Johnson & Johnson spinoff Kenvue listed on the New York Stock Exchange in May. The consumer-health company saw a surge in scams targetin...
 |
| Johnson & Johnson spinoff Kenvue listed on the New York Stock Exchange in May. |
As part of its separation from J&J, Kenvue consolidated tech systems and used artificial intelligence to help with tasks like summarizing cybersecurity incidents and creating same-day supplier risk assessments to quickly sign contracts with business partners, said Chief Information Security Officer Michael Wagner.
The company also uses AI to help its smaller cyber workforce analyze suspicious behavior, detect security threats and perform other tasks. Wagner, who was a vice president for information security at J&J, was part of a team that oversaw the cybersecurity aspects of Kenvue’s spinoff in August, after an IPO in May.
Kenvue worked with external contractors to prevent data breaches while transferring data off of J&J’s network. Now, Wagner said he is expanding his cyber team and moving away from the contractors who helped Kenvue separate from J&J. “It’s during times of change where companies are most vulnerable,” he said.
Kenvue makes brands including Band-Aid, Listerine, Neutrogena and Tylenol. When J&J’s then-CEO announced the split in 2021, he said the consumer-health business, prescription-drugs and medical device businesses had diverged in recent years. Drugmakers Pfizer and Merck had previously sold their consumer-health businesses and focused on pharmaceuticals.
In a disclosure filed with the U.S. Securities and Exchange Commission before its IPO, Kenvue warned that it could be a target. “Implementing our own information technology framework will be a complex, time-consuming and costly process, and could make us more vulnerable to cyberattacks, network disruptions or other information security or cybersecurity incidents,” the filing said.
During a business separation, companies need to involve cybersecurity leaders in conversations about protecting against risks, said Melissa Krasnow, privacy and data security partner at VLP Law Group. The companies need to iron out which is responsible if data is disclosed or accessed inappropriately while moving technology around, she said.
“Things can go wrong if you’re transferring technology and data,” she said. Opportunistic hackers swooped in during Kenvue’s separation, Wagner said. There was a 200% to 300% increase in attempted scams targeting Kenvue employees on their work and private devices and on WhatsApp.
Hackers impersonated Kenvue executives in their messages typically to try to fool staff into divulging sensitive corporate data or transfer payments, he said. Wagner said the company is using AI to detect abnormal behavior widely across its network and rolled out tailored training to help employees spot the scams. The number of attempted scams has since dropped, he said.
Kenvue continues to contract some technology services from J&J and will move applications for around another year. Wagner declined to say which IT services Kenvue contracts from J&J. The move is gradual, and different business divisions are still transferring parts of their technology over from J&J, he said. The light is at the end of the tunnel,” he said.
A team of cyber risk experts created a plan to bring some older technologies from J&J and modernize them. Kenvue is using some newer security technologies from major cloud providers, Wagner said. He cut ties with some suppliers he worked with at J&J that couldn’t work in Kenvue’s new systems.
Some cyber vendors that worked with J&J demanded “exorbitant” prices once Kenvue was a separate company, he said, in part because J&J is a bigger company with more bargaining power. Some prices doubled, he said. In some cases, such as for applications to manage employee access to technology systems, Wagner said he chose to continue using the tools anyway because they operate on certain platforms that require those tools.
With other technologies, Wagner said the cyber team was able to move onto newer tools because they didn’t depend on older architecture. Kenvue noted in its latest annual report that the cost of running its own enterprise systems is higher than before the company separated from J&J.