The Fast Moving Consumer Goods sector may not hog the headlines when cybersecurity is discussed, but that does not mean FMCG is safe from cyberattacks. Food and beverage giant Mondelez International took several weeks to recover from the NotPetya cyberattack and suffered

• Permanent damage to 1,700 servers and 24,000 laptops
• Production impact around the world
• $140 million negative impact on organic net revenue

This incident shows that FMCG companies can suffer significant losses following a cyberattack and should implement robust cyber defences against cyberthreats.

Is FMCG Particularly Vulnerable to Cyberattacks?

Any organisation that leverages IT is vulnerable to cyberattacks in much the same way that any organisation that uses electricity is affected by power failure. FMCG is therefore as vulnerable as any sector that has embraced digital transformation, from a purely technical perspective.

But FMCG may be more vulnerable than many other sectors when it comes to the consequences of a cyberattack. Attacks can disrupt operations and interrupt supply chains to an extent where goods that are supposed to be fast moving do not move at all!

Consumer demand may exist, but supply from FMCG companies can be hindered or paralysed. This can result in considerable opportunity cost for FMCG companies especially those who experience seasonal or festival demand, where a few days in the year contribute significantly to revenue. A cyberattack that is timed to coincide with such demand spikes can ruin a business, and that makes the organisation vulnerable to ransom demands or even cyberwarfare where attacks are launched to disrupt economies.

How FMCG Organisations Can Cybersecure Their Operations

Organisations in the FMCG sector should implement a combination of policy, technology, and training measures to secure their operations from cyberattacks.

1. Create a Cybersecurity Policy – A cybersecurity policy functions as a master plan for your facility. It lays down the roles, responsibilities, standards, and penalties required to make your organisation cybersafe. A policy will be effective only if it is implemented, and therefore leaders should ensure that everyone in the organisation is made aware of the policy and what is expected from each individual to ensure compliance
2. Enforce Password Hygiene – Passwords are a fundamental cybersecurity measure and your organisation should insist on strong passwords to prevent compromise by password guessing. Passwords leaks can be prevented by forbidding password sharing. Passwords should also not be reused or recycled to prevent password breaches in other organisations from affecting your organisation. Multi-Factor Authentication (MFA) can also be implemented where additional security is required
3. Follow the Principle of Least Privilege – Every employee, no matter how senior they are, should have the least privileges required to carry out their responsibilities. This is required to limit the damage a cyberattacker can inflict if they take over an employee’s account, or if an employee launches a cyberattack against the organisation
   1. IT administrators require admin accounts with elevated privileges to perform their duties. As such accounts present a significant risk if compromised, IT administrators should use such accounts only when necessary and have user accounts with limited privileges for other activities
   2. The employee exit procedure should require all access and credentials to be revoked immediately when an employee leaves the organisation. This prevents former, possibly disgruntled, employees from launching attacks against the organisation
4. Deploy Endpoint Security – Endpoint security solutions, like K7 Endpoint Security, protect computing devices against cyberthreats like ransomware, phishing, Trojans, and zero-day attacks. It is critical to ensure that endpoint security solutions are allowed to receive the malware definition updates distributed by the vendor, which are essential to stopping the latest cyberattacks
5. Deploy Network Security – Network security devices, like K7 Unified Threat Management (UTM) appliances, provide gateway security for the organisation’s network and include multi-zone firewalls with Intrusion Prevention/Intrusion Detection Systems (IDS/IPS) to stop hacking attempts
6. Deploy Physical Security – Ensure that physical access to your organisation’s IT infrastructure is limited to those who need such access e.g., only employees should be allowed inside your facility. Provide cable locks to secure laptops when users are away from their desks; this prevents an attacker from stealing data by stealing the device that stores the data
7. Secure All Facilities – FMCG operations are often distributed over multiple regions. It is important to remember that any device, no matter where it is located, can be targeted by a threat actor to first compromise the device and then spread the attack through the rest of the organisation. All devices in all facilities should be secured to protect the organisation
8. Install Updates – All hardware, operating systems, and applications should have the latest patches and updates installed as soon as they are available. Hardware, in this context, includes IoT devices and devices that are networked, such as printers. Security updates and patches are released because a product has a known vulnerability and therefore updates should be installed immediately. The NotPetya cyberattack discussed at the beginning of this blog primarily spread through computers that had not been patched despite the patch being available
9. Take Backups – Backup data using the 3-2-1 rule: 3 copies of the data, 2 different storage media, 1 offsite copy. The offsite copy is important as some cyberattacks look for and compromise backups as well, and an offsite copy that is physically isolated from the enterprise network is less likely to be compromised. Backups are useless if they cannot be restored, therefore restoration should be periodically checked through trial restoration of backed up data
10. Prioritise Cybersecurity in Procurement – Installing updates assumes that updates are provided by the vendor. Verify the track record of the vendor in providing updates and the support period they are willing to commit to before issuing a purchase order. Avoid procuring products that will soon reach end-of-support as the useful life of the product should not exceed the support period
11. Upgrade or Replace Legacy Systems – Hardware and software that are no longer supported by the vendor should not be used in your organisation as vulnerabilities will continue to be discovered but updates against the vulnerabilities will not be provided. Such legacy systems should be declared obsolete and uninstalled or scrapped. When scrapping devices, ensure that any data that might be stored in the device is deleted in a way that cannot be recovered before decommissioning the device
12. Secure the Supply Chain – 3^rd parties (such as your organisation’s vendors) need to have cybersecure operations to prevent cyberattacks from spreading from their organisation to yours. Read our blog on Cybersecuring the Supply Chain for a discussion on preventing cyberattacks that are launched through 3^rd parties
13. Implement Cybersecurity Training – Threat actors know that devices and networks will be protected by technology solutions and therefore also target users through social engineering. Technology solutions can provide some protection against such attacks, but training is critical as a well informed workforce is the best defence against social engineering attacks like phishing

K7 Security provides Endpoint Security and Network Security solutions to protect organisations operating in varying industries with diverse IT environments. Contact us to learn more about how we help FMCG organisations strengthen their cyber defences and protect their IT infrastructure.