The 2017 NotPetya supply-chain wiper attack hit $26.6 billion global food company Mondelez International hard, sidelining Windows-based computers and disrupting its distribution.
Sure, APT attacks can be destructive and even deadly, but denying the world their Oreo cookies is just plain cruel. Indeed, Nikolay Betov, information security officer at Mondelez, told SC Media that this event “changed everything.”
But take heart, snack lovers. Mondelez has embarked on a new security awareness initiative designed to promote cyber hygiene best practices inside both its offices and its production plants, hopefully reducing the efficacy of whatever the next big attack is. This global initiative will expose employees to short but impactful video-based lessons produced by security awareness firm AwareGO on topics such as phishing, data leaks, Microsoft Office security and Zoom bombing. Then Betov's team tests workers with phishing simulations and assessment questions to see if the lessons are retained.
With 42,000 employees and a large contingent of contractors working in offices and manufacturing sites all over the globe, Mondelez must design a training program that speaks to different cultures, languages and business units.
SC Media interviewed Betov to get an insider's view of the three-year program, which in its first six months is already yielding measurable results. Working out of Slovakia, Betov has been a stalwart at the company for 22 years, starting as network administrator when the company was known as Kraft Foods, and growing with the food giant as it assembled a powerhouse roster of ubiquitous brands including Oreo, Chips Ahoy!, Ritz, Cadbury, Halls, Trident and more.
Fill us in on your background.
I started as a network administrator and worked up to different roles. I was fortunate to have many roles, as Mondelez is a company that grew through acquisitions.
I joined information security in 2015… The area was really exciting and growing – and it grew even faster after that. At the moment, I'm responsible for governance and awareness, and as a side job I do identity and access management, which we transitioned into security. So, the main objectives for me are policies, standards, outlining control objectives, and rolling out to the organization and the rest of the architects who are building it. And then on the awareness front, it is building and propagating a security culture within the enterprise.
What prompted the decision to revitalize your security awareness program?
We have had security awareness for years. That's not a new thing for Mondelez. But it was traditional, compliance-based, once a year: You’ll go to a 40-minute training, you’ll click that you'll comply with X, Y, Z; it’s talking mainly policies and what the company expects from the employees.
So I took over this area in June last year [as part of a cybersecurity program] which includes multiple elements, including upgrading our security operations center with new technologies, risk management, data protection programs and [a strong emphasis on] awareness – because… you need really to get people to understand and to practice something in order to behave [properly] in a critical situation.
So we are looking at how we can really connect with this broader workforce that we have, with distributed factories, office workers – especially now with remote ways of working, people going to the offices less. We’re saying… "What do we need to change inside the organization… to drive a change in the culture?" And we were clear that's not a quick [fix]. We’re preparing to go on a journey and it is proving to be more difficult than we anticipated, but I think we're really on a good track and we're starting to see the first results.
Before we get to those results, what are your objectives?
We were looking for a way to build some metrics and be able to measure [success]. So we started by conducting a survey among the employees. “How do you feel about your knowledge on security? Is it easy for you to find information?” And we identified some gaps both in terms of where security is perceived as too heavy or bureaucratic, and in terms of [how effectively we’re] delivering messages as well.
[There were instances] where people thought they were doing good. But actually, when you put them in a scenario – “Hey… would you be sharing a password with [your boss]?” People in some cases would consider that a normal and acceptable way of behavior. So we want to measure the impact of, for example, our phishing simulations.
The second area was measuring results of security operation center incidents. But we're not there yet.
And the third [is a security training] module. We give, every second week, a video to the people. It’s one minute, they watch it, and there is a short question at the end. And then we run an assessment on the module.
We said, what are the key threats for us? We have listed eight threats based on experience, including SOC… phishing, social engineering and stuff like that. And we said, what are the key behaviors we want to measure? For example, not just not clicking [on phishing simulation emails] but also reporting incidents. How do you handle critical information, password management, dealing with multiple passwords?
And there were some really interesting observations.
What have been some of the observations and measurable results so far?
We were training users for years on what a strong password is and to also embrace a passphrase [which is even stronger.]
But when we asked them, “Can you place these passwords in order of strength?” they put as the strongest password the one which had a special character, even though it was [only] eight characters in length, instead of the one which was 16 characters. And we said… we need to do something different to change the mindset because it's so deeply embedded that you need to have eight characters, a digit and a special character.
And as an example of improvement, I can give you results from the latest phishing simulation that we did. We did a bit more difficult one. We tailored it – we put an old Mondelez logo [in the email.] So, our failure rate – that means people entering their credentials – was higher than the industry average.
But with the awareness campaign, we started with the Asia Pacific region. So, I would say, if the [industry failure rate] benchmark was “X percent” and our average rating was X-plus-five-percent, Asia Pacific was 30 percent lower. And it was the only region below the benchmark of the others.
Can you explain a little more about the nature of the training videos?
It is a one-minute video, followed by a single question – very simple, but not always easy, and then a reference material for further reading, which is optional.
We run a new video every second week. So we have built the program over six months during which we had 10 videos plus three assessments.
The key for me is repetition, just like you're going into a gym for practice. Often people tell us, “Even after the phishing simulation… you know what? I fell for it. And I know it. And I'm so angry at myself because all the hints were there.” And I tell them, “Look, it's a matter of practice… The more you practice, you seem to know it. But when it hits you [for real], you need to have it in the back of your mind so it quickly comes to you.”
At the end of the video, [we can] customize messages to make them relevant [to each department or location]. For example, we can show our report phishing button… And we put in our logo and say, “This is what we need from you” – and we have translated that in six languages.
And it’s not just office workers, is it? There are also manufacturing plant employees, who have very different jobs and associated cyber risks. What does their training look like?
We focus really on the areas which are impacted by human behavior – network protection, relying on firewalls, NAC solutions.
For manufacturing we have identified the three things: USB usage (which is widely used), software updates… and the third one is visitors and maintenance companies – these guys who are coming with their laptops, plugging into our equipment, and doing some tuning of the machines, etc. So, don't leave them unattended, have a checkpoint on the software. Is it a trusted company? A big one like Siemens who have all the tools in place, or is it a local vendor, and he got his laptop from his brother's shop and you don't know what is running on it? So have a local IT guy first check it before they move on.
There is a third dimension that we consider. We call them persona groups. So we want to do a separate [awareness] focus on people with privileged access accounts and also senior executives for whaling type of conduct.
Considering the current threat landscape, what are Mondelez’s top security concerns that you hope to address through not just the awareness program, but your greater cyber initiative?
Operations continuity – which includes manufacturing the product, and reaching the shelves and the consumers – is really on the top list.
We make simple things – cookies and sweets. We are not a typical IP company. But still, we don't want our trade secrets, our recipes for Cadbury or for Oreos, to be circulating around so I would also say brand protection, financial loss.
You may recall we were hit in 2017 by NotPetya, very seriously… And everyone who had been with the company at that point in time remembers what it took us to ensure continuity. Luckily our SAP ERP systems were running on Linux, Unix, so they were not impacted, but people were without PCs or Windows devices... This had a massive impact, and whenever we talk about potential future it's in the back of the mind of management as well as the employees.
What’s the next step? New locales? New training tools and modules?
It’s both. We have done Asia Pacific and we have started Latin America. At the end of this month we're doing North America, and Europe is starting a campaign with us.
After that, we want to go in depth, raising the complexity and the topics that we're discussing, as well as penetration in the organization. We know it will not all be done in the year one.