Examples of some of the activities that can be shared publicly are listed below.
Human factor as best firewall
As outlined above, technical measures are important but cannot protect in every situation. This is why empowered and security-conscious employees are essential on the front line of defense. To promote these skills, Lenzing carries out several activities, for example:
- Regular awareness initiatives through news articles on the intranet
- Regular information via group mails, info-screens and departmental or townhall meetings
- Ad-hoc information in the event of relevant observations in the neighborhood
- Tailored face-to-face training sessions for IT employees, HR teams, finance and accounting
- Keynotes on (virtual) corporate department summits
- Reporting line for any security concerns, questions or potential fraudulent activities (including giving feedback and advice on topics raised)
- Security eLearning for each and every IT user
- Privacy eLearning for each and every IT user
The awareness of Lenzing’s IT users led to almost 200 reports of potential spam, phishing/malware and fraudulent mails/calls/contacts worldwide in the reporting year.
Continuous improvement as paradigm for all activities
Targeted technical and organizational measures to combat data theft, the manipulation of business processes and other forms of internet crime have been in place for several years. As technology evolves and the number and sophistication of attacks increase continuously, businesses are constantly required to check and improve their measures at a similar pace.
Achievements of the year
2021 was the year of several major security gaps found in the tools of software vendors, cloud service providers and, for the first time, even within the security products of giants in the IT industry. Zero-day vulnerabilities such as these represent high levels of risk to each and every company using these products. In 2021, there were 83 zero-day vulnerabilities in total for IT vendors, of which 43 related to widely used products from tech giants such as Apple, Adobe and Microsoft.
Lenzing’s responsible security and infrastructure teams were under extreme pressure to mitigate these risks. During these intense situations, the competent authorities issued the highest security alert levels and, in some cases, Lenzing was forced to take drastic measures to lock out potential intruders.
As a result, vulnerability management activities were stepped up to improve security hygiene and reduce the relevant threats to everyday operations. Lenzing uses so-called penetration tests on a regular basis to assess its security measures. These tests, performed by highly skilled external partners, result in Service Improvement Plans (SIP). In addition, external security scorecard systems are frequently used to gain feedback from outside the company. Regular background checks are performed to search for potential threats, disclosures on the dark web or compromised (“pwned”) accounts. All findings revealed by such assessments, tests and reported incidents then lead to a security review, a risk assessment and, subsequently, corrective action.
Structural re-assessment of our cyber resilience
In light of these new challenges, an external auditor performed an assessment based on the highly regarded global NIST Cybersecurity Framework to examine Lenzing’s cyber resilience. The analysis highlighted various gaps to be addressed. The whole set of recommendations, prioritized according to risk level, was then compiled into a comprehensive program. Both the assessment results and the recommendations were presented to the Managing Board and, after its approval, embedded accordingly into Lenzing’s security program.