In its quest to infuse security across its enterprise, US$ 82.8 billion (£62.2 billion) supermarket operator Ahold Delhaize has determined that the employees who engage in the riskiest cyber-behaviour tend to be sales and marketing professionals, high-level executives and, most surprisingly, millennials, according to the company's global CISO Carolyn Schreiber.
As companies strive to educate their employees about cyber-awareness, it can be important to identify common traits among workers who are most likely to open a spam email, click on a malicious link or be victimised by ransomware campaigns and other cyber-attacks. Schreiber addressed the concept of victim profiling, and how to steer employees toward more responsible behaviour, in a ransomware-themed session at SC Media's 2018 RiskSec NY conference.
Ahold, which operates 21 food chains across 11 countries and collectively employs more than 375,000 associates, conducts periodic internal phishing simulation campaigns to identify workers who fall for such scams, and uses analytics to interpret the results. The Netherlands-based company then attempts to correct dangerous behaviour with interpersonal dialogue, educational programmes and corrective training, rather than stern punishments. Even some executive-level employees had to go through training after failing the company's phishing tests, Schreiber noted.
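The analytics step described above, as an added illustration that is not Ahold's own tooling: simulated-phishing results are aggregated by role and cohort to find the groups with the highest click rates, and repeat clickers across campaigns are listed as candidates for follow-up training rather than punishment. The records, field names and thresholds are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of internal phishing-simulation results (not real data).
# One record per recipient per campaign: role, generational cohort, whether the
# lure was clicked, and whether the recipient reported the message instead.
SIMULATION_RESULTS = [
    {"campaign": "c1", "user": "u001", "role": "sales",     "cohort": "millennial", "clicked": True,  "reported": False},
    {"campaign": "c1", "user": "u002", "role": "sales",     "cohort": "genx",       "clicked": True,  "reported": False},
    {"campaign": "c1", "user": "u003", "role": "exec",      "cohort": "boomer",     "clicked": True,  "reported": False},
    {"campaign": "c1", "user": "u004", "role": "it",        "cohort": "millennial", "clicked": False, "reported": True},
    {"campaign": "c1", "user": "u005", "role": "finance",   "cohort": "genx",       "clicked": False, "reported": False},
    {"campaign": "c1", "user": "u006", "role": "marketing", "cohort": "millennial", "clicked": True,  "reported": False},
    {"campaign": "c2", "user": "u001", "role": "sales",     "cohort": "millennial", "clicked": True,  "reported": False},
    {"campaign": "c2", "user": "u002", "role": "sales",     "cohort": "genx",       "clicked": False, "reported": True},
    {"campaign": "c2", "user": "u003", "role": "exec",      "cohort": "boomer",     "clicked": False, "reported": False},
    {"campaign": "c2", "user": "u004", "role": "it",        "cohort": "millennial", "clicked": False, "reported": True},
    {"campaign": "c2", "user": "u005", "role": "finance",   "cohort": "genx",       "clicked": False, "reported": False},
    {"campaign": "c2", "user": "u006", "role": "marketing", "cohort": "millennial", "clicked": True,  "reported": False},
]


def click_rate_by(records, key):
    """Return {group: click_rate} where group is the value of `key` (e.g. 'role')."""
    clicked = defaultdict(int)
    total = defaultdict(int)
    for r in records:
        total[r[key]] += 1
        if r["clicked"]:
            clicked[r[key]] += 1
    return {g: clicked[g] / total[g] for g in total}


def riskiest_groups(records, key, threshold):
    """Groups whose click rate is at or above `threshold`, highest first."""
    rates = click_rate_by(records, key)
    return sorted(
        ((g, rate) for g, rate in rates.items() if rate >= threshold),
        key=lambda item: item[1],
        reverse=True,
    )


def repeat_clickers(records, min_clicks=2):
    """Users who clicked in at least `min_clicks` campaigns -> follow-up training candidates."""
    clicks = defaultdict(set)
    for r in records:
        if r["clicked"]:
            clicks[r["user"]].add(r["campaign"])
    return {u: len(c) for u, c in clicks.items() if len(c) >= min_clicks}


def report_rate(records):
    """Share of lures that were reported: a positive metric worth tracking alongside clicks."""
    if not records:
        return 0.0
    return sum(1 for r in records if r["reported"]) / len(records)


if __name__ == "__main__":
    for key in ("role", "cohort"):
        print(f"highest-risk {key}s:", riskiest_groups(SIMULATION_RESULTS, key, threshold=0.5))
    print("repeat clickers (training follow-up):", repeat_clickers(SIMULATION_RESULTS))
    print(f"overall report rate: {report_rate(SIMULATION_RESULTS):.0%}")
```

Tracking the report rate next to the click rate matters in practice: a campaign where clicks fall but reports do not rise usually means people are ignoring mail rather than learning to recognise a lure.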
"What I say at my company is that we have strong retailing DNA, and we're trying to add a cyber-gene, integrate it right into the overall DNA to make us stronger, to be a little bit more resilient in the environment and to be more savvy," said Schreiber.
Schreiber said sales and marketing professionals tend to be cyber-risk-prone because they're "very focused on the customer and just less focused on data protection." Millennials, on the other hand, tend to be more cyber-aware, yet still engage in risky behaviour, perhaps because they are too comfortable with the digital lifestyle.
"It's just their mindset is very open and transparent, so they're digitally savvy, but I think their boundaries are different," said Schreiber.
To make its employees more risk-averse, Ahold trains them to examine unsolicited emails thoughtfully before opening them, and explains that responsible cyber-behaviour can benefit workers not just on the job but in their day-to-day personal and family lives.
The company also formed a "millennial board" composed of young influencers within the organisation, with whom more experienced executives can discuss various business issues, including cyber-awareness.
"Millennials have plenty to offer, and we shouldn't be afraid of that," said Schreiber, adding that a diverse blend of younger and older employees "is where you get the best ideas and cross pollinate some basic safety [concepts] in cyber."