CPO Perspective on Cybersecurity
Together we remain alert and diligent to improve our capabilities to protect all our supply chains
External Business Partners,
If your business and personal inboxes are anything like ours, you have seen an uptick in phishing attempts over the last few months as cyber-attackers ride the panic associated with COVID-19 and economic uncertainty. Phishing is just one of the ways that P&G and our business partners are being targeted. Every company within our supply network is at risk, regardless of what product or service is supplied. We need you, our partners, to remain alert and diligent and continue to improve your capabilities to protect all our supply chains. To that end, we encourage you to explore and adopt best practices and certifications that support the needs of P&G and the other CPGs and industries with whom you work.
Even before the events of 2020, supply chain attacks were on the rise. Industry research from the end of 2019 estimated that approximately 50% of cyber-attacks are directly related to the supply chain, which was a 78% increase from 2018. According to one cyber intelligence provider, in 2018 as many as 66% of companies had experienced a cyber incident through their supply chain. For our non-technology third-party business partners, island-hopping is a concern. Island-hopping is a term used to describe a malicious actor infiltrating a smaller EBP’s environment in order to pivot to a larger, but connected, environment. One report cited that as many as 11% of recent breaches were attributed to island-hopping.
For P&G’s technology-providing EBPs, we are concerned about conventional supply chain attacks. Cloud hopping involves infiltrating a cloud hosting provider and using that access to move laterally across that hosting provider’s clients’ environments. Supply chain targeting can involve methods such as cloud hopping, or targeting actual software and hardware providers and infiltrating new hardware/software acquisitions and updates. It should be noted that all of P&G’s EBPs are also subject to this sort of supply chain attack, which could ultimately result in island-hopping to P&G’s environment.
We were recently contacted by one of our large raw material suppliers because they received a suspicious fax from a P&G executive. Their swift action is exactly what we ask of each of you. Whenever there is an incident or suspected incident related to Privacy/InfoSec, please report the details to P&G via email@example.com directly. For additional information on privacy, please visit pgsupplier.com. Please contact your P&G Purchases Leader with any other concerns or questions you may have.
We thank you for your ongoing partnership. Together we can protect our supply network from external threats.
|Ana Elena Marziano
|Chief Info Security Office
|Chief Purchasing Officer