19/01/2022 - General

Posted by: SC Inova Newsroom.
A common behavior among companies and organizations that hold data whose compromise could cause financial or reputational damage is that, when they learn of a cyberattack, they rush to implement internal changes or acquire "miraculous" solutions that promise to minimize the damage of an eventual ransomware attack. This may be better than taking no action at all, but it is far from the ideal and expected behavior of those for whom technology is an indispensable tool of their work.
This attitude was confirmed by two recent studies which, when analyzed together, give a sense of the size of the problem: Brazil is the 5th largest global target of hacker attacks on companies, according to the consultancy Roland Berger. According to Deloitte, 90% of companies that have suffered digital attacks made investments in security after being targeted.
The "putting out fires" attitude is not the most appropriate, and a very simple fact shows why: it does not prevent the damage from happening. By the time action is taken, the data is already in the hands of cybercriminals and, in some cases, the only way out is to pay a ransom for the information. In addition, the financial impact of an emergency action tends to be much greater than that of regular preventive investment in educational actions and in protecting data and applications.
But there are other scenarios that, while not considered ideal, are not uncommon in the Brazilian corporate environment, such as implementing measures after the General Data Protection Law (LGPD) came into force. For cloud storage specialist Marcos Stefano, CEO of Armazém Cloud, “cybersecurity as compliance with a legal obligation can even help in very specific situations, but it ends up masking the size of the imminent problem and deceiving business executives, who think they are protected”.
According to the Cybersecurity Brasil 2021 study, prepared by Embratel and published in the special end-of-year edition of the MIT Technology Review, the path to cyber-resilience involves investments of many kinds aimed at digital security. The data were drawn from a series of qualitative interviews with 218 companies from different sectors, from agriculture to financial services. On average, they invested around BRL 1.7 million in security over the last year, but that did not prevent 46.4% of them from suffering losses of between BRL 50,000 and BRL 2.9 million due to digital crimes.
“Perhaps there was a lack of greater attention to perennial policies of information dissemination, training and the implementation of a proactive culture of risk minimization”, says Stefano, “since only 7.9% of the companies interviewed said they maintain educational projects in cybersecurity. The more democratized the topic, the less of a taboo it is and the easier it will be to involve all employees”, the expert adds.
HACKER ATTACKS ON ORGANIZATIONS: IT IS NOT IF IT WILL HAPPEN, BUT WHEN
One of the survey's findings indicates that CISOs (Chief Information Security Officers) and CTOs (Chief Technology Officers) need to help CEOs (Chief Executive Officers) understand the value of investing in cybersecurity. If this does not happen, it will be difficult to count on a truly substantial budget for long-term actions to be implemented.
Some of the experts consulted in the survey say that executives and experts in digital security should be an indispensable presence in bodies such as the board of directors itself. For EY's lead cybersecurity partner for Brazil and South America, Demétrio Carrion, it is not enough for the professional to advise; he needs to share his knowledge and inform decisions about cyber risks.
EY itself found that this is not always the reality, and the result shows in the numbers: companies that participated in the survey had annual revenues of, on average, US$ 11 billion, but invested just under US$ 5.3 million each in cybersecurity, which corresponds to 0.05%.
Stefano, from Armazém Cloud, says that low information security budgets are usually justified by the lack of support from CEOs. “The narrative that, in cybersecurity, prevention is much cheaper than cure is not always well constructed. We need to convey knowledge directly, using the same language as executives, and make them realize how much money pre-attack solutions will cost and what amount will go down the drain if the criminal action takes place. Not to mention that, sometimes, the reputational stain is much more serious than the financial loss”, he explains.
ACCULTURATING THE INTERNAL AUDIENCE: ESSENTIAL FOR A PROACTIVE STRATEGY
The Cybersecurity Brasil 2021 survey also investigated the nature of the attacks identified by the organizations interviewed: 56% of them were phishing and another 22.6% used social engineering techniques. Both categories are considered by experts to be avoidable risks.
The strategy behind this type of criminal attempt is to obtain confidential information through fake messages designed to hook the reader and trick them into clicking on a malicious link. With remote work adopted by numerous companies and institutions in the wake of the changes brought about by the pandemic, this type of content can claim more victims, especially if it comes disguised as a message from the CEO or a co-worker whose authenticity cannot be verified.

With this in mind, Stefano advises on the need for permanent work with all employees of the organizations. The idea, according to him, is not to turn them into experts in digital security, but to make them more attentive to the patterns of the “offers” made by cybercriminals, so that the first shield is a human non-action.
– If someone receives a suspicious message and knows the risks it can pose to company data, customers or the public that relates to the institution, the chances that this person will click on any link or respond to a request contained in the message (a call-to-action) are practically non-existent – he says. He adds by reinforcing the importance of employees knowing the tools they use and being positive vectors of safe practices in the virtual environment.
Investment in training programs, so that users of company systems know which processes to execute in the face of a threat, makes a relevant contribution to maintaining secure environments within organizations. Together with a routine of periodically applied tests and risk simulations, they make up a method that contributes significantly to the prevention of attacks.
STRATEGIC PARTNERSHIPS CAN ACCELERATE THE ACCULTURATION PROCESS
The actions implemented within organizations should not be isolated. A cyber-resilient culture starts with employee training and the definition of first-level measures, goes through the availability of network protection services and adequate infrastructure to prevent the exploitation of vulnerabilities, but must extend to everyone related to the business.
This involves hiring suppliers that are aligned with the goal of ensuring digital security internally, so that protection is not reduced to isolated “one-off protections”. In other words, everyone who is going to work with the data must take care of its security, so that it does not fall into the wrong hands at any point in the chain.
– Choosing strategic suppliers, who observe all security issues and understand the importance of security actions, is essential to ensure the tranquility of the work carried out. Cloud computing and its various layers of protection, combined with the service provided by qualified teams, is a vital guarantee of the peace of mind of companies dealing with digital assets that cannot be lost, damaged or used by criminals to extort money – concludes Stefano.
Finally, the outlook for the coming years is, according to the consultancy Gartner, positive: by 2024, 60% of CISOs will partner with marketing, sales and finance executives, considering that these are important areas for contributing to the mission of protecting the business. It is also expected that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee overseen by a qualified member. This will be an important advance, considering that today less than 10% of institutions have something like this.