
São Paulo/SP – January 2, 2023. Through Information Security training, it is possible to engage employees in avoiding risks by demonstrating that everyone is a fundamental part of an SGSI (Information Security Management System).

By Leandro Zilli

We live in a time when the growing wave of attacks and cyber threats is visible, and since the pandemic these threats have become one of the biggest concerns of Brazilian companies. Proof of this is the survey carried out by the insurer Allianz between October and November 2021, in which Brazilian business leaders pointed to cyber attacks as one of the main risks for business in 2022. For the 2nd consecutive year, cyber attacks were the main concern of companies in this survey, surpassing even the COVID-19 pandemic itself, which came in sixth place.

Even with the adoption of protective devices, it is known that cyber risks will always be present and that technical and administrative measures must be taken constantly. This demonstrates the importance of Information Security and its role in protecting the company's image and reputation; after all, beyond the fear of data being leaked, trustworthiness has become one of the main factors in the customer relationship.

TRAINING AND AWARENESS IN INFORMATION SECURITY:

A common phrase in the world of Information Security is “The weakest link in the cybersecurity chain is the human being”. The sentence is not always phrased this way, but the meaning is the same.

In view of this, a very important factor that companies should consider in their annual Information Security planning is training and awareness campaigns for employees. Through training, it is possible to engage employees in avoiding risks by demonstrating that everyone is a fundamental part of an SGSI (Information Security Management System).

Making employees aware of the processes related to Information Security allows them to understand their role and responsibilities, reinforcing the precautions that must be taken both inside and outside the company.

RELATIONSHIP WITH LGPD:

Considering that Information Security actions and measures to prevent leaks of strategic or confidential information are not tied exclusively to the use of technological resources, such as smartphones and corporate systems, the LGPD (Lei Geral de Proteção de Dados, Brazil's General Data Protection Law) brings an important point about data protection: the role of the DPO (Data Protection Officer), whose duties include “guiding the entity's employees and contractors regarding the practices to be adopted in relation to the protection of personal data” (Article 41).

According to the SonicWall Cyber Threat Report of July 2022, compiled by SonicWall Capture Labs, global malware volume increased by 11%. Although the increase was most pronounced in Europe, Brazil is in the top 10 of this list, occupying second place, behind only the United States.

These factors reinforce that building an Information Security culture must be treated as a long-term investment, one that requires constant effort to maintain and grow, with periodic reviews of asset protection controls and of training.

What to consider in Awareness Campaigns?

The first initiative may be to “look inside the house”. It is essential to address and disseminate the Information Security good practices and policies already present in the company, allowing employees to understand their role and the importance of their participation in these initiatives.

A relevant topic for Information Security training, falling under both “basic subjects to be addressed” and “global cyber threat trends”, is the safekeeping and use of passwords for access credentials (e-mail, corporate systems, VPN, etc.). According to the 2022 NordPass report, which surveyed the 200 most common passwords, most of the top 10 passwords in the report could be “cracked” in less than 1 second.

In addition to sizing and planning the Information Security Program, it is necessary to identify which relevant subjects/topics and which tools should be considered, such as ready-to-use interactive platforms that cover the main Information Security subjects or that allow customization.

Another trend with good uptake, given its dynamics and acceptance by employees, is the concept of gamification, which can be understood as the “…use of concepts related to the universe of games…” or “…applying game elements in contexts outside of leisure…”. Its steps are the invitation to participate (the experience and expectations for the participant), rules, goals, feedback and rewards.

Regardless of the format and approach used, training must generate assertive reports that allow the identification of adherence and of actions that need greater attention, for example cases of low scores, where a differentiated approach is needed to close the identified gap.

FINAL CONSIDERATIONS:

It is a fact that people's instinct is to try to “bypass” the controls in place, often thinking that the easiest way is the least bureaucratic, without taking into account the risks that could compromise the CIA triad (Confidentiality, Integrity and Availability). Information Security training should therefore not be based only on the use of protective devices to mitigate risks; it is essential that an Information Security culture is present in organizations, which, as seen throughout this text, is possible through training and raising employees' awareness of the importance they have in an effective ISMS.

— Leandro Zilli is a GRC Consultant at Safeway

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, the certification of operations, services or companies to the ISO27001, ISO20000 or ISO22301 standards.

To support companies in this process of evaluation and adaptation to the requirements of the LGPD, SAFEWAY has in its portfolio of services the Cybersecurity Health Check, whose objective is to carry out a diagnosis of the Cybersecurity, Information Security and Data Privacy implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with the information security and privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization, in order to raise the level of maturity and compliance in accordance with good information security practices. If you would like more information, contact one of our experts!