Mondelez International, maker of such brands as Oreo, Ritz and Sour Patch Kids, is in the midst of rolling out a video-based security awareness and training program.
The 2017 NotPetya supply-chain wiper attack hit the $26.6 billion global food company Mondelez International hard, sidelining Windows-based PCs and disrupting its distribution.
Sure, APT attacks can be damaging and even deadly, but denying the world its Oreo cookies is just plain cruel. Indeed, Nikolay Betov, information security officer at Mondelez, told SC Media that this event “changed everything.”
But take heart, snack lovers. Mondelez has embarked on a new security awareness initiative designed to promote cyber hygiene best practices within both its offices and its production plants, hopefully reducing the efficacy of whatever the next big attack is. This global initiative will expose employees to short but impactful video-based lessons developed by security awareness company AwareGO on topics such as phishing, data leaks, Microsoft Office security and Zoom bombing. Then Betov’s team tests employees with phishing simulations and assessment questions to see if the lessons are retained.
With 42,000 employees, and a large contingent of contractors working in offices and manufacturing sites all over the world, Mondelez must design a training program that speaks to different cultures, languages and business units.
SC Media interviewed Betov to get an insider’s view of the three-year program, which in its first six months is already yielding measurable results. Working out of Slovakia, Betov has been a stalwart at the company for 22 years, starting as a network administrator when the company was known as Kraft Foods, and growing with the food giant as it assembled a powerhouse roster of ubiquitous brands such as Oreo, Chips Ahoy!, Ritz, Cadbury, Halls, Trident and more.
Note: The following interview was slightly modified and edited for clarity.
Fill us in on your background.
I started as a network administrator and worked up to different roles. I was lucky to have many roles, as Mondelez is a company that grew through acquisitions.
I joined information security in 2015… The area was really interesting and growing – and it grew even faster after that. At the moment, I’m responsible for governance and awareness, and as a side job I do identity and access management, which we transitioned into security. So, the main goals for me are policies, standards, defining control objectives, and rolling out to the company and the rest of the architects who are building it. And then on the awareness front, it is building and propagating a security culture within the company.
What prompted the decision to revitalize your security awareness program?
We have had security awareness for years. That is not a new thing for Mondelez. But it was standard, compliance-based, once a year: You’ll go to a 40-minute training, you’ll click that you will comply with X, Y, Z; it is talking mostly policies and what the company expects from the employees.
So I took over this area in June last year [as part of a cybersecurity program] which includes several things, such as upgrading our security operations center with new technologies, risk management, data protection programs and [a strong emphasis on] awareness – because… you really have to get people to understand and to practice something in order to behave [properly] in a critical situation.
So we are looking at how we can really connect with this broader workforce that we have, with distributed factories, office workers – especially now with remote ways of working, people going to the offices less. We’re saying… “What do we need to change within the company… to drive a change in the culture?” And we were clear that is not a quick [fix]. We’re preparing to go on a journey and it is proving to be more difficult than we expected, but I think we’re really on a good track and we’re starting to see the first results.
Before we get to those results, what are your goals?
We were looking for a way to establish some metrics and be able to measure [success]. So we started by conducting a survey among the workforce. “How do you feel about your knowledge of security? Is it easy for you to find information?” And we found some gaps both in terms of where security is perceived as too heavy or bureaucratic, and in terms of [how effectively we’re] delivering messages as well.
[There were instances] where people thought they were doing great. But actually, when you put them in a situation – “Hey… would you be sharing a password with [your boss]?” People in some cases would consider that a normal and acceptable way of behavior. So we want to measure the impact of, for example, our phishing simulations. The second area was measuring results of security operations center incidents. But we’re not there yet.
And the third [is a security training] module. We give, every second week, a video to the people. It’s one minute, they watch it, and there is a quick question at the end. And then we run an assessment on the module.
We said, what are the key threats for us? We have listed eight threats based on experience, such as SOC… phishing, social engineering and things like that. And we said, what are the key behaviors we want to measure? For example, not just not clicking [on phishing simulation emails] but also reporting incidents. How do you handle sensitive information, password management, handling multiple passwords?
And there were some really interesting observations.
What were some of the observations and measurable results so far?
We were training people for years on what a strong password is and to also embrace a passphrase [which is even stronger.]
But when we asked them, “Can you put these passwords in order of strength?” they put as the strongest password the one which had a special character, even though it was [only] 8 characters in length, instead of the one which was 16 characters. And we said… we need to do something different to change the mindset because it’s so deeply embedded that you want to have eight characters, a digit and a special character.
And as an example of improvement, I can give you results from the latest phishing simulation that we did. We did a bit more difficult one. We customized it – we put an old Mondelez logo [in the email.] So, our failure rate – meaning people entering their credentials – was higher than the industry average.
But with the awareness campaign, we started with the Asia Pacific region. So, I would say, if the [industry failure rate] benchmark was “X percent” and our average score was X-plus-five-percent, Asia Pacific was 30 percent lower. And it was the only region under the benchmark of the others.
Nikolay Betov, information security officer at Mondelez International.
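The ranking exercise Betov describes can be made concrete with a back-of-the-envelope estimator. The Python below is an added example for this page, not code from Mondelez, AwareGO or SC Media. The sample passwords are constructed for illustration, the character-class model assumes every character was chosen uniformly at random from the detected alphabet (so it overstates the strength of dictionary-based strings), and the 7,776-word list size assumed for the passphrase estimate is the Diceware list size.

```python
"""Estimate password search space: why 16 plain characters beat 8 with a symbol.

Added example, not from the interview. Two estimators are shown:
  * entropy_bits():     character-class model (upper bound; assumes random choice)
  * passphrase_bits():  word-list model for passphrases built from a known list
"""
import math
import string

# Alphabet size an attacker must assume once a character class is known present.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),  # 32 ASCII symbols
)


def alphabet_size(password: str) -> int:
    """Sum the sizes of every character class that appears in the password."""
    size = 0
    for chars, weight in CLASSES:
        if any(c in chars for c in password):
            size += weight
    # Characters outside the four classes (e.g. non-ASCII) each widen the alphabet by one.
    extra = {c for c in password if not any(c in chars for chars, _ in CLASSES)}
    return size + len(extra)


def entropy_bits(password: str) -> float:
    """Upper-bound entropy in bits, assuming uniformly random characters."""
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Entropy of a passphrase drawn uniformly from a word list (default: Diceware size, assumed)."""
    return word_count * math.log2(wordlist_size)


def rank_by_strength(candidates):
    """Return (password, bits) pairs sorted strongest first under the character-class model."""
    scored = [(p, round(entropy_bits(p), 1)) for p in candidates]
    return sorted(scored, key=lambda item: item[1], reverse=True)


# Constructed samples mirroring the interview's two cases, plus a longer passphrase.
SAMPLE = ["Cook1e$!", "oreocookiesritz!", "tramplingcarpetsatnoon"]

if __name__ == "__main__":
    for pw, bits in rank_by_strength(SAMPLE):
        print(f"{pw:25} ~{bits:6.1f} bits (alphabet {alphabet_size(pw)})")
    # A four-word Diceware passphrase is in the same range as 8 random printable characters,
    # which is the caveat behind "longer is stronger": length only helps if the words are random.
    print(f"4-word passphrase         ~{passphrase_bits(4):6.1f} bits")
```

The 8-character sample with all four classes scores about 52 bits; the 16-character sample with only lowercase letters and one symbol scores about 94 bits, which is the point the training is trying to land. The passphrase estimator is the caveat: a long string assembled from a few dictionary words is only as strong as the number of words and the list they came from, not its character count.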
Can you explain a little more about the nature of the training videos?
It is a one-minute video, followed by one question – very simple, but not always easy, and then reference material for further reading, which is optional.
We run a new video every second week. So we have built the program over six months, during which we had 10 videos plus three assessments.
The key for me is repetition, just like you’re going into a gym for practice. Often people tell us, “Even after the phishing simulation… you know what? I fell for it. And I know it. And I’m so angry at myself because all the hints were there.” And I tell them, “Look, it’s a matter of practice… The more you practice, the more you seem to know it. But when it hits you [for real], you need to have it in the back of your mind so it quickly comes to you.”
At the end of the video, [we can] customize messages to make them relevant [to each department or location]. For example, we can show our report phishing button… And we put in our logo and say, “This is what we need from you” – and we have translated that into six languages.
And it’s not just office employees, is it? There are also manufacturing plant workers, who have very different jobs and corresponding cyber risks. What does their training look like?
We focus really on the areas which are impacted by human behavior – network protection, relying on firewalls, NAC solutions.
For manufacturing we have identified three points: USB use (which is widespread), software updates… and the third one is visitors and maintenance companies – these guys who are coming with their laptops, plugging into our equipment, and doing some tuning of the machines, and so on. So, don’t leave them unattended, have a checkpoint on the software. Is it a trusted company? A big one like Siemens who have all the tools in place, or is it a local vendor, and he got his laptop from his brother’s shop and you don’t know what is running on it? So have a local IT guy check it first before they move on.
There is a third dimension that we consider. We call them persona groups. So we want to do a separate [awareness] focus on people with privileged access accounts and also senior executives for whaling kind of behavior.
Looking at the current threat landscape, what are Mondelez’s top security concerns that you hope to address through not just the awareness program, but your larger cyber initiative?
Operations continuity – including manufacturing the product, and reaching the shelves and the consumers – is definitely at the top of the list.
We make simple things – cookies and candies. We are not a typical IP company. But still, we don’t want our trade secrets, our recipes for Cadbury or for Oreos, to be circulating around, so I would also say brand protection, financial loss.
You may remember we were hit in 2017 by NotPetya, quite seriously… And everyone who had been with the company at that point in time remembers what it took us to ensure continuity. Luckily our SAP ERP systems were running on Linux, Unix, so they were not impacted, but people were without PCs or Windows devices… This had a huge impact, and every time we talk about the potential future it is in the back of the mind of management as well as the employees.
What’s the next step? New locales? New training tools and modules?
It is both. We have done Asia Pacific and we have started Latin America. At the end of this month we’re doing North America, and Europe is starting a campaign with us.
After that, we want to go in depth, increasing the complexity and the topics that we’re talking about, as well as penetration in the organization. We know it will not all be done in year one.
Some parts of this article are sourced from:
www.scmagazine.com