Security in home office times: it's not just about computers, it's about human behavior

July 7, 2020
(*) By Claudinei Vieira

“Everything threatens those who do not defend themselves” - inspired by Raul Pompéia (O Ateneu) 

Who were we in the pre-pandemic moment? Little human beings enjoying the post-carnival hangover, distant and insensitive to the chaos that Covid-19 was already causing in Asia and Europe, companies anxious to close the first-quarter 2020 turnover, and the home office, well… few using it a lot, many using it a little… only a few fans and some companies still trying to surrender to the practice of the "new way of working". Home office was viewed with suspicion. It was a practice for hipsters, or for moms and dads who chose to take care of their kids and cats. Or even for those who could no longer stand the traffic and public transport of large cities. Working from home was not well regarded by the old guard of the corporate world.

Still in the pre-pandemic moment: a year of Olympics, elections, the LGPD coming into effect in August, resumption of growth, a decrease in unemployment and the beautiful world of Pollyanna.

And here comes the week of March 22, 2020, like a wild steed, breaking all the fences.

Companies hastily close their doors, still not knowing when and if they would come back, and send (almost) everyone to work at home. A tsunami running over and taking everything, just like that, suddenly, and throwing us into a new world, with new fears and anxieties and without any knowledge of what was to come.

Through behavioral science, we know that beliefs lead to emotions, which lead to certain behaviors and, ultimately, create habits. The pandemic shook part of our beliefs and, with that, triggered eddies of emotions and behaviors that until then were strange and, finally, changed the way we live, act and exist.

Along with all this comes the wave of creative crime: hackers. Hi-tech criminals, aware of vulnerabilities and always smart, wicked and inventive, now diversify their social engineering tactics: they pique our interest and curiosity with information about the Covid-19 cure, the evolution of the infection and death curves, contamination maps, disease tracking apps, government assistance programs, requests for donations, discounts and promotions, cases of domestic violence and news about our political circus during the pandemic. In short, a plate full of mental triggers, now in doubtful hands, to grab our attention and ruin our day, or even threaten our personal, family and professional safety. The snake Kaa entangling and seducing Mowgli.

A mental trigger is "the ability to bring people to our side, changing only the way we present our arguments" (The Weapons of Persuasion, Robert Cialdini). Examples of mental triggers: scarcity, urgency, novelty, social proof, authority, reciprocity, motivation, anticipation, simplicity and the relationship between pain and pleasure.

Let's see how these threats are installed and how these triggers are pulled: “Click here! Click here! Click here! Access now! Enter now! Streaming releases all your content for free!! Company distributes alcohol gel for free!! Click here and register to receive a government benefit! Dogs and cats abandoned during the pandemic! Cases of domestic violence increase! Elixir to cure covid-19! Find out how many cases there are in your neighborhood! Follow another chapter of the political fight between the executive and the judiciary during the pandemic!”

A large amusement park in front of us flashing with its provocative lights and saying "come on ... come have fun ... kill your curiosity ... vent and feed your fears and anxieties".

Parallel to all this, our house became “The Truman Show”, a true quarantine reality show. The world started to visit us every day through the home office, invading our privacy, exposing the pains and delights of home sweet home. Homes have become a branch of the company where we work and a unit of the school where our children study. They became the bar for happy hour, the club and the gym. Surprising things startled us, for example, the dependence we have on our home wifi! Wifi should become an item in government assistance or a basic food item (as well as psychotherapy). Wifi stipend now! And with the visceral dependence we have on the internet, another question hangs in the air: is my wifi safe? Is someone accessing my information or leaking my data? How protected from hackers am I, my family and the company I work for, now that I only use my home wifi? I miss the analog world, right, my daughter?

At the beginning of the pandemic, companies faced a Homeric struggle to provide tools and infrastructure for remote work to their employees and partners. But now a provocation echoes: what about the security of the company that, as a monolithic figure, no longer exists? The dozens, hundreds or thousands of corporate computers, tablets and cell phones are now scattered throughout the homes of the city.

If before the pandemic companies were already being bombarded by hacker attacks, in the current scenario this has multiplied for each device outside the company's network. Company information is hosted on personal computers and cell phones without an adequate security baseline, and cloud solutions are accessed surreptitiously without security parameters (strong passwords, two-factor authentication), taking consumers' personal data and confidential information to be hosted in a data center somewhere in this wide world.

The risk of intrusion into corporate notebooks and cell phones is high, with the consequent hijacking or leakage of consumers' personal data and disclosure of confidential information. The search for solutions for protection, prevention and detection of vulnerabilities on these devices (endpoint management) is imperative for companies that want to evolve and guarantee their business in the new digital world born by force out of the pandemic. Added to this is a very indigestible spice: the social engineering techniques described in this text.

As if that were not enough, there are also hackers invading videoconferencing sessions, conversations being leaked or shared on Facebook, and credentials for these applications being sold on the dark web.

EAD (distance learning) platforms, vital to the evolution and democratization of education at this time, can also threaten our personal and family security by collecting data such as intellectual and professional skills, personality traits, professional performance or even users' health, which translate into automated decision making using artificial intelligence. They can thereby cause incalculable damage to millions of citizens by leaking or improperly sharing these data and predictive analyses based on student performance (dyslexia, autism, learning disabilities, hyperactivity, attention, memory, perception, language or social interaction disorders).

Necessity is the mother of innovation! And here are some examples of how this ballet between innovation and security is going in these new times: companies are making a big move to fire up their sales force, making personal customer data available to all salespeople and developing websites and applications with minimal friction in the consumer relationship, which in certain cases implies relaxing security rules in the name of this premise.

