A shared responsibility

Global Technology
McDonald’s Technical Blog
Oct 26, 2023

Robust education and engagement offerings are helping McDonald’s employees do their part in cultivating a cyber safe culture.

This month marks Cybersecurity Awareness Month, an entire month dedicated to raising awareness about the importance of cybersecurity. McDonald’s Technical Blog is focusing its content during October on cybersecurity topics.

by Andrew Munson, Senior Manager, Global Technology Risk Management

“McDonald’s is a people business.”

Ray Kroc shared those words decades ago, and they still resonate today. Cyberattacks often target people, and as advances in technology and digital innovation continue to change the way we live, work, and play, our people need to know about cybersecurity and safety. That’s exactly why people are at the center of McDonald’s cybersecurity strategy.

Many data breaches involve a human element. This means that McDonald’s people should be on the offensive when it comes to cyber — we all need to know how cyberattacks work and what we can do to help prevent them.

At McDonald’s, cybersecurity is a shared responsibility between the Global Technology Risk Management (GTRM) team and each employee. Because cyberattacks can happen to anyone, we created a training-and-awareness program for all of our employees, regardless of location, role, or title. All of us need the knowledge, skills, and confidence to protect ourselves and the McDonald’s brand from cyber threats.

Building muscle memory
McDonald’s employees complete an online foundational cyber training, but we know that it takes more than that to make a cyber-safe mindset second nature.

Email phishing remains one of the top cyber risks across the globe. More specifically, one type of phishing, called Business Email Compromise (BEC), resulted in collective adjusted losses of over $2.7 billion across companies of all sizes. In a BEC attack, a scammer uses email to trick a company into sending money or divulging confidential information by making the request appear to come from a known source, like a supplier with whom regular wire transfer payments occur. That is unexpected financial loss for people and companies.

At McDonald’s, we mimic BEC attacks in a phishing simulation program, which sends out simulated phishing emails to employees. Like actual phishing attempts, the simulations look like real emails and are an opportunity for our people to practice identifying these types of threats in a safe and interactive environment. The program helps to prepare them to recognize the real thing.

One size doesn’t fit all
At a global company like ours, the cyber trends may vary across geographies.

The GTRM team offers customized training experiences that meet the diverse needs of our global organization.

We empower local market teams around the world with the capability to deliver their own local-language phishing exercises that reference regional interests. This local flair reflects the methods of real email attacks, augments our global phishing simulation program, and engages our global organization in cybersecurity training.

It’s not just different localities that have different needs.

Various internal departments are more susceptible to certain types of threats than others and require different cyber skills to combat the unique cyber threats that they may encounter. For instance, many cybercrimes are financially motivated. Teams that manage a lot of financial transactions need more tailored cyber training experiences so they can protect themselves, enabling them to focus on achieving their important mission.

Impactful results
Since launching our core training and awareness program, employees have received over two million simulated phishing emails and reduced our enterprise click rates by nearly 10%. Fewer employees are entering credentials on fake websites, and more people are proactively reporting suspicious emails.

Our people are making a difference.

In cybersecurity, we often say it only takes one. One second to crack a password. One person to click a link and infect your computer. One second to lose your identity.

But at McDonald’s, we say it takes all. It takes all of us to protect and secure our iconic brand and our personal online safety, and it’s why we will continue to prioritize a comprehensive cyber education and awareness program for all employees.
