Balancing Digitalization and Security: Key Takeaways from the Cybersecurity Summit in Chicago
Consumer packaged goods companies adopting digital technologies like cloud computing and AI need to understand and protect against the security gaps these tools can create.
Consumer packaged goods companies can find incredible benefits by adopting emerging digital technologies, but these new tools can also bring unexpected security challenges.
That doesn't mean CPGs should avoid these technologies entirely; doing so can leave them behind the curve as the industry advances. They do, however, need to be aware of the various security challenges that come with digital technologies and develop a strategy to fill those gaps for a secure and connected operation.
Presenters at Friday's Cybersecurity Summit in Chicago explored the most popular emerging technologies driving innovation today, and shared insights on how to implement these technologies while remaining secure from bad actors.
AI as a blessing and a curse for security
For security, artificial intelligence (AI) is a double-edged sword that brings both enhanced protection and extra vulnerabilities, Bob Kalka, global lead at IBM Security, explained at the Cybersecurity Summit. Consumer packaged goods companies can leverage AI to detect and block attacks more effectively than traditional approaches. One example is "behavioral analysis," used as an extra layer of security to bolster two-factor authentication.
"Hackers don't break in, they log in," says Kalka, noting that one of the most common methods of hacking is obtaining valid login information. "Once you get the credentials and you log in, especially if it's a privileged account, you can do whatever you want. When does [the company] find out? Eventually through the threat management system, they see some anomaly."
He points to a client that his company helped achieve a 15x decrease in the user friction associated with multi-factor authentication (the time spent entering passwords and working to log in) by incorporating adaptive access and behavioral analysis.
"What is my online behavior? Well, one of my behaviors is connecting from a laptop or a desktop, or my typing rate, or my error rate in my typing. It isn't hard to come up with a profile of you of how you typically interact with your device," Kalka says. "Let's say your credentials get hacked and now you have the hacker logging into your account. The typing radar watches how they're interacting, and you can immediately see it's not the original user and you flag it. That's an example of AI that's in use right now."
After implementing this AI application, Kalka says his client reported lowering login friction to less than 1%, only needing to cause friction when behavior is inconsistent.
But the technology comes with its own security challenges, like model vulnerabilities.
One method hackers use is to "slowly poison the model so it eventually comes to the wrong conclusion," says Kalka, pointing specifically to multi-language support capabilities. "If your AI model supports a language that you don't really know, you can't even tell it's getting poisoned."
CPGs utilizing AI need to consider securing their models at three levels.
"First, when you're doing data collection, you have to be vetting it. If you're not, you're going to run into trouble. Secondly, as you're training the model, you'll have applications that may have vulnerabilities injected into them. And finally, as you're actually using the models, [hackers] are trying to manipulate behavior in the model. That's where the biggest source of black hat hacking is happening right now, is trying to get the models to misbehave," says Kalka.
The benefits of a move to the cloud
Consumer packaged goods companies are increasingly storing data in the cloud, with 80% of surveyed industry stakeholders at least partly storing data in the cloud, according to PMMI Business Intelligence's 2024 report, "Transforming Packaging and Processing Operations."
Cloud computing can bring major benefits in flexibility, cost-efficiency, and scalability, but it also opens companies to potential security gaps, John Gall, solutions engineer at Cloudflare, and Ivan Gotti, senior solutions engineer at Okta, explained at the Cybersecurity Summit.
Gall and Gotti see companies large and small, in manufacturing and elsewhere, that are wary of the potential dangers of cloud computing. They explain that knowledge is power when working with the cloud, and that moving to it helps companies offload the responsibility of managing data on their own.
"It's not just mom-and-pop shops [that are wary of the cloud]; I see traditional manufacturing industries and government organizations that still want to keep their own data center. But there's a return on investment and a business value of using the cloud. You will not have the high availability and scalability that a big cloud provider could have," Gotti says. "The journey to the cloud can be complicated, but the key to having a good strategy is to educate and to balance the benefits of having a big company behind you with a strong service level agreement (SLA), and with strong scalability so you don't need to scale up your own servers, patching, maintenance, and then if a breach happens, it's all on your own."
Maintaining cloud security and avoiding misconfigurations (errors made in cloud system deployment or maintenance) come down to a strong cloud management strategy and to knowing that employees are the weakest link in cloud security.
"What you don't want to do is rely on your IT team to manage everything. You want to have appropriate access dispersed out among your different organizations," Gall says. "But alternatively, you don't want to have the wrong organizations having access to the wrong systems. Misconfigurations are human error; it's us misconfiguring things. We want to provide safeguards that enable us not to do those things, and utilize playbooks and repeatable processes. It's all about minimizing human error by making things repeatable, scalable, and only having the appropriate experts work on the material that they're experts in."
Assessing cybersecurity readiness
CPGs may have a few strategies and tools in place to protect their digital information, but how can they know if it's enough?
Subject matter experts answered this question by defining cybersecurity readiness and sharing evaluation tips at the Cybersecurity Summit.
"Cybersecurity readiness is about the preparation. I don't think companies do enough incident planning or tabletop exercises, and when they do, it's limited," explains Tony Anscombe, chief security evangelist at ESET.
Anscombe notes the importance of having a contact list ready, preferably on paper, for when technology fails during a cybersecurity emergency. "[Companies] should already have that list, and that's why you should be doing tabletop exercises. The people you think you need to contact might not actually be the people you need to contact in an incident."
Protections should be built deep into digital systems with a "bottom-up approach" to ensure data is secure, according to Adam Vande Ven, director of innovation at Capital Data, representing Veeam Software at the event.
"Oftentimes during the continuous cybersecurity readiness conversation, we put a lot of effort into looking at front-end security measures like firewalls, EDR solutions, and managed detection and response. But some of the most important things to consider are in the underlying infrastructure," Vande Ven says, noting the importance of incident recovery. "If the company has backups, are they immutable? Are they on different mediums of storage so that in the event of vulnerability, the company can recover? Then thinking about different tiers of that immutability and recoverability strategy so that the company can recover as quickly as possible, depending on the threat."
After a CPG establishes a strong cybersecurity posture, the job is far from over.
"You need to do this continually. This is not a one-and-done scenario," says Anscombe. "Companies get acquired, we grow, other people come in and employees start using things they shouldn't. It's a continually evolving environment that you need to audit."
As companies maintain cybersecurity, they can rely on indicators that their strategy is mature and robust.
"One key indicator of organizational success is limiting the blast radius of an attack," says Chad Monteith, principal field solutions architect at Pure Storage. "If a company can implement good processes, procedures, and exercises that test how far somebody can get into that blast radius, that's a real indicator of maturity. Even if an attacker comes in and compromises one area of your business, if they can't actually get to other areas, you've substantially limited the impact of that attack."
As technologies like AI and cloud computing evolve, CPGs need to strike a balance between embracing emerging technologies and staying vigilant about cybersecurity, ensuring innovation doesn't come at a cost to security.