And the dance continues. Enrichment of emergency data to better understand the consumer and approach him in a certain way, massive circulation of personal data and highly confidential information via WhatsApp, sharing of passwords between sellers, a high volume of data sharing between companies with weak security and without transparency toward the consumer, disregarding the rights of consumers who have already declared that they do not want to receive offers of products and services.

For companies, the item “Cyberattacks and Frauds” is among the top 10 global threats. Precisely in third place, behind only fear of recession and bankruptcy and consolidation of companies. But this is no accident. The Accenture study “Ninth Annual Cost Of Cybercrime Study - 2019” estimates that cyber crimes can cause losses of around US$ 5.2 trillion to companies over the next five years, due to costs with prevention, containment, investigation, recovery, loss of information, business disruption, damaged equipment and loss of revenue.

But there are companies doing their homework. According to the “COVID-19 CFO Pulse Survey - PwC” of April 2020, cutting investments in data security and protection is not a priority for companies. Here are the priorities for cuts: 82% facilities / overhead, 67% workforce, 55% operations, IT 53%, R&D 27%, digital transformation 25%, 15% customer experience, 10% environmental, social and governance activities, cybersecurity and 2% privacy. Well done, CEOs and CFOs! You know that accelerating the car is only for those who have good brakes!

What about the entry of the LGPD in this pandemic context? In a historic decision, on May 7 of this year, the STF prohibited the sharing of personal data by telephone companies with IBGE (Provisional Measure 954), justifying that the MP did not clarify how and for what the collected data would be used, and that it also did not have safeguards to prevent leaks or misuse of data. This judgment is historic because the STF has clearly recognized the fundamental right to data protection, and it will serve as a guide for several current issues regarding privacy and the treatment of personal data.

At first glance, it seems to make perfect sense, in the midst of the chaos of this crisis, that citizens' data, be it registration, geolocation or health data, be used massively to contain the advance of the pandemic. It would be incredible to have an application that alerts or monitors, in an anonymous and safe way, how many cases of covid-19 exist in a specific location where you are or that you want to visit.

However, we know that today governments and companies still do not have robust and mature controls to prevent leaks and improper treatment of data. To further aggravate the situation, such data can be used to exaggerate the surveillance of citizens or to curtail their human rights, acting outside the initially established purpose of containing Covid-19. Examples of this? We have them in the recent past. Let's go back to 1930.

That year, Germany conducted a population census collecting the following information: nationality, native language, religion and profession. We know the rest of the story. It is told in great detail when we search for the term “Hollerith machines”, along with how this influenced the formulation of the humanist principles of the GDPR, in a happy and valiant initiative by Europe to tackle this issue.

The issue calls for greater regulation of the use of personal data in the prevention and containment of the disease. But the people want to know: from now on, will every crisis bring real threats to the security and privacy of the citizen? Will data protection and privacy become part of citizens' perception as an item of basic sanitation and a key factor in social well-being?

To our delight, there is an outline of this scenario that clearly demonstrates that the LGPD has already brought its benefit. Today, a consumer relationship that involves the exchange of personal data is subject to scrutiny and questioning about privacy and data protection by the consumer, defense agencies, sector agencies and the Public Ministry. And the impact this can have on brands can indeed be negative.

A notification or fine may arrive for the company before August 15, 2020, at Christmas, New Year's Eve, May or August 2021 or any date that the LGPD comes into force with its dreaded fines and sanctions. The LGPD has already sent its message: today, our mothers, fathers, children already talk about data privacy at the dinner table, it is already a subject in the Jornal Nacional, it has already become a soap opera, series, film, meme. Privacy is Pop! Soon there will be a carnival block with the theme ... 

The pandemic brings a fact that is, let us say, nauseating: the revenue of the BigTechs. Amazon, Apple, Facebook, Google and Microsoft increased their earnings in this first quarter of 2020. The discomfort does not come from the increase in revenue itself. It comes from the fact that, in the midst of scandals of leakage and improper treatment of data, there is no perception of real progress in solving these problems from the perspective of users of these platforms and consumers in general.

BigTechs have not yet presented a convincing compliance program to protect our data. And all of this leads us to always be in a state of ultra surveillance and ultra skepticism toward the digital world, and to swallow that much of this revenue comes from the “bad treatment” of data. To paraphrase a famous anthropologist, "the privacy crisis we have today is not a crisis, it is a project". My dear, my dear, we do not lack figures of speech in our turbulent moment in history to have security in the home office. Similar to the fight against the coronavirus, to protect yourself from the threats of attacks by hackers and criminals, you need prevention, isolation, rapid testing for detection, vaccines, wearing masks, washing your hands and no hugs and kisses.

Going back to the root of the problem, facing the threats of hackers and criminals head-on does indeed involve good antivirus, DLPs and SIEMs (security monitoring tools), access control, two-factor authentication, strong passwords and encryption. But turning this game around decisively is only possible with behavioral realignment in the face of new threats from the dazzling and mysterious digital world. Revisit your beliefs, emotions, behaviors and habits. Digital education includes going after information, knowing and self-knowing, questioning. Technology has brought us to a moment in human evolution that leaves no room for digital illiteracy. Learning from error, in this case, is very, very expensive. And watch out! Do not click on any suspicious links that promise otherwise. It would be unforgivable for you, in the comfort of your home office, to be carried away by emotional triggers provoked by this innocent and unpretentious article.

(*) Claudinei Vieira is Data Protection Officer and Security Officer at Marketdata.

Published in: DigiTalks Expo2020 - https://digitalks.com.br/expo/digitalks-action-coronavirus/opinioes/seguranca-em-tempos-de-home-office-nao-e-so-sobre-computadores-e- over-human-behavior /