Kraft Heinz on securing complex, connected FMCG supply chains

“We are partners at the table, not an isolated enforcement team.”
25 June 2020

It takes a lot to get products to supermarket shelves. Source: Shutterstock

  • The pandemic has disrupted fast-moving consumer goods supply chains worldwide
  • Kraft Heinz is a global food and beverage company and requires a solid cybersecurity system to secure its immense supply chains
  • TechHQ spoke to Ricardo Lafosse, chief information security officer at Kraft Heinz

The Kraft Heinz Company is no stranger to the American home. Ranked the third-largest food and beverage company in North America and the fifth-largest food and beverage company worldwide, the food giant is leading in both local and global markets. 

To date, the ongoing pandemic has impacted fast-moving consumer goods (FMCG) supply chains everywhere. As a result, close to half (45%) of FMCG brands experienced a sales drop in supermarkets and grocery stores, including those online, according to research by mobile app Shopmium. At the same time, demand for ‘shelf stable’ meals – macaroni and cheese, pasta sauce, and other similar goods – skyrocketed. 

With an immense and highly connected supply chain under the company’s name, Kraft Heinz chief information security officer Ricardo Lafosse shared with TechHQ the unique challenges the F&B industry faces in light of the pandemic, and how the multinational food giant has prepared across its entirety to manage the increasingly sophisticated and growing number of threats it faces each day.

Lafosse said his team had to quickly structure its order and replenishment processes to address an “incredible” demand and provide as many retailers as possible with a balanced supply of products. But getting much-needed goods to shelves quickly and effectively meant ensuring its workforce remained safe and healthy, and plants remained operational.

“Internally, we’ve implemented several AI [artificial intelligence] and ML [machine learning] algorithms into our demand processes in the last three months to help predict demand under COVID-19,” Lafosse stated, referring to the firm’s EDI (Electronic Data Interchange) and other technologies which support a complex supply chain that relies on third-party transportation and warehouses across the globe. 

Of course, while a connected, data-driven supply chain has helped Kraft Heinz to manage the unprecedented demands of the pandemic, it has also widened the company’s attack surface, and COVID-19 has shown that cybercriminals are ready to seize on every opportunity in a crisis.

Danger lurks in the supply chain 

As with many organizations, the food and beverage giant witnessed a hike in both phishing and social engineering attempts. The surge in attacks was often themed around COVID-19, with bad actors leveraging the ongoing pandemic and disruption as an ‘optimal psychological angle’ to lure remote workers into clicking suspicious links and surrendering sensitive information such as login credentials.

“These attacks have always existed, but the recent frequency and highly customized messages are worrying for the industry,” said Lafosse. 

In response to the increase in activity, Kraft Heinz quickly increased monitoring across its infrastructure, and developed real-time security awareness advisories and training for all employees. Lafosse said the company blocked malicious websites detected by its threat intelligence sources and ran an awareness campaign about them, including examples and tips on how to identify malicious websites.

The food and beverage company also saw an increase in brand spoofing attacks against their suppliers via social engineering emails: “To help mitigate the impact of these spoofing campaigns, we are implementing additional controls to help us identify and deter such attacks through email reputation and domain authentication,” said Lafosse. 

“Through our strong relationships with our suppliers, they promptly notify us of these issues as they arise.”
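The domain authentication controls Lafosse refers to are typically SPF and DMARC records published in DNS, and the first check a defender runs is whether a partner domain's records are actually restrictive. The script below is an added example (not Kraft Heinz code and not from the original article) that parses SPF and DMARC TXT record strings and flags the weak settings that leave a brand open to spoofing: a missing record, SPF ending in `+all` or `?all`, or a DMARC policy of `p=none` that only monitors. The domain names and record contents are constructed for illustration; a real check would fetch the TXT records for the domain and its `_dmarc` subdomain via DNS.

```python
"""Assess a domain's published SPF and DMARC records for weak settings.

Added example, not from the original article. The TXT record strings
below are constructed; in practice they come from DNS TXT lookups of
<domain> (SPF) and _dmarc.<domain> (DMARC).
"""

# Constructed sample records (the domains and values are made up).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailer.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@strong.example",
    },
    "nodmarc.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}


def parse_spf(record):
    """Return {'mechanisms': [...], 'all': qualifier} or None if not an SPF record."""
    if not record or not record.lower().startswith("v=spf1"):
        return None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        if term.lower().lstrip("+-~?") == "all":
            # A bare 'all' is equivalent to '+all' (pass everything).
            all_qualifier = term[0] if term[0] in "+-~?" else "+"
        else:
            mechanisms.append(term)
    return {"mechanisms": mechanisms, "all": all_qualifier}


def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the record is missing or not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_domain(spf_record, dmarc_record):
    """Return a list of findings; an empty list means nothing weak was flagged."""
    findings = []
    spf = parse_spf(spf_record)
    if spf is None:
        findings.append("SPF: no valid record published")
    elif spf["all"] in (None, "+"):
        findings.append("SPF: 'all' missing or '+all' (any sender passes)")
    elif spf["all"] == "?":
        findings.append("SPF: '?all' is neutral and provides no protection")
    elif spf["all"] == "~":
        findings.append("SPF: '~all' softfail; move to '-all' once senders are inventoried")

    dmarc = parse_dmarc(dmarc_record)
    if dmarc is None:
        findings.append("DMARC: no valid record published")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append("DMARC: policy tag 'p' missing or invalid")
        if "rua" not in dmarc:
            findings.append("DMARC: no 'rua' address, so spoofing attempts go unreported")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


def assess_all(records=SAMPLE_RECORDS):
    """Assess every domain in the record set; returns {domain: findings}."""
    return {d: assess_domain(r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, findings in assess_all().items():
        print(domain, "->", findings or ["no weaknesses flagged"])
```

Run against the constructed set, `strong.example` produces no findings, while the other two are flagged for the softfail/monitor-only and the `+all`/missing-DMARC combinations respectively. Paired with an email gateway that honours the published policy, this is the check that turns "domain authentication" from a phrase into an enforced control.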

Cybersecurity at the heart of Kraft Heinz

Indeed, like the FMCG market as a whole, Kraft Heinz is increasingly reliant on data and technology, yet its most effective cybersecurity often comes down to individual awareness and teamwork.

Security is considered a core business function within Kraft Heinz: “a cybersecurity disruption to our organization could impact our entire operations and would have cascading effects throughout the supply chain – ultimately affecting our consumers,” Lafosse said. With connected, tech-driven supply chains, the firm is constantly leveling up its cybersecurity infrastructure while fostering a security-first culture across all facets of the business, which means it is rarely caught off guard.

“We implement security controls at various layers to help detect, prevent, and mitigate the impact of such an attack. Information security has enabled the organization to adopt new technologies in a secure manner while ensuring business goals are met in a collaborative manner,” said Lafosse. 

“We are partners at the table instead of an isolated enforcement team […] we believe that cybersecurity starts with every employee being our first and best line of defense against malicious actors.”

The collaborative model gives Kraft Heinz an edge when it comes to responding to threats, he added: “with this collaborative model, we are brought to new initiatives very early on to advise and assist — allowing us to integrate security early on instead of ‘bolting on’ security at the last minute.”

Kraft Heinz instils the importance of cybersecurity on employees the moment they walk through the door for the first time. Workers are given “robust onboarding security training”, which is continually followed up by an awareness program and annual training, while Lafosse also works with employees to understand concerns: “we collaboratively work with our employees and take their feedback into our security program very seriously.”

On how the FMCG market can continue to bolster its increasingly connected and complex supply chains, particularly as COVID-19 has laid bare the scale and growing sophistication of the cybercriminal ecosystem, the Kraft Heinz chief information security officer said the evolution must be tackled “in two streams.”

“First, there needs to be a ‘minimum security’ standard agreed upon with the supply chain prior to transmitting data.” That standard would help protect the integrity of the data, lowering the chances of it being tampered with and ensuring it is not exfiltrated during communication or exchange.

Secondly, “we need to assist our supply chain partners in strengthening their overall security posture.” While maturity varies from partner to partner, the weakest link in the entire chain can serve as an entry point for bad actors, and could ultimately affect not just one company, but multiple partners. Alongside robust internal cybersecurity protection and education, providing additional guidance to supply chain partners is equally vital to secure the entire chain.