Protecting our people and products, and the data we are trusted with.

Why Security Matters

GRI 418: 103-1 | 103-2 | 103-3 | 418-1;
Explanation of the material topic and its Boundary
Explain management approach components
Evaluate management approach
Substantiated complaints concerning breaches of customer privacy and losses of customer data
Greif prioritizes the security of our assets—people, product and data. This includes the physical security of our facilities, ensuring the safety of our colleagues and maintaining a safe environment for our manufacturing assets. Cybersecurity protects systems, networks and programs from digital attacks. Data security protects our internal and customer data from cyber-attacks. Product security safeguards our customers’ products throughout the supply chain, including shipping and transport.



100% Cybersecurity Training Completion

All Greif colleagues, where relevant, completed cybersecurity training in 2021.

Our data security practices comply with Sarbanes-Oxley, EU General Data Protection Regulation (GDPR) and Greif’s Records Management and Retention Policy. Greif’s Information Technology Team, led by our manager of Global IT Security, manages data security, which includes annual audits for IT control processes, quarterly reviews of data permissions and quarterly phishing simulations. Greif Executives receive updates through a cybersecurity dashboard that we also share quarterly with Greif’s Enterprise Risk Management Team and Board. The dashboard tracks our performance using the National Institute of Standards and Technology NSF maturity index score. Greif’s Vice President and Chief Administrative Officer provides the board with security-related updates periodically.

Should Greif fall victim to a cybersecurity breach, we maintain an IT Services Cyber Incident and Response Plan and an IT Services Global Business Continuity Plan, which outline our steps to respond to and mitigate the impact of an incident quickly. In 2021, we conducted scenario-based tabletop exercises with our Executive Leadership Team to test our IT Services Cyber Incident and Response Plan and IT Services Global Business Continuity Plan. From the key learnings, we identified opportunities and developed additional playbooks to support incident identification and containment. We work with both industry and regional associations and consortiums to support knowledge sharing of incident response, business continuity and cybersecurity best practices.

In 2018, we conducted a cybersecurity maturity assessment in collaboration with a third-party partner. We began work to implement findings from the maturity assessment and established a three-year cybersecurity strategy. As part of this strategy, we have implemented single-sign on (SSO) and multi-factor authentication (MFA) to Greif’s exposed applications. We have implemented next-gen antivirus solutions with endpoint detection and response services. In 2021, we extended our capabilities to monitor and detect potential issues and automate detection and prevention processes. We also laid the groundwork for third-party risk management and expect to implement this program in 2022. Furthermore, we have implemented solutions in Europe to limit physical network access to only Greif-authorized equipment and plan to expand this effort to North America beginning in 2022. We are conducting another maturity assessment to measure our progress and identify opportunities to further improve our security approach.

At the center of our security operations is training. Cybersecurity and Awareness training helps improve our colleagues’ ability to identify and respond to potential threats and minimize risk in both digital and physical spaces. We train colleagues in topics such as phishing attacks, cybersecurity hygiene and general internet safety. After completing the training, all colleagues must complete a quarterly checkup, ensuring knowledge is retained and put into practice. The training is mandatory for any colleague with access to computers, including our Executive Leadership Team. Colleagues also receive quarterly newsletters promoting cybersecurity awareness and weekly security tips on topics ranging from password security to avoiding phishing scams, and they participate in our annual Cybersecurity Month each October. Additionally, we have hosted external speakers to present to our colleagues through a live webinar and recording made available through Greif University.

Each month members of Greif’s cybersecurity, human resources and legal departments meet to discuss compliance with current and emerging data security and data privacy regulations. We monitor regulatory changes and actions required to ensure compliance. Greif received no substantiated complaints concerning breaches of customer privacy and identified no leaks, thefts or losses of customer data in 2021.To protect customer data, we follow a need-to-know model to limit the number of people with access to secure information. This year, we implemented software solutions to protect and encrypt our endpoints to limit our exposure to potential data breaches and to classify our data through manual tagging. Our colleagues now have the ability to self-tag their information and emails with the proper data classification based on our new data classification framework. We also launched a new training in 2021 to educate colleagues on our Records Management and Retention and Data Privacy policies. To further comply with GDPR, we have conducted GDPR training for our colleagues in EMEA and began establishing a formal data classification framework. In 2022, we will continue to monitor and adjust our approach to protecting customer privacy.

To manage the physical security of our buildings, Greif installs tag readers and PIN code locks at our facilities. We require a bill of lading for each shipment picked up from our facilities. Greif supports product security throughout our supply chain by offering tamper-resistant closures.

Highlight Stories

FPS In Turkey Receives ISO 27001 Certification

Since 2018, Greif’s Flexible Products and Services (FPS) Turkey operations have been ISO 27001 certified, reflecting of our commitment to keeping Greif’s, and Greif’s customers’, information assets secure. The certification demonstrates that the information security management system (ISMS) meets international best practices and shows the significant efforts made by FPS Turkey towards compliance with the General Data Protection Regulation (GDPR) in Europe. The certification builds on FPS Turkey’s impressive quality credentials, which include ISO 9001 certified Quality Management Systems, Grade AA BRC IoP Global Standard for Packaging and Packaging Materials Issue 6-compliant Product Safety Management Systems and ISO 14001 compliant Environmental Management Systems.



100% Cybersecurity Training Completion

All Greif colleagues, where relevant, completed cybersecurity training in 2021.


Years of Experience

For the past 145 years, the world’s most important products have travelled around the world in Greif industrial packaging.