Mondelez International, maker of such brands as Oreo, Ritz and Sour Patch Kids, is in the midst of rolling out a video-based security awareness and training program.
The 2017 NotPetya supply-chain wiper attack hit the $26.6 billion global food company Mondelez International hard, sidelining Windows-based computers and disrupting its distribution.
Sure, APT attacks can be damaging and even deadly, but denying the world its Oreo cookies is just plain cruel. In fact, Nikolay Betov, information security officer at Mondelez, told SC Media that this event “changed everything.”
But take heart, snack enthusiasts. Mondelez has embarked on a new security awareness initiative designed to promote cyber hygiene best practices within both its offices and its manufacturing plants, hopefully reducing the efficacy of whatever the next big attack is. This global initiative will expose employees to short but impactful video-based lessons produced by security awareness company AwareGO on topics such as phishing, data leaks, Microsoft Office security and Zoom bombing. Then Betov’s team tests employees with phishing simulations and assessment questions to see if the lessons are retained.
With 42,000 employees, and a significant contingent of contractors working in offices and manufacturing sites all around the globe, Mondelez must design a training program that speaks to different cultures, languages and business models.
SC Media interviewed Betov to get an insider’s perspective of the three-year program, which in its first six months is already yielding measurable results. Working out of Slovakia, Betov has been a stalwart at the company for 22 years, starting as a network administrator when the company was known as Kraft Foods, and growing with the food giant as it assembled a powerhouse roster of ubiquitous brands such as Oreo, Chips Ahoy!, Ritz, Cadbury, Halls, Trident and more.
Note: The following interview was slightly modified and edited for clarity.
Fill us in on your background.
I started as a network administrator and worked up to different roles. I was lucky to have numerous roles, as Mondelez is a company that grew through acquisitions.
I joined information security in 2015… The area was really interesting and growing – and it grew even faster after that. At the moment, I’m responsible for governance and awareness, and as a side job I do identity and access management, which we transitioned into security. So, the main goals for me are policies, standards, outlining control objectives, and rolling out to the business and the rest of the architects who are building it. And then on the awareness front, it is building and propagating a security culture within the company.
What prompted the decision to revitalize your security awareness program?
We have had security awareness for years. That is not a new thing for Mondelez. But it was standard, compliance-based, once a year: You’ll go to a 40-minute training, you’ll click that you’ll comply with X, Y, Z; it’s talking mainly policies and what the company expects from the employees.
So I took over this area in June last year [as part of a cybersecurity program] which includes multiple components, such as upgrading our security operations center with new technologies, risk management, data protection programs and [a strong emphasis on] awareness – because… you really need to get people to understand and to practice something in order to behave [properly] in a critical situation.
So we are looking at how we can really connect with this broader workforce that we have, with distributed factories, office employees – especially now with remote ways of working, people going to the offices less. We’re saying… “What do we want to change within the organization… to drive a change in the culture?” And we were clear that’s not a quick [fix]. We’re preparing to go on a journey and it is proving to be more complex than we expected, but I think we’re really on a good track and we’re starting to see the first results.
Before we get to those results, what are your goals?
We were looking for a way to build some metrics and be able to measure [success]. So we started by conducting a survey among the employees. “How do you feel about your awareness on security? Is it easy for you to find information?” And we found some gaps, both in terms of where security is perceived as too heavy or bureaucratic, and in terms of [how effectively we’re] delivering messages as well. [There were instances] where people thought they were doing well. But really, when you put them in a scenario – “Hey… would you be sharing a password with [your boss]?” People in some cases would consider that a normal and acceptable way of behavior. So we want to measure the impact of, for example, our phishing simulations.
The second area was measuring results of security operations center incidents. But we’re not there yet.
And the third [is a security training] module. We give, every second week, a video to the people. It’s one minute, they watch it, and there is a short question at the end. And then we run an assessment on the module.
We said, what are the key threats for us? We have defined eight threats based on experience, including SOC… phishing, social engineering and things like that. And we said, what are the key behaviors we want to measure? For instance, not just not clicking [on phishing simulation emails] but also reporting incidents. How do you handle sensitive information, password management, handling multiple passwords?
And there were some really interesting observations.
What were some of the observations and measurable results so far?
We have been training users for years on what a strong password is and to also embrace a passphrase [which is even stronger.]
But when we asked them, “Can you put these passwords in order of strength?” they put as the strongest password the one which had a special character, even though it was [only] 8 characters in length, instead of the one which was 16 characters. And we said… we need to do something different to change the mindset, because it is so deeply embedded that you need to have 8 characters, a digit and a special character.
And as an example of improvement, I can give you results from the latest phishing simulation that we did. We did a bit more difficult one. We tailored it – we put an old Mondelez logo [in the email.] So, our failure rate – that means people entering their credentials – was higher than the industry average.
But with the awareness campaign, we started with the Asia Pacific region. So, I would say, if the [industry failure rate] benchmark was “X percent” and our average score was X-plus-five-percent, Asia Pacific was 30 percent lower. And it was the only region below the benchmark of the others.
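The password-ordering result above comes down to arithmetic that awareness training rarely shows: an alphabet of 95 printable characters raised to the 8th power is far smaller than 26 lowercase letters raised to the 16th. The following is an added illustration, not a tool from the article or from Mondelez; the sample passwords are constructed, and the estimate is a search-space upper bound that ignores dictionary words.

```python
import math

# Estimate password strength as bits = length * log2(alphabet size).
# Added illustration of the interview's point; not Mondelez's tooling.

def charset_size(password: str) -> int:
    """Size of the smallest printable-ASCII alphabet covering every character."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33   # space plus the 32 ASCII punctuation characters
    return size

def entropy_bits(password: str) -> float:
    """Upper bound on search-space entropy; dictionary words lower the true figure."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def rank_by_strength(passwords):
    """Return (password, estimated bits) pairs, strongest first."""
    scored = [(pw, round(entropy_bits(pw), 1)) for pw in passwords]
    return sorted(scored, key=lambda item: item[1], reverse=True)

# Constructed samples mirroring the survey: an 8-character "complex" password
# with a digit and a special character versus a 16-character lowercase passphrase.
SAMPLES = ["Oreo#123", "cookiesonshelves", "Pa55word!"]

if __name__ == "__main__":
    for pw, bits in rank_by_strength(SAMPLES):
        print(f"{bits:5.1f} bits  {pw}")
```

The 16-character lowercase passphrase scores about 75 bits against roughly 53 for the 8-character complex password, the opposite of the ordering most surveyed employees chose.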
Nikolay Betov, information security officer at Mondelez International.
Can you explain a little more about the nature of the training videos?
It is a one-minute video, followed by one question – very simple, but not always straightforward, and then a reference material for further reading, which is optional.
We run a new video every second week. So we have built the program around six months, during which we had 10 videos plus three assessments.
The key for me is repetition, just like you are going into a gym for practice. Usually people tell us, “Even after the phishing simulation… you know what? I fell for it. And I know it. And I’m so angry at myself because all the hints were there.” And I tell them, “Look, it is a matter of practice… The more you practice, you come to know it. But when it hits you [for real], you need to have it in mind in the back of your head so it immediately comes to you.”
At the end of the video, [we can] customize messages to make them relevant [to each department or location]. For example, we can show our report phishing button… And we put in our logo and say, “This is what we need from you” – and we have translated that into six languages.
And it’s not just office workers, is it? There are also manufacturing plant employees, who have very different jobs and associated cyber risks. What does their training look like?
We focus really on the areas which are impacted by human behavior – network protection, relying on firewalls, NAC systems.
For manufacturing we have identified the three things: USB use (which is widely used), software updates… and the third one is visitors and maintenance companies – these guys who are coming with their laptops, plugging into our equipment, and doing some tuning of the machines, etc. So, don’t leave them unattended, have a checkpoint on the software. Is it a trusted company? A big one like Siemens who have all the tooling in place, or is it a local vendor, and he bought his laptop from his brother’s shop and you don’t know what is running on it? So have a local IT guy first check it before they move on.
There is a third dimension that we consider. We call them persona groups. So we want to do a separate [awareness] focus on people with privileged access accounts and also senior executives for whaling kind of behavior.
Considering the current threat landscape, what are Mondelez’s top security concerns that you hope to address through not just the awareness program, but your larger cyber initiative?
Operations continuity – which includes manufacturing the product, and reaching the shelves and the customers – is really at the top of the list.
We make simple things – cookies and candy. We are not a typical IP company. But still, we don’t want our trade secrets, our recipes for Cadbury or for Oreos, to be circulating around, so I would also say brand protection, financial loss.
You may recall we were hit in 2017 by NotPetya, quite severely… And everyone who was with the company at that point in time remembers what it took us to ensure continuity. Fortunately our SAP ERP systems were running on Linux, Unix, so they were not impacted, but people were without PCs or Windows devices… This had a huge impact, and when we talk about going forward it is in the back of the mind of management as well as the employees.
What is the next step? New locales? New training materials and modules?
It’s both. We have finished Asia Pacific and we have started Latin America. At the end of this month we’re doing North America, and Europe is planning a campaign with us.
After that, we want to go in depth, increasing the complexity and the topics that we’re talking about, as well as penetration in the organization. We know it will not all be done in year one.