Information security is the practice of protecting information by mitigating information risks. Cybersecurity is the practice of protecting critical systems and sensitive information from digital attacks. Cyber resilience is the ability to anticipate, withstand, recover from and adapt to adverse conditions, stresses, attacks or compromises on systems that use or are enabled by cyber resources. These are the three dimensions on which companies must work continuously to reach and maintain an adequate level of protection.
Current state
As companies increasingly rely on digital technologies, the importance of protecting information systems and confidential information from cyberattacks cannot be overstated. Hence, most business organizations have incorporated information security into their daily work. Cybersecurity and cybercrime now rank among the top ten risks for businesses worldwide [1]. Attacks against companies are soaring in number, sophistication and scale. For Lenzing, cybersecurity is not just about risk management; it is about ensuring the long-term resilience of the company.
The tense geopolitical security situation stemming from military conflicts has had significant repercussions on economies, global trade and cybersecurity. Owing to Austria's geopolitical location and Lenzing's absence from the affected regions, there has been no discernible rise in cyberattacks or other offenses against Lenzing.
Ransomware has long been a lucrative source of income for highly skilled attackers, whether they belong to criminal organizations or to state-sponsored teams pursuing financial gain or sensitive information. These adversaries operate with exceptional organization and manpower, armed with state-of-the-art tools and an unrelenting, strategic approach. They employ various tactics, including blackmail (threatening to leak stolen data), to compel victims to meet their ransom demands. It is no surprise that this criminal economy is believed to yield an annual revenue of approximately USD 1.5 trillion, a sum comparable to Spain's GDP [2].
Because Lenzing, a global player in the textile business, is interconnected with numerous business partners, authorities, customers and consumers at various sites of (physical and digital) operation, it is at high risk of falling victim to such attackers. Last year, several companies in Lenzing's orbit were hit by cyberattacks that disrupted services and commerce, involved the encryption, theft and leaking of confidential data (data breaches) and, in some cases, even forced the closure of production sites.
The Lenzing Group has therefore invested heavily in improving cyber resilience and information security. Existing security concepts have been and are constantly challenged and adapted to the new normal. However, Lenzing does not rely on technical protection measures alone, but also focuses strongly on the awareness of its employees. Cybersecurity is not a project but a permanent endeavor for the entire organization.
Activities to fight cybercrime
Following an assessment of Lenzing's capabilities against the Cyber Security Framework, several short- to medium-term activities were started within Lenzing's security program in order to improve cyber resilience.
Examples of some of the activities that can be shared publicly are listed below.
Human factor: the best firewall
As outlined above, technical measures are important but cannot provide full protection in all situations. This is why empowered and security-conscious employees are essential as the first line of defense. Lenzing carries out several activities to build and maintain these skills, including:
- Regular awareness initiatives through news articles on the intranet
- Regular information via group mails, info-screens and departmental or town hall meetings
- Ad-hoc information when relevant incidents are observed in Lenzing's surroundings (e.g. attacks on nearby companies or business partners)
- Tailored face-to-face training sessions for IT employees, HR teams, finance and accounting
- Keynotes at (virtual) corporate department summits
- A reporting line for any security concerns, questions or potential fraudulent activities (including feedback and advice on the topics raised)
- Information security e-learning for each and every IT user
- Privacy e-learning for each and every IT user
The awareness of Lenzing's IT users resulted in more than 400 reports worldwide of potential spam, phishing/malware and fraudulent e-mails, calls or contacts in the reporting year.
Continuous improvement: paradigm for all activities
Targeted technical and organizational measures have been in place for several years to ensure data protection and to combat data theft, the manipulation of business processes and other forms of internet crime. As technology evolves and the number and sophistication of attacks constantly increase, Lenzing regularly reviews and improves these measures at a matching pace.
Achievements of the year
Lenzing performs annual penetration tests to assess its security measures. These tests, carried out by highly skilled external partners, result in service improvement plans (SIPs). In addition, external security rating (scorecard) services are used frequently to obtain an outside-in view of the company's exposure. Regular monitoring is performed to search for potential threats, disclosures on the dark web and compromised accounts. All findings revealed by such assessments, tests and reported incidents lead to a security review, a risk assessment and subsequent corrective action.
Lenzing has also assessed its technical and organizational cybersecurity measures. Based on the results, the Lenzing Security Program will be updated to align the cybersecurity measures with the current threat situation.
Ransomware groups and nation-state actors exploit newly disclosed vulnerabilities in enterprise resource planning (ERP), e-mail, collaboration and knowledge-sharing tools to harvest data and account credentials. To counter this, Lenzing prioritized the fast rollout of client and server patches in order to keep pace with the dramatically shorter time between disclosure and exploitation. Several campaigns also covered mobile device update cycles.
Since almost two thirds of ransomware attacks are initiated via phishing e-mails, Lenzing provides specific awareness information and e-learning on phishing to its employees and subsequently tested the results in a phishing simulation. Lenzing also intensified its technical efforts in this area: the IT infrastructure teams implemented additional security measures on Lenzing's IT assets during the year to improve security hygiene and to reduce the risk to everyday operations.
The vulnerability management process is continuously improved, further increasing both the pace at which the IT team closes open vulnerabilities and the IT team's visibility of them. The still high number of newly disclosed vulnerabilities, as well as revoked or reissued patches, kept the teams extremely busy. Nevertheless, this work enabled Lenzing to achieve key milestones towards improved threat detection and response capabilities, which will help to detect and respond to attacks faster.
[1] World Economic Forum, The Global Risks Report 2023, https://www3.weforum.org/docs/WEF_Global_Risks_Report_2023.pdf
[2] TechRepublic, Cybercriminals raking in $1.5 trillion every year, https://www.techrepublic.com/article/cybercriminals-raking-in-1-5-trillion-every-year/