Information security is the practice of protecting information by mitigating information risks. Cyber security is the practice of protecting critical systems and sensitive information from digital attacks. Cyber resilience is the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources. These are the dimensions companies are permanently working on to reach an adequate level of protection.
Current state
Most business organizations have incorporated information security into their daily work. Cyber security has become one of the top ten risks for businesses worldwide in recent years [1]. Attacks against companies are soaring in number, quality, and scale.
During 2022, the COVID-19 pandemic continued to challenge almost all areas of everyone's lives. Service organizations such as Lenzing's IT teams still suffered from volatile supply chains in hardware and software delivery.
Starting in December 2021, a new vulnerability in a common framework used for logging features, Log4j, shocked the entire internet. Due to its versatility, Log4j is used in a very wide range of products, from simple devices to servers and control systems. It is widespread and easy to use, which made it difficult for many companies to identify where the vulnerable component was embedded and to properly evaluate the risk to the product or environment in which it was being used. This prompted multiple ad hoc and follow-up actions that the IT team executed successfully through excellent teamwork.
The war against Ukraine had a major impact on economies, global trade and cyber security. Due to Austria's geopolitical position and Lenzing's absence from this region, no increase in attacks or offenses was detected. On the contrary, the environment was easier to navigate for several months because well-known hacker groups focused on other targets or areas, or were shut down by police or judicial forces. On the other hand, a shift of several actors towards business and cyber espionage was seen.
Ransomware has long been feeding the coffers of highly skilled hackers, whether criminal groups or state-sponsored teams, looking for money or information in both cases. They are well organized and staffed, equipped with top-of-the-line equipment and tools, and ruthless and strategic in their actions. They employ blackmail, among other things, to pressure victims into paying ransom. No wonder the criminal economy supposedly generated annual revenue of EUR 1.5 trillion, or roughly the GDP of Spain [2].
Because Lenzing, a global player in the textile business, is interconnected with numerous business partners, authorities, customers, and consumers at various sites of (physical and digital) operation, it is at high risk of falling victim to one of these hackers. Last year, several companies in Lenzing's orbit were affected by cyber attacks that disrupted services and commerce, involved encrypting, stealing, and leaking confidential data (data breaches), and, in some cases, even led to the closure of production sites.
Therefore, Lenzing Group has invested heavily in improving cyber resilience and information security. Existing security concepts have been and are constantly challenged and adapted to the new normal. However, Lenzing not only relies on technical protection measures, but also strongly focuses on the awareness of its employees. Cyber security is not a project, but a permanent endeavor for the entire organization.
Information Security Policy
Protection of information is an ongoing endeavor for each and every employee, contractor or business partner of all the Lenzing Group’s companies in order to proactively maintain and improve an appropriate level of security for all kinds of information processes. The Information Security Policy promotes a risk-based approach to achieve global compliance with information security and data protection. Lenzing does this while balancing the rights and needs of the company, society and individuals.
This policy and applicable legal regulations constitute a framework for multiple directives/guidelines that are regularly reviewed and reworked, including:
- Lenzing Global Code of Conduct
- IT User Directive (secure use of the IT systems and the basic principles of data security measures)
- Smartphone Directive (mobile devices)
- Terms of Use for Private Mobile Devices
- Know-How Protection Directive (including classification of data and its processing)
- Secure storage of personal identifiable information
- Cyber Defense Operation Handbook
On the basis of the Lenzing Security Policy, and in line with local legislation, an updated Data Protection Directive was proposed and will be rolled out after approval.
[1] World Economic Forum 2021, https://www.weforum.org/agenda/2021/01/building-resilience-in-the-face-of-dynamic-disruption/
[2] https://www.techrepublic.com/article/cybercriminals-raking-in-1-5-trillion-every-year/