Cyber security continues to be a threat for all businesses globally. It is vital for organizations to combat this threat by creating a risk-aware culture and protecting itself from cyber risks.
We are committed to continually improving cyber security through investment in our people, processes and IT infrastructure. In 2020, we launched our new cyber security strategy, which continues to mature as we further align ourselves with the NIST (National Institute of Standards and Technology) Cyber Security Framework (Identify, Protect, Detect, Respond, Recover).
We first engaged NCC Group in 2019 to conduct an independent assessment of our cyber security maturity and risk against over 108 control areas, as specified in the framework. There are five levels of maturity: 1. ‘Non-Existent’, 2. ‘Repeatable but intuitive’, 3. ‘Defined’, 4. ‘Managed and Measurable’ and 5. ‘Optimized’. Following our first assessment in 2019, we set a target to reach level 3. ‘Defined’ maturity. Since this time, we have significantly improved our Endpoint Detection & Response capabilities across the group and are focused on continuing to embed IT security at the heart of all day to-day and project activities.
Following our 2021 assessment, it was confirmed that we have reached our target maturity level 3. ‘Defined’. We also benchmarked ourselves against levels reached by other chemical companies operating in similar geographies. As the threat landscape in the wider environment has shifted, we have committed to a new target to further increase our maturity rating by the end of 2022.
Regular communications are issued to raise awareness of key issues covering areas such as how to stay safe online, how to protect against online fraudsters and prevent organized cyber-attacks on our businesses. These communications are backed up by an extensive program of cyber security and phishing training courses through our “KnowBe4” global training platform.
In 2021, 1,287 employees completed our Global IT Acceptable Use Policy module, 1,413 employees completed the Cyber Security ‘Be Cyber Smart’ module and 1,134 employees completed the Social Media Awareness module. Internal phishing tests were also sent out to see how alert we are to attempts to gather sensitive information through fake emails. Two phishing campaigns were completed in 2021.