Ahold Delhaize's global CISO Carolyn Schreiber (center) speaks at RiskSec NY alongside Steve Bongardt, president of The Gyges Group, and Teri Robinson, executive editor at SC Media.

In its quest to infuse security across its enterprise, $82.8 billion supermarket operator Ahold Delhaize has determined that the employees who engage in the riskiest cyber behavior tend to be sales and marketing professionals, high-level executives and, most surprisingly, millennials, according to the company's global CISO Carolyn Schreiber.

As companies strive to educate their employees about cyber awareness, it can be important to identify common traits among the workers most likely to open a spam email, click on a malicious link or fall victim to ransomware campaigns and other cyberattacks. Schreiber addressed the concept of victim profiling, and how to steer employees toward more responsible behavior, in a ransomware-themed session at SC Media's 2018 RiskSec NY conference.

Ahold, which operates 21 food chains across 11 countries and collectively employs more than 375,000 associates, conducts periodic internal phishing simulation campaigns to identify workers who fall for such scams, and uses analytics to interpret the results. The Netherlands-based company then attempts to correct dangerous behavior with interpersonal dialogue, educational programs and corrective training, rather than stern punishments. Even some executive-level employees had to go through training after failing the company's phishing tests, Schreiber noted.

"What I say at my company is that we have strong retailing DNA, and we're trying to add a cyber gene, integrate it right into the overall DNA to make us stronger, to be a little bit more resilient in the environment and to be more savvy," said Schreiber.

Schreiber said sales and marketing professionals tend to be cyber risk-prone because they're "very focused on the customer and just less focused on data protection." Millennials, on the other hand, tend to be more cyber aware, yet still engage in risky behavior, perhaps because they are too comfortable with the digital lifestyle.

"It's just their mindset is very open and transparent, so they're digitally savvy, but I think their boundaries are different," said Schreiber.

To make its employees more risk-averse, Ahold trains them to examine unsolicited emails carefully before opening them or acting on their contents, and explains that responsible cyber behavior benefits workers not just on the job but in their day-to-day personal and family lives.

The company also formed a "millennial board" made up of young influencers within the organization, with whom more experienced executives can discuss various business issues, including cyber awareness.

"Millennials have plenty to offer, and we shouldn't be afraid of that," said Schreiber, adding that a diverse blend of younger and older employees "is where you get the best ideas and cross-pollinate some basic safety [concepts] in cyber."