Information security

Our information security risks relate to all the valuable data we hold. This not only includes details about our customers, consumers, suppliers, and employees, but also information on our business strategy, our engineering and experimental data, including results from research. The danger is that this important information could be stolen, leaked, or damaged in some way.

In order to minimize this risk, we are committed to continually enhancing our information security framework. We understand the importance of awareness and the role every employee can play in keeping our data safe. We ensure that our regularly updated policies and procedures are shared with and understood by employees, as education is a key component of our broader cyber defense strategy.

IT risk management

The JT Group IT Governance Policy is at the top of our hierarchy of IT policies and procedures. This is the bedrock of information security governance. We operate IT controls to support relevant legal and regulatory requirements, specifically regarding how personal and financial information is controlled and processed. The Senior Vice President, Information Technology has managerial responsibility over the JT Group’s IT Governance systems.

Personal information protection

To appropriately protect and ensure the responsible use of data, personal information is handled in accordance with appropriate laws and regulations, specifically as they relate to applicable data protection legislation. In addition, our internal policies set out the guidelines for collecting, processing, and using personal information. Through employee awareness and protection technologies, labeling and classifying personal information have now become essential elements in controlling, tracking and protecting information.

Monitoring system

Our IT infrastructure and information security management systems are continuously monitored to detect cyber threats. Existing security detection systems are systematically assessed by internal and external auditors, ensuring our practices meet the highest standards. As part of our continual improvement strategy to harden our security posture and adapt to an ever-changing threat landscape, we instruct third-party providers to perform vulnerability testing. Simulated cyber-attacks are a valuable part of our strategy: they help us find areas for improvement while simultaneously testing our incident response procedures.

Business continuity and incident response

One of our key focus areas is ensuring continuity of critical business processes and reducing the risk of financial and/or reputational damage. In the event of a disruptive incident or cyber-attack, we have a robust response structure, which is based on the following aspects:

  • Our IT Business Continuity Policy describes the efforts of our IT team to support business process continuity. The most important of these processes are detailed below.
      • Disaster recovery procedures and plans: Critical IT infrastructure, such as our data centers, has recovery and rehearsal procedures in place to simulate disaster scenarios. This enables us to understand how well procedures are operating and identify any areas for improvement.
      • IT service availability: IT controls are in place to ensure the availability of business-critical IT services in worst case scenarios.
      • Data backup and restoration: We have efficient data backup and restoration procedures to restore business-critical data within the required timelines. Controls are also in place to protect confidential data and data integrity, in order to minimize business disruption.
      • Incident management: Robust procedures and service-level agreements (SLAs) are in place in the event of an incident. Clear investigation and incident post-mortem processes exist. These help us to understand the root cause of such incidents and prepare for similar scenarios in the future. They also help us to avoid repeating the same mistakes.
  • In our tobacco business, we have carried out a major cyber crisis preparedness audit. The procedures and playbooks to deal with cyber events are in development. Once ready and tested, these will be shared within JT Group.

Information security training

Our information security awareness strategy empowers our employees to be the first line of defense against cybercrime and attacks. It provides the tools and know-how they need to identify threats and take appropriate action to protect the JT Group.

JT Group implemented a global bespoke i-secure program, which was established to promote a culture of cyber security awareness both at home and at work. The annual learning program is executed in 100% of locations worldwide. 88% of all our employees received information security e-learning. Key behavior indicators allow us to constantly measure the effectiveness of our program. This learning initiative supplements our technological defenses against cybercrime by ensuring that all employees understand how to better protect our information. We also pay special attention to the cyber security risks around executives. In Jan 2023 we held a security briefing session (including threats and risks) for directors and non-executive board members.

As we increasingly move towards the use of cloud services for data processing, we are re-evaluating risks and strengthening our security defenses. We continually assess the threat to our company using a variety of security intelligence methods. The JT Group's vision is to become the number one leading tobacco company by 2030. This will require technological advances, which in turn bring new and complex security challenges.

It is the role and responsibility of Information Security to constantly adapt to the ever-changing technical landscape. We are making great efforts to continually improve the security of all areas of the business, with a focus on global collaboration to ensure that the best security practice and defense technologies are used across the JT Group.