
By Leandro Zilli

It is nothing new to find articles and materials addressing how difficult it is for large corporations to understand the importance of Information Security and the benefits of investing in the area, given that it is an important ally in the fight against risks and threats.

Even with all the recent events, there are few cases in which Information Security has stopped being a mere adjunct in organizations and become part of the business strategy, attracting due attention in terms of investment and being considered in strategic planning.

For these investments to be well targeted and carried out in a structured way, assessments of the organization's Information Security controls can be performed periodically, showing the current scenario and which actions should be treated as priorities. Actions such as awareness training or improvements to Information Security controls can be considered part of these investments and, if well structured, can be carried out with internal staff, generating significant results without requiring large investments.

Even so, it is common to see companies making large investments in high-value tools without the proper preparation or structure, or the opposite scenario, investing little or almost nothing in Information Security and leaving their structure, and even the future of their business, to luck.

Information Security maturity encompasses several concepts, including making investments coherently, with clear, tangible objectives that provide for the improvement of Information Security controls. Capacity and resilience must be present, since changes often generate impacts and push people out of their comfort zone, and the support of top management is indispensable for building and maintaining this “maturity”.

Forecasts and events

As for market forecasts and expectations, the insurance company Allianz carried out a survey between October and November 2021 in which Brazilian entrepreneurs pointed to cyber attacks as one of the main risks for business in 2022; for the 2nd consecutive year in this survey they were the main cause of concern, followed by natural disasters and other risks such as a lack of inputs in the supply chain. The COVID-19 pandemic, which was in third place in 2021, fell to sixth place, with the adaptation of organizations to the health crisis, even amid so many difficulties still present, being one of the main reasons for this “fall” in the ranking.

When it comes to cyber attacks, ransomware stands out, due to its impact and because it takes advantage of weaknesses in organizations' infrastructure and of techniques such as social engineering. Since the worldwide WannaCry attack of May 2017, this type of attack has grown exponentially and reaches companies of any kind, which shows the audacity and technical capacity of cybercriminals.

According to the annual report by Apura Cyber Intelligence, “2021 The Year in Summary”, ransomware appears as the biggest cybercrime threat in Brazil, followed by DDoS and phishing, mainly taking into account the July 2021 “Ransomware on the Darkweb” report, which tracked the evolution of published attacks on Brazilian companies between January 2021 and July 2021.

The same report contains important information about 2021, such as the cases of Brazilian organizations that suffered ransomware attacks, the percentages of the main cyberterrorist groups that attacked most in Brazil, and the most targeted sectors, such as government institutions, industry and healthcare, although all companies are subject to any type of attack.

The central point is that two factors contribute to the growth of these attacks: high profitability, through ransom payments, and, of course, the ease with which cyberterrorist groups execute these and other types of attacks.

To contextualize and corroborate this understanding, according to the FortiGuard Labs publication on threats in Latin America and the Caribbean in its fourth-quarter 2021 report, based on the network of devices protected by Fortinet, in 2021 Brazil alone suffered more than 88 billion attack attempts, second only to Mexico. This number is 950% higher than in 2020. Attack attempts are defined through the AntiMalware, Intrusion Prevention System and Antibotnet mechanisms.

In addition to these numbers, Brazil was involved in another worrying statistic, having suffered around 500 billion attempted DDoS (Distributed Denial of Service) attacks, with emphasis on the attack that took place in July 2021 through a variant of the Mirai botnet (a threat aimed at IoT devices). In this action, several DDoS attacks were carried out, reaching impressive numbers at different times, with peaks ranging from 1 to 1.2 Tbps of traffic, and almost 10% of this attack was directed at Brazil, considered one of the main targets.

What to do?

Organizations can implement good Information Security practices based on the 3 pillars: people, processes and technology.

Processes guide people in performing tasks properly. Information Security documents, for example, must be published, implemented and continuously monitored, so that their effectiveness is measured and periodic reviews assess possible updates and improvements that meet the needs of the company or the market.

For processes to be understood and executed in the best way, people need to undergo regular training. A process is visibly better executed where people understand its purpose, its importance and the impacts if it is not executed well.

With understood processes and trained people, technology ends up being well used throughout the organization, creating a cycle in which this triad is completed: people execute processes, which are supported by technology.

Other processes that promote continuous improvement are periodic reviews (at intervals of up to 12 months) of documents such as policies, procedures and standards, tabletop exercises involving the areas of the organization, and simulations that can identify efficiency and points of improvement in processes such as the Business Continuity Plan, Disaster Recovery Plan, Failover Management, Incident Response, etc.

Other processes are regular and should be part of the teams' routines, such as Patch Management and Vulnerability Management. The latter is more effective if fixes are first applied in an approval environment and, as soon as they have been tested and approved, applied gradually in the production environment, starting with the least critical assets and moving to the most critical.
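As an added illustration of that staged rollout (example code, not part of the original article or SAFEWAY's own material): a small Python planner that keeps production waves empty until the fix has been approved in the staging environment and then orders the waves from the least to the most critical asset tier. The asset names, criticality tiers and fix id are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Added example (not from the original article): a planner for the staged
# patch rollout described above. A fix must be tested and approved in the
# approval (staging) environment before any production wave is scheduled;
# production assets are then patched in waves from the least critical tier
# to the most critical. All asset names, tiers and fix ids are constructed.

@dataclass(frozen=True)
class Asset:
    name: str
    environment: str   # "staging" (approval environment) or "production"
    criticality: int   # 1 = lowest business impact ... 5 = highest

@dataclass
class RolloutPlan:
    fix_id: str
    staging: List[Asset]                                    # patched and tested first
    waves: List[List[Asset]] = field(default_factory=list)  # production, least critical first

def plan_rollout(fix_id: str, inventory: List[Asset], approvals: Dict[str, bool]) -> RolloutPlan:
    """Build the rollout plan for one fix; production waves stay empty until staging approves it."""
    staging = [a for a in inventory if a.environment == "staging"]
    production = [a for a in inventory if a.environment == "production"]
    if not staging:
        raise ValueError("no approval environment: the fix cannot be tested before production")
    plan = RolloutPlan(fix_id=fix_id, staging=staging)
    if not approvals.get(fix_id, False):
        return plan  # gate: untested or unapproved fixes never reach production
    for tier in sorted({a.criticality for a in production}):
        wave = sorted((a for a in production if a.criticality == tier), key=lambda a: a.name)
        plan.waves.append(wave)
    return plan

def wave_names(plan: RolloutPlan) -> List[List[str]]:
    """Asset names per production wave, in deployment order."""
    return [[a.name for a in wave] for wave in plan.waves]

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Asset("stg-web-01", "staging", 1),
    Asset("erp-db-01", "production", 5),
    Asset("kiosk-07", "production", 1),
    Asset("hr-app-02", "production", 3),
    Asset("kiosk-03", "production", 1),
]

if __name__ == "__main__":
    print(wave_names(plan_rollout("FIX-0001", SAMPLE_INVENTORY, {})))                 # []
    print(wave_names(plan_rollout("FIX-0001", SAMPLE_INVENTORY, {"FIX-0001": True})))
```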

Finally, other processes may be considered, but the important thing is that the Information Security Program is continuously improved, for example through the PDCA cycle.

With a well-managed environment, through solid Information Security practiced in all layers and operations, an Information Security certification can be sought to consolidate and demonstrate to the market that the organization has well-developed Information Security controls and processes implemented.

Final considerations

Considering the survey by the insurance company Allianz already mentioned in this article, new risks emerged in the 2022 ranking, one of them being the “loss of reputation or brand value”.

It is clear that the work to be carried out is extensive and continuous, through improvements and the involvement of everyone in the organization, but when an organization understands that Information Security is not just an investment, it understands that the most significant impact on its business is the loss of its customers' trust.

Through all this investment and effort, a positive impact on the market can be generated by building a good reputation: customers have the trust needed to invest in the organization, consume its products or even share their data, depending on the segment in which the organization operates, certain that the organization cares about Information Security controls.

Information Security should no longer be seen as synonymous with a negative experience, but as a perception of protection.

– Leandro Zilli is a GRC Consultant at [SAFEWAY]

How can we help?

SAFEWAY is an Information Security consulting company recognized by its clients for offering high value-added solutions through projects that fully meet the needs of the business. In 14 years of experience, we have accumulated several successful projects that have earned us credibility and prominence with our clients, who largely make up the 100 largest companies in Brazil.

Today, through 25 strategic partnerships with global manufacturers and our SOC, SAFEWAY is considered a one-stop shop with the best solutions in technology, processes and people. We have both the technical skills and the experience necessary to assist your company in structuring controls and preparing the environment for the implementation of an ISMS, SGS or SGCN and, consequently, certification of operations, services or companies to the ISO 27001, ISO 20000 or ISO 22301 standards.

To support companies in this process of evaluation and adaptation to the requirements of the LGPD, [SAFEWAY] has in its portfolio of services the Cybersecurity Health Check, whose objective is to diagnose the Cybersecurity, Information Security and Data Privacy controls implemented in your company, covering the pillars of Processes, People and Technology.

Through the Cybersecurity Health Check, risks associated with information security and the privacy of internal processes and activities are identified, and existing and new controls are evaluated according to the size of your organization to increase the level of maturity and compliance, in accordance with good information security practices. If you would like more information, contact one of our experts!