Security

Protecting our people and products and the data we are trusted with.

Highlights

  • Greif’s oversight of physical security, cybersecurity and product security is key to protecting our people, products, assets and customer data.
  • Our ability to improve our internal technology and technology-enabled communications with customers requires effective security measures to demonstrate our reliability and bolster customer satisfaction.
  • Greif received no substantiated complaints concerning breaches of customer privacy and identified no leaks, thefts or losses of customer data in 2022.

Why Security Matters

GRI 3-3 | 410-1 | 418-1

  • 3-3: Management of material topics
  • 410-1: Security personnel trained in human rights policies or procedures
  • 418-1: Substantiated complaints concerning breaches of customer privacy and losses of customer data

Greif prioritizes physical security, cybersecurity and product security, which are critical to protecting our assets. Physical security includes safeguarding our facilities, ensuring the safety of our colleagues and maintaining a safe environment for our manufacturing assets. Cybersecurity defends Greif’s and our customers’ information resources – systems, networks, applications and programs – from digital attacks. Product security safeguards our customers’ products throughout the supply chain, including shipping and transport. Improvements in internal technology and technology-enabled customer communication enable us to enhance our reliability and bolster customer satisfaction. Greif will continue to build on best practices to improve our ability to protect internal and external information.

Governance

Our data security practices comply with Sarbanes-Oxley, EU General Data Protection Regulation (GDPR) and Greif’s internal policies including Records Management and Retention Policy, Data Privacy Policy, information security policy and IT procurement and spend policy. Security is a shared responsibility across the entire organization, led by the Chief Technology Officer (CTO), with cybersecurity, in particular, falling under the responsibility of the Chief Information and Digital Officer. Greif’s CTO provides the Board and Audit Committee with periodic security-related updates. Greif Executives also receive updates through a cybersecurity dashboard shared quarterly with Greif’s Enterprise Risk Management Team and Board. The dashboard tracks our performance using the National Institute of Standards and Technology Cybersecurity Framework as a reference. Greif’s Information Technology Team also plays a role in overall data security, conducting annual audits of IT control processes and running monthly phishing simulations and awareness articles, up from quarterly in 2021.

Should Greif fall victim to a cybersecurity breach, we maintain a Cyber Incident and Response Plan and an IT Services Global Business Continuity Plan, which outlines our steps to respond to and mitigate the impact of an incident quickly. Greif’s ethics hotline is available to all colleagues for reporting suspected data breaches, and an automatic phishing report option is available to all colleagues with email access. We work with industry and regional associations and consortiums to support knowledge sharing of incident response, business continuity and cybersecurity best practices.

Training is a vital part of Greif’s cybersecurity program. Cybersecurity and awareness training helps improve our colleagues’ ability to identify and respond to potential threats and minimize risk in both digital and physical spaces. We train colleagues on phishing attacks, cybersecurity hygiene and general internet safety, among other topics. After completing the training, all colleagues must conduct a quarterly checkup, ensuring knowledge is retained and practiced. This training is compulsory for all colleagues with computer access, including our Executive Leadership Team. Our colleagues also receive quarterly newsletters promoting cybersecurity awareness, weekly security tips on topics ranging from password security to avoiding phishing scams and connections to external security speakers through Greif University. They also participate in our annual Cybersecurity Month awareness campaign each October. Greif works with a third-party partner to implement these training initiatives, and Greif’s overall phishing-prone score is 11 percent better than our industry’s average for large-scale manufacturers.

Each month, members from Cybersecurity, Human Resources and the Legal Department meet to discuss compliance with current and emerging data security and privacy regulations. We monitor regulatory changes and actions required to ensure compliance. To protect customer data, we follow a need-to-know model to limit the number of people with access to secure information, both internally and externally. Additionally, to ensure sound management of confidential data, we obtain consent through agreements and contractual clauses and comply with all relevant regulations. We implement software solutions to protect and encrypt our endpoints to limit our exposure to potential data breaches, and we continue to educate colleagues on our Records Management and Retention and Data Privacy policies. To further comply with GDPR, we have conducted GDPR training for our colleagues in Europe, the Middle East and Africa. Additionally, we routinely and securely destroy hardware and hard copies containing confidential information through verified service providers.

We install tag readers and PIN code locks to safeguard physical access at our facilities, and a bill of lading is required for each shipment picked up from our facilities. Additionally, tamper-resistant enclosures are used throughout the supply chain to give customers confidence that their products are protected and secure.

Goals, Progress & Performance

Greif regularly reviews its security strategy and roadmap and assesses progress through third-party partnerships. In 2023, we will update our multi-year roadmap through a cybersecurity maturity assessment with an external partner.

The use of single sign-on (SSO) and multi-factor authentication (MFA) is key to protecting Greif’s high-risk applications. We have implemented next-gen antivirus solutions with endpoint detection and response services and expanded our automated detection and prevention processes in 2022. Greif will continue to assess its security maturity regularly, ensuring we apply and integrate best practices throughout all levels of the organization.

Greif received no substantiated complaints concerning breaches of customer privacy and identified no leaks, thefts or losses of customer data in 2022.