Cybersecurity and data protection came out strongly as a key sustainability issue that was highlighted in our materiality assessment. As a contractor for the U.S. DOD we have an obligation to be compliant and ensure the highest levels of security are met.

As a contractor to militaries, we handle defence-related data. Through our work with the U.S. DOD we are subject to the International Traffic in Arms Regulations (ITAR) which mandate that access to data related to defence and military technologies is restricted to U.S. citizens only. A violation of ITAR could result in fines and/or loss of export licences. As with many organisations, we face risks from external threats that could cause sensitive data to be lost, corrupted or accessed by unauthorised users, leading to financial or reputational loss. Over the past 12 months, we have started an integration programme to ensure our newly acquired sites are running on our latest and most secure network. This programme is ongoing and will continue into the next year as we cover key aspects including infrastructure, ERP, desktop equipment and applications.
As of 2022, we have revisited and updated our Information Classification Policy. We commonly exchange information, some of which could have security classifications with external customers and partners, so as a Group, we prioritise the placement of appropriate markings, disclosure agreements and security measures. In addition, during the past year we have launched the Group’s new Compliance Programme alongside a reviewed and revised Information Security Policy and Code of Conduct. These documents define the standards expected of each employee, contractor and third party acting on behalf of Avon Protection, including meeting physical, digital and data security requirements. Over the next 12 months we have a target to introduce additional compliance training covering each of our three core compliance pillars spanning organisational governance, export compliance and security in an approach very similar to our proven and successful cybersecurity training programme.
As workplace COVID-19 restrictions reduce, we continue to be a flexible employer, allowing individuals to work from home where possible and, as a result, continue to maintain the enhanced monitoring of phishing attempts and other security threats both within and outside of our core locations. We have policies and mandatory online training delivered by a leading provider throughout the year, continually raising awareness of such risks with our employees to avoid any data breach of confidential information. Training includes online courses and questionnaires surrounding topics such as protecting personal and sensitive data and how to recognise social engineering attacks, with industry benchmarking data suggesting users are six times less likely to be prone to a phishing attack 12 months after this training. With 91% of successful data breaches starting with a spear phishing attack, we also run regular security tests to ensure our employees continue to utilise the tools provided to them in addition to their training. Since joining the programme, our cyber tests have proven our phish-prone rating to be half that of the industry average.
Cybersecurity training is a key line of defence for the Group and continues to support us as we work towards meeting the requirements of Cybersecurity Maturity Model Certification (CMMC) 2.0. CMMC 2.0 is a requirement for all contractors and subcontractors of the U.S. DOD, as the model brings together many cybersecurity requirements to better protect Controlled Unclassified Information (CUI).