Friday, November 28, 2025

When hackers strike: are FMCG firms ready?

Julie Neal and Andreas Aschenbrenner present a five-step framework to help FMCG leaders prepare, respond and protect business value in the face of rising cyber threats from hackers


For many companies, a cyberattack affecting a key area of business operations, such as an e-commerce platform, is a worst-case scenario. Being prepared for such risks is obviously important, but how far should you go and what areas should you focus on? Knowing where to start is sometimes the biggest challenge, but it’s vital that boardroom decision-makers develop and implement a comprehensive cybersecurity strategy.

For M&S, the worst-case scenario has happened: a ransomware attack, delivered through a third party by means of “social engineering”, resulted in the theft of customer data and has since forced it to pause online orders. According to M&S, the fallout from the cyberattack could reduce its profits by an estimated £300 million this year, and more than half a billion pounds has been wiped off the company’s value.

M&S is not alone. The cyber threat is increasing all the time, both in terms of the incidence of malicious attacks on businesses and the financial and operational impact they can have. According to the Cyber Security Breaches Survey, in 2023/24 an estimated 7.78 million businesses in the UK said they had experienced some form of cybercrime in the previous 12 months. Research by IBM has confirmed that the global average cost of a data breach rose to $4.88 million in 2024, 10 percent up on the previous year.

For FMCG companies, an attack that results in data theft or prevents the business from operating can have a lasting impact on customer trust and damage brand reputation, so taking preventative action is important. However, even the best-laid plans can’t stop a cyber breach from happening. Reacting quickly, and having the right controls in place to reduce risk and protect shareholder value, could make all the difference.

The following steps will help boardroom decision-makers to be prepared for a cyberattack.

Step 1 – Take a holistic approach to assessing cyber risk

When considering a cyber control strategy for the first time, or reviewing an existing strategy, the first step should be a risk assessment. This could involve asking some uncomfortable, inward-looking questions, such as ‘can I trust my team?’. It’s important to take a holistic view, assessing the company’s approach to cybersecurity in each of the following business domains: governance, people, process and technology.

Taking an end-to-end view of business operations is critical. Often, companies focus on the most obvious risk areas, such as IT, without considering the need to protect operational technology (OT) at all. Interfaces with customers and suppliers are a common risk area, where controls may be lacking or inadequate. Hackers will be looking for any area of weakness as an entry point, so the business needs to stay one step ahead.

Step 2 – Know your risk appetite

Once cyber risks have been identified, boardroom decision-makers will need to decide how far to go in addressing them. There is no right or wrong approach, and businesses will have different risk appetites depending on the culture of the organisation and the nature of its activities. To inform the decision, each risk should be assessed individually to determine the likelihood of a cyber breach and its potential impact. When considering how far to go in addressing each cyber risk, doing the bare minimum is a high-risk strategy. However, trying to secure everything to the highest level possible could be counterproductive if the business then finds it impossible to operate efficiently.

Step 3 – Set strategic goals and have a purpose

To develop a cyber security strategy, business leaders need a clear understanding of where the business is now, and a ‘north star’ to aim for in terms of what they want to achieve. Based on a risk analysis and their risk appetite, the board should define its purpose and adopt a data-driven approach to risk management to ensure they know what is going on. For example, a US-based drinks business was aiming for a robust approach to managing cyber risks, and its purpose was defined as ‘protection against malicious attacks’ through the application of globally recognised cyber security practices and advanced autonomous security solutions. With a purpose in mind and reliable sources of information established, the business can develop a meaningful strategy to guide its investment decisions.

Step 4 – Be ready to protect, detect and respond

When devising and implementing a cyber security response plan, a multi-layered approach is required. In the initial ‘protect phase’, for example, the business is likely to focus on specific measures such as implementing firewalls and anti-virus systems. It’s important to consider early detection systems too, as it is not always easy to spot when a cyber breach has occurred, and the longer it goes unnoticed, the more collateral damage it can cause. The first 24-48 hours are critical, and having a plan in place to detect and contain a cyber intruder quickly could be vital to protect the business. Spotting the presence of an intruder quickly could also be important for compliance reasons, as it is a legal requirement (GDPR) to report the loss of personal data to the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of it. Setting up controls and monitoring systems, and empowering staff to escalate their concerns if necessary, will ensure the business is ready to protect, detect and respond.

Step 5 – Establish a risk-oriented culture

Having the right people in the right jobs can help to keep cyber security top of mind and establish a proactive, risk-oriented culture. Ideally, business leaders should prioritise the recruitment of a dedicated cyber security professional to take responsibility for the end-to-end delivery of the strategy. Understanding how and when to communicate with stakeholders, internally and externally, is a key skill that could help to limit damage and protect brand reputation in the event of a cyberattack. In addition, employees at all levels should receive training to ensure they are aware of cyber risks, understand their role, and know what to do if they are concerned about anything they see or hear.

Julie Neal is a director and consumer packaged goods sector specialist at management consultancy, Vendigital, and Andreas Aschenbrenner is a vice president specialising in cybersecurity, AI and new technologies at Siemens Advanta.
