Mondelez International, maker of such brands as Oreo, Ritz and Sour Patch Kids, is in the midst of rolling out a video-based security awareness and training program.
The 2017 NotPetya supply-chain wiper attack hit $26.6 billion global food company Mondelez International hard, sidelining Windows-based computers and disrupting its distribution.
Sure, APT attacks can be damaging and even deadly, but denying the world its Oreo cookies is just plain cruel. In fact, Nikolay Betov, information security officer at Mondelez, told SC Media that this event “changed everything.”
But take heart, snack lovers. Mondelez has embarked on a new security awareness initiative designed to promote cyber hygiene best practices within both its offices and its production plants, hopefully reducing the efficacy of whatever the next big attack is. This global initiative will expose employees to short but impactful video-based lessons developed by security awareness company AwareGO on topics such as phishing, data leaks, Microsoft Office security and Zoom bombing. Then Betov’s team tests employees with phishing simulations and assessment questions to see if the lessons are retained.
With 42,000 employees, and a large contingent of contractors working in offices and manufacturing sites all over the globe, Mondelez must design a training program that speaks to multiple cultures, languages and business units.
SC Media interviewed Betov to get an insider’s view of the three-year program, which in its first six months is already yielding measurable results. Working out of Slovakia, Betov has been a stalwart at the company for 22 years, starting as network administrator when the company was known as Kraft Foods, and growing with the food giant as it assembled a powerhouse roster of ubiquitous brands like Oreo, Chips Ahoy!, Ritz, Cadbury, Halls, Trident and more.
Fill us in on your background.
I started as a network administrator and worked up to different roles. I was fortunate to have multiple roles, as Mondelez is a company that grew through acquisitions.
I joined information security in 2015… The area was really interesting and growing – and it grew even faster after that. At the moment, I’m responsible for governance and awareness, and as a side role I do identity and access management, which we transitioned into security. So, the main targets for me are policies, standards, outlining control objectives, and rolling out to the business and the rest of the architects who are building it. And then on the awareness front, it is building and propagating a security culture within the company.
What prompted the decision to revitalize your security awareness program?
We have had security awareness for years. That’s not a new thing for Mondelez. But it was classic, compliance-based, once a year: You will go to a 40-minute training, you’ll click that you’ll comply with X, Y, Z; it’s talking mostly policies and what the company expects from the employees.
So I took over this area in June last year [as part of a cybersecurity program] which includes multiple elements, including upgrading our security operations center with new technologies, risk management, data protection programs and [a strong emphasis on] awareness – because… you need really to get people to understand and to practice something in order to behave [properly] in a critical situation.
So we are looking at how we can really connect with this broader workforce that we have, with distributed factories, office staff – especially now with remote ways of working, people going to the offices less. We’re saying… “What do we need to change within the company… to drive a change in the culture?” And we were clear that’s not a quick [fix]. We’re planning to go on a journey and it is proving to be more difficult than we expected, but I think we’re really on a good track and we are starting to see the first results.
Before we get to those results, what are your objectives?
We were looking for a way to build some metrics and be able to measure [success]. So we started by conducting a survey among the employees. “How do you feel about your knowledge on security? Is it easy for you to find information?” And we identified some gaps both in terms of where security is perceived as too heavy or bureaucratic, and in terms of [how effectively we’re] delivering messages as well.
[There were instances] where people thought they were doing fine. But actually, when you put them in a situation – “Hey… would you be sharing a password with [your boss]?” People in some cases would consider that a normal and acceptable way of behavior. So we want to measure the impact of, for example, our phishing simulations. The second area was measuring effectiveness of security operation center incidents. But we’re not there yet.
And the third [is a security training] module. We give, every second week, a video to the people. It is one minute, they watch it, and there is a short question at the end. And then we run an assessment on the module.
We said, what are the key threats for us? We have listed eight threats based on experience, like SOC… phishing, social engineering and stuff like that. And we said, what are the key behaviors we want to measure? For example, not just not clicking [on phishing simulation emails] but also reporting incidents. How do you handle critical information, password management, dealing with multiple passwords?
And there were some really interesting observations.
What were some of the observations and measurable results so far?
We have been training users for years on what a strong password is and to also embrace a passphrase [which is even stronger.]
But when we asked them, “Can you place these passwords in order of strength?” they placed as the strongest password the one which had a special character, even though it was [only] 8 characters in length, instead of the one which was 16 characters. And we said… we need to do something different to change the mindset because it is so deeply embedded that you need 8 characters, a digit and a special character.
And as an example of improvement, I can give you results from the latest phishing simulation that we did. We did a bit more difficult one. We tailored it – we put an old Mondelez logo [in the email.] So, our failure rate – that means people entering their credentials – was higher than the industry average.
But with the awareness campaign, we started with the Asia Pacific region. So, I would say, if the [industry failure rate] benchmark was “X percent” and our average score was X-plus-five-percent, Asia Pacific was 30 percent lower. And it was the only region below the benchmark of the others.
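The password-ranking observation above (an 8-character password with a special character being rated stronger than a 16-character one) can be checked with a brute-force search-space estimate. The following is an added example, not code from the article, from Mondelez or from AwareGO. It assumes the 16-character password is all lowercase, uses constructed sample passwords, and models strength as length times log2 of the alphabet size an attacker would have to search; it deliberately ignores dictionary and pattern attacks, so a long password built from common words is weaker than this estimate suggests.

```python
import math
import string

# Character classes and their alphabet sizes. A password that uses a class
# forces a brute-force guesser to include that whole class in its alphabet.
CHARACTER_CLASSES = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}


def alphabet_size(password: str) -> int:
    """Size of the union of character classes present in the password."""
    size = 0
    for chars, class_size in CHARACTER_CLASSES.values():
        if any(c in chars for c in password):
            size += class_size
    return size


def entropy_bits(password: str) -> float:
    """Search-space entropy in bits: length * log2(alphabet size).

    This is a brute-force model only; it does not account for dictionary
    words, keyboard walks or reuse, which shrink the real search space.
    """
    size = alphabet_size(password)
    if not password or size == 0:
        return 0.0
    return len(password) * math.log2(size)


def meets_legacy_policy(password: str) -> bool:
    """The '8 characters, a digit and a special character' rule from the interview."""
    return (
        len(password) >= 8
        and any(c in string.digits for c in password)
        and any(c in string.punctuation for c in password)
    )


def rank_by_strength(candidates):
    """Return the candidates ordered from strongest to weakest estimate."""
    return sorted(candidates, key=entropy_bits, reverse=True)


# Constructed sample passwords for the demonstration (not from the article).
SAMPLES = [
    "Oreo#123",          # 8 chars, all four classes: the 'looks strong' one
    "chipsahoycookies",  # 16 chars, lowercase only
    "Tr0ub4dor&3",       # 11 chars, all four classes
]


if __name__ == "__main__":
    for pw in rank_by_strength(SAMPLES):
        print(f"{pw:18} {entropy_bits(pw):5.1f} bits  "
              f"legacy policy: {'pass' if meets_legacy_policy(pw) else 'fail'}")
```

Run as written, the 16-character lowercase password ranks first at about 75 bits, ahead of the 11-character mixed one (about 72 bits) and well ahead of the 8-character one with a special character (about 52 bits), even though only the last passes the legacy complexity rule. That gap between what the rule rewards and what actually resists guessing is the mindset problem the interview describes.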
Nikolay Betov, Mondelez International.
Can you describe a little more about the nature of the training videos?
It is a one-minute video, followed by a single question – very simple, but not always easy, and then a reference material for further reading, which is optional.
We run a new video every second week. So we have built the program over six months during which we had 10 videos plus three assessments.
The key for me is repetition, just like you are going into a gym for practice. Often people tell us, “Even after the phishing simulation… you know what? I fell for it. And I know it. And I’m so angry at myself because all the hints were there.” And I tell them, “Look, it is a matter of practice… The more you practice, you seem to know it. But when it hits you [for real], you need to have it in mind in the back of your brain so it quickly comes to you.”
At the end of the video, [we can] customize messages to make them relevant [to each department or location]. For example, we can show our report phishing button… And we put in our logo and say, “This is what we want from you” – and we have translated that into six languages.
And it is not just office workers, is it? There are also manufacturing plant workers, who have very different jobs and associated cyber risks. What does their training look like?
We focus really on the areas which are impacted by human behavior – network protection, relying on firewalls, NAC solutions.
For manufacturing we have identified the three things: USB use (which is commonly used), software updates… and the third one is visitors and maintenance companies – these guys who are coming with their laptops, plugging into our equipment, and doing some tuning of the machines, and so on. So, don’t leave them unattended, have a checkpoint on the software. Is it a reliable company? A big one like Siemens who have all the tools in place, or is it a local vendor, and he bought his laptop from his brother’s shop and you don’t know what is running on it? So have a local IT person first check it before they move on.
There is a third dimension that we consider. We call them persona groups. So we want to do a separate [awareness] focus on people with privileged access accounts and also senior executives for whaling type of work.
Considering the current threat landscape, what are Mondelez’s top security concerns that you hope to address through not just the awareness program, but your larger cyber initiative?
Operations continuity – which includes manufacturing the product, and reaching the shelves and the consumers – is really on the top of the list.
We make simple things – cookies and sweets. We are not a typical IP company. But still, we do not want our trade secrets, our recipes for Cadbury or for Oreos, to be circulating around, so I would also say brand protection, financial loss.
You may remember we were hit in 2017 by NotPetya, very seriously… And everyone who had been with the company at that point in time remembers what it took us to ensure continuity. Thankfully our SAP ERP systems were running on Linux, Unix, so they were not impacted, but people were without PCs or Windows devices… This had a huge impact, and every time we talk about the possible future it’s in the back of the head of management as well as the workforce.
What is the next step? New locales? New training tools and modules?
It’s both. We have done Asia Pacific and we have started Latin America. At the end of this month we’re doing North America, and Europe is starting a campaign with us.
After that, we want to go in depth, raising the complexity and the topics that we’re talking about, as well as penetration in the business. We know it will not all be done in year one.
Some parts of this article are sourced from:
www.scmagazine.com