Source: Valor Econômico, by Leticia Arcoverde.
Last year, 30,000 employees of JBS received an email with the information that Neymar football player had left the Spanish team Barcelona. When clicked on the link that would take the news, they were told they had accessed an undue site that could infect your computer and to the company network. Then they were invited to a training explaining the dangers of open files, or unknown links and care to not take that risk.
Sending the email was organized by JBS information technology department itself, with the help of a training tool that simulates an e-mail “phishing” so that employees understand in practice how they work cyberattacks and learn to avoid them. The technique is one of the measures adopted by companies today to protect the growing danger posed by cybercriminals, who increasingly use the staff as a gateway to attacks that can result in major financial losses.
A recent survey by PwC pointed out that the number of cyber attacks recorded by Brazilian companies jumped from 2.3000 to almost 8700 between 2014 and 2015. During this period, the average amount of financial losses related to this problem was US $ 2.4 million. In the perception of some 600 Brazilian executives surveyed, most of the incidents have probable origin the company’s own employees (41%), number above the global average (34%).
“The weakest link is always the user, then the employee often ends up being the gateway,” says Fabio Picoli, country manager of security firm Trend Micro Japanese information. “We need to do a great job of awareness, and it is important to involve the person in the process.” For experts on the subject, these risks should be seen as a responsibility of the whole company, not just the IT department.
The most common training generate simulations or near the maximum cases of employees, showing where there are vulnerabilities in corporate routine with the help often real examples that took place in the company. Many companies promote awareness campaigns or events – Trend Micro has held discussions on the subject with the participation of over 800 employees.
There are also measures such as the release of certain sites only at certain times, and a technique called “containerization”, separating applications and professional use programs of personal effects in the cell, so that work-related information is exchanged only in safe environments.
The “chief information officer” (CIO) of JBS, João Pilla, explains that the company has a conservative approach when it comes to information security. particular devices such as mobile phones, tablets or laptops can not be used for work purposes, and about eight thousand employees who need these tools receive the company’s devices. Employees also sign a liability waiver detailing the limits and duties as email users and the corporate network.
In addition to the investment in monitoring tools and protection of computers, the IT department produces videos every six months on the subject. Still, Pilla, who is in the technology field for 25 years, says the information security control is now much more complex because of technological advances and increasingly tenuous division between personal and professional use of these tools. “In information security, it is essential to stay all the time hitting the same key, or people forget.”
The simulation training was an alternative that also allowed the company to measure the level of knowledge of users. The adoption, last year, also resulted in cost savings because replaced a live training on the subject. The first time the message was sent, 10% of the 30,000 employees clicked on the link “malicious”, and half did the training. In the second simulation – the starring Neymar – 20% fewer people clicked. “Our goal is that this number does not exceed 5%,” said Pilla.
This year, the CIO intends to conduct training more often with e-mails from several subjects – after all, the hacker who want to hook someone’s attention will make an interesting subject. “People need to realize that the company is taking care of it so that they do the same thing,” he says.
Pedro Ivo Lima, CEO of PhishX, company that offers simulation training as done in JBS, explains that the intention is to educate the employee by force of habit, conditioning him to identify dangerous messages. Examples are usually chosen by the companies themselves. Some send emails that simulate internal communications, but with absurd text or full of errors – to prove the idea, according to Lima, that many do not always read a message before clicking on something. “People have behavioral patterns. In relation to technology, everyone wants to be fast,” he says.
Last year, the company made two million simulations. On average, 35% of users receiving e-mail “drop” in the message. In a first test, no company registered less than 10% access. “From the fourth test, the trend is to be between 10% and 20%. Never happened 0% or will happen,” he emphasizes.
After an employee clicks on a malicious file, this “malware” can infect not only his computer, but the whole company network. The types of crimes that result from failures in this process range from robbery to theft of privileged information such as passwords, financial data or details about products that can be sold to competitors.
Recently, the dating site Ashley Madison had leaked information revealing sensitive data users seeking privacy. Last week, Snapchat application had data stolen wages after a hacker simulate an e-mail the company’s CEO asking for information to an employee of the department people. In the case of financial institutions, have access to the network can allow hackers making false transactions.
Santander, a specific online training on information security is one of the mandatory for all employees of the bank, and presents potential problems and examples of what to do, going through basic steps as the need to lock the computer before leaving the table . “It is important to bring the day to day, for the person to understand what it means in her work,” says the vice president of human resources, Vanessa Lobato. The training is updated and should be redone every year. The bank also promotes a week of risk, which includes the subject.
In the opinion of Claudio Martinelli, general manager of security firm Kaspersky Lab Russian information in Brazil is increasingly difficult to protect information within companies. Part of the risk comes from the practice of employees to use personal devices for work, the “Bring Your Own Device”, considered by Martinelli a trend of no return.
For the partner of the intellectual property area and technology law firm information Trench, Rossi e Watanabe, Flavia Rebello, in these cases it is important that the company has a specific policy for the situation. That’s what will define, for example, the ability