Feature
Avery Dennison takes leading role in cybersecurity
Avery Dennison arms itself against data loss and malware attacks, as cybersecurity becomes a key ingredient in business resilience.
“Our cloud journey is revolutionising the company, so it’s critical we’re able to secure it,” explains Jeremy Smith, Avery Dennison’s information security officer. Credit: Pixabay, Tumisu
Avery Dennison, a Fortune 500 company specialising in the design and manufacture of labelling and functional materials, has been rated by GlobalData as the best-performing packaging company in the cybersecurity theme, and is poised for excellent future performance.
With an estimated ICT spend of $371.2m in 2022, the label and adhesive behemoth has made several strategic advances towards becoming a digital-first company over the years, having launched atma.io cloud-based platform in 2021 – a platform that assigns unique digital IDs to products, enabling improved tracking, storage and management.
Other major IT investments over recent years include $230m in Williot’s Internet of Things and Cloud technologies, $38.9m in RoadRunner Recycling’s AI/ML-based technology, and a $1.45bn acquisition of Vestcom, the provider of data-integrated, shelf-edge labelling and pricing solutions for consumer-packaged goods companies.
Cybersecurity threats
The increased digitisation of supply chains and cloud-based environments, however, poses new cybersecurity threats to companies, as more and more data is stored virtually. And, if cloud data is compromised, companies risk multiple losses, including loss of revenue, reputation and business continuity. According to IBM, manufacturing has felt the brunt of cyberattacks over the past few years, receiving 23% of attacks in 2021, ahead of finance and insurance.
A notable cybersecurity breach took place in January 2021, when WestRock Company, the paper and packaging solutions provider, was subject to a ransomware attack that disrupted its IT and operational technology systems. The company said that the impact on net sales in the second quarter of 2021 was $189m, whilst $20m was incurred in ransomware recovery costs.
All this comes as the Allianz Risk Barometer 2023 survey finds that cyber incidents and business interruption rank as the most pressing company concerns for the second year running.
Moving towards zero trust security
Avery Dennison has a presence across multiple cloud platforms, including Kubernetes, Azure, Amazon Web Services, Google Cloud and Oracle Cloud. However, cloud computing brings its own unique set of risks: for example, cloud services rely on APIs which are particularly prone to cyberattacks, and the easy accessibility and data migration capabilities of the cloud also makes it vulnerable to data loss and malware attacks.
“Our cloud journey is revolutionising the company, so it’s critical we’re able to secure it,” explains Jeremy Smith, Avery Dennison’s information security officer.
This commitment to greater cybersecurity has been borne out in the company’s estimated 2022 ICT budget, with $4.59m allocated to security software, $2.07m to security equipment hardware, $3.13m to security consulting, and $2.31m to security and privacy services, according to GlobalData.
As part of its cloud-specific cybersecurity strategy, Avery Dennison has partnered with Wiz, which provides a singular view of its multi-cloud environment, allowing for easy identification of misconfigurations and providing context on vulnerabilities.
Smith said that prior to the Avery Dennison-Wiz partnership, “it was difficult to piece together solutions from different cloud providers to come up with a good cloud security posture – even understanding misconfiguration was hard within these tools.”
The risk of human error
Researchers from Stanford University and a top cybersecurity organisation found that approximately 88% of all data breaches are caused by human error.
Recognising this human factor as a significant aspect of cybersecurity, Avery Dennison launched its DataSafe initiative in 2019, which enlists all employees in an enterprise-wide effort to protect company data. Prior to this, the packaging powerhouse had adopted a more conventional approach to data loss prevention, with a focus on specialists implementing firewalls and constraining policies.
However, the company soon realised that increased reliance on cloud resources made its data more vulnerable, especially given the potential for human error. “It was often thought that security was security’s problem. But enabling your employees to act as security partners to protect their own data is as critical as any security tool you may have,” Smith says.
In consultation with cybersecurity experts, Avery Dennison therefore developed and adopted a three-pronged initiative. The first component was to identify and inventory the most critical business data and assets (namely, intellectual property and customer order information), while the second component was to measure and plan for success.
The third component involved selecting and deploying technologies to prevent data loss and ensure regulatory compliance. For this, the company chose Sekure, a cloud-native data governance solution that automatically identifies, classifies, monitors and protects sensitive business data. Additionally, it provides employees with the necessary tools to protect data effectively.
Indeed, DataSafe now requires employees to classify files at the time of creation according to the company's four-point system for data security. “It forced people to think about whether the data was important, and if distributed too permissively whether it would cause risk to the organisation. It got people thinking about the data itself and to be more careful about how they handle it,” Smith says.
In terms of endpoint security, the company has also adopted fingerprint, facial and biometric recognition technologies that have eliminated the need for passwords to log into workplace applications.
The result has been a robust data protection programme that empowers employees and incorporates customised technologies, specifically designed to protect the company’s most critical business data and assets.