Mondelez International, maker of such brand names as Oreo, Ritz and Sour Patch Kids, is in the midst of rolling out a video-based security awareness and training program.
The 2017 NotPetya supply-chain wiper attack hit $26.6 billion global food company Mondelez International hard, sidelining Windows-based computers and disrupting its distribution.
Sure, APT attacks can be destructive and even deadly, but denying the world its Oreo cookies is just plain cruel. Indeed, Nikolay Betov, information security officer at Mondelez, told SC Media that this event “changed everything.”
But take heart, snack lovers. Mondelez has embarked on a new security awareness initiative designed to promote cyber hygiene best practices within both its offices and its production plants, ideally reducing the efficacy of whatever the next big attack is. This global initiative will expose employees to short but impactful video-based lessons developed by security awareness company AwareGO on topics such as phishing, data leaks, Microsoft Office security and Zoom bombing. Then Betov’s team tests employees with phishing simulations and assessment questions to see if the lessons are retained.
With 42,000 employees, and a large contingent of contractors working in offices and manufacturing sites around the globe, Mondelez must design a training program that speaks to different cultures, languages and business units.
SC Media interviewed Betov to get an insider’s view of the three-year program, which in its first six months is already yielding measurable results. Working out of Slovakia, Betov has been a stalwart at the company for 22 years, starting as network administrator when the firm was known as Kraft Foods, and growing with the food giant as it assembled a powerhouse roster of ubiquitous brands including Oreo, Chips Ahoy!, Ritz, Cadbury, Halls, Trident and more.
Fill us in on your background.
I started as a network administrator and worked up through different roles. I was lucky to have many roles, as Mondelez is a company that grew through acquisitions.
I joined information security in 2015… The space was really interesting and growing – and it grew even faster after that. Currently, I’m responsible for governance and awareness, and as a side job I do identity and access management, which we transitioned into security. So, the main objectives for me are policies, standards, outlining control objectives, and rolling out to the business and the rest of the architects who are building it. And then on the awareness front, it is building and propagating a security culture in the company.
What prompted the decision to revitalize your security awareness program?
We have had security awareness for years. That’s not a new thing for Mondelez. But it was standard, compliance-based, once a year: You’ll go to a 40-minute training, you’ll click that you’ll comply with X, Y, Z; it’s talking mostly policies and what the company expects from the employees.
So I took over this area in June last year [as part of a cybersecurity program] which includes a number of elements, like upgrading our security operations center with new technologies, risk management, data security programs and [a strong emphasis on] awareness – because… you really have to get people to understand and to apply something in order to behave [properly] in a critical situation.
So we are looking at how we can really connect with this broader workforce that we have, with distributed factories, office staff – especially now with remote ways of working, people going to the offices less. We’re saying… “What do we want to change within the organization… to drive a change in the culture?” And we were very clear that’s not a quick [fix]. We’re preparing to go on a journey and it is proving to be more complicated than we expected, but I think we’re really on a good track and we are starting to see the first results.
Before we get to those results, what are your goals?
We were looking for a way to establish some metrics and be able to measure [success]. So we started by conducting a survey among the employees. “How do you feel about your knowledge on security? Is it easy for you to find information?” And we identified some gaps both in terms of where security is perceived as too heavy or bureaucratic, and in terms of [how effectively we’re] delivering messages as well. [There were cases] where people thought they were doing well. But in fact, when you put them in a situation – “Hey… would you be sharing a password with [your boss]?” People in some cases would consider that a normal and acceptable way of behaving. So we want to measure the impact of, for example, our phishing simulations.
The second area was measuring results of security operations center incidents. But we’re not there yet.
And the third [is a security training] module. We give, every second week, a video to the people. It is one minute, they watch it, and there is a short question at the end. And then we run an assessment on the module.
We said, what are the key threats for us? We have listed eight threats based on experience, including SOC… phishing, social engineering and stuff like that. And we said, what are the key behaviors we want to measure? For example, not just not clicking [on phishing simulation emails] but also reporting incidents. How do you handle critical information, password management, handling multiple passwords?
And there were some really interesting observations.
What were some of the observations and measurable results so far?
We were training users for years on what a strong password is and to also embrace a passphrase [which is even stronger].
But when we asked them, “Can you put these passwords in order of strength?” they put as the strongest password the one which had a special character, even though it was [only] eight characters in length, instead of the one which was 16 characters. And we said… we need to do something different to change the mindset because it’s so deeply embedded that you need to have eight characters, a digit and a special character.
And as an example of improvement, I can give you results from the latest phishing simulation that we did. We did a slightly more complicated one. We tailored it – we put an old Mondelez logo [in the email]. So, our failure rate – that means people entering their credentials – was higher than the industry average.
But with the awareness campaign, we started with the Asia Pacific region. So, I would say, if the [industry failure rate] benchmark was “X percent” and our average rating was X-plus-5-percent, Asia Pacific was 30 percent lower. And it was the only region under the benchmark of the others.
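To put the password-ranking quiz described above into numbers, here is an added example (not from the article or from Mondelez) that scores passwords by brute-force search space, length × log2(pool size), where the per-class pool sizes are an assumption of the example:

```python
import math
import string

# Character classes and the pool size each adds when present in a password.
# These pool sizes model an attacker brute-forcing the whole class; they are
# an assumption of this example, not a figure from the interview.
CLASS_POOLS = {
    "lower": (set(string.ascii_lowercase), 26),
    "upper": (set(string.ascii_uppercase), 26),
    "digit": (set(string.digits), 10),
    "symbol": (set(string.punctuation), len(string.punctuation)),  # 32 symbols
}


def search_space_bits(password: str) -> float:
    """Brute-force search space in bits: length * log2(size of the pool in use).

    Only classes that actually appear in the password count toward the pool,
    so a special character helps only by widening the pool for every position,
    while each extra character multiplies the search space again.
    """
    pool = sum(size for chars, size in CLASS_POOLS.values()
               if any(c in chars for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def rank_by_strength(passwords: list[str]) -> list[str]:
    """Order passwords strongest first, as in the quiz the interview describes."""
    return sorted(passwords, key=search_space_bits, reverse=True)


if __name__ == "__main__":
    # Constructed sample: the "eight characters, a digit and a special
    # character" pattern employees rated as strongest, against a 16-character
    # lowercase passphrase with no symbols at all.
    samples = ["P@ssw0rd", "correcthorsebatt"]
    for pw in rank_by_strength(samples):
        print(f"{pw:20s} {search_space_bits(pw):6.1f} bits")
    # Caveat: this counts brute force only. A passphrase built from common
    # dictionary words is weaker than its length suggests, so passphrases
    # should be long and made of unrelated words.
```

The 16-character lowercase string scores about 75 bits against roughly 52 bits for the eight-character one, which is the point the training is trying to get across.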
Nikolay Betov, Mondelez International.
Can you explain a little more about the nature of the training videos?
It is a one-minute video, followed by a single question – pretty simple, but not always easy, and then a reference material for further reading, which is optional.
We run a new video every second week. So we have designed the program over six months during which we had 10 videos plus three assessments.
The key for me is repetition, just like you are going into a gym for practice. Often people tell us, “Even after the phishing simulation… you know what? I fell for it. And I know it. And I’m so angry at myself because all the hints were there.” And I tell them, “Look, it is a matter of practice… The more you practice, you come to know it. But when it hits you [for real], you need to have it in the back of your mind so it quickly comes to you.”
At the end of the video, [we can] personalize messages to make them relevant [to each department or location]. For instance, we can show our report phishing button… And we put in our logo and say, “This is what we need from you” – and we have translated that into six languages.
And it is not just office staff, is it? There are also manufacturing plant workers, who have very different jobs and associated cyber risks. What does their training look like?
We focus really on the areas which are impacted by human behavior – network security, relying on firewalls, NAC solutions.
For manufacturing we have identified three things: USB usage (which is widely used), software updates… and the third one is visitors and maintenance companies – those guys who are coming with their laptops, plugging into our equipment, and doing some tuning of the machines, etc. So, don’t leave them unattended, have a checkpoint on the application. Is it a trusted company? A big one like Siemens who have all the tools in place, or is it a local vendor, and he got his laptop from his brother’s shop and you don’t know what is running on it? So have a local IT guy first check it before they move on.
There is a third dimension that we consider. We call them persona groups. So we want to do a separate [awareness] focus on people with privileged access accounts and also senior executives for whaling kind of work.
Considering the current threat landscape, what are Mondelez’s top security concerns that you hope to address through not just the awareness program, but your larger cyber initiative?
Operations continuity – which includes producing the product, and reaching the shelves and the consumers – is definitely on the top list.
We make simple things – cookies and candies. We are not a typical IP company. But still, we don’t want our trade secrets, our recipes for Cadbury or for Oreos, to be circulating around, so I would also say brand protection, financial loss.
You may remember we were hit in 2017 by NotPetya, very seriously… And everybody who had been with the company at that point in time remembers what it took us to ensure continuity. Luckily for us our SAP ERP systems were running on Linux, Unix, so they were not impacted, but people were without PCs or Windows devices… This had a huge impact, and whenever we talk about the potential future it is in the back of the mind of management as well as the employees.
What is the next step? New locales? New training tools and modules?
It’s both. We have completed Asia Pacific and we have started Latin America. At the end of this month we’re doing North America, and Europe is starting a campaign with us.
After that, we want to go in depth, raising the complexity and the topics that we’re talking about, as well as penetration in the organization. We know it will not all be done in year one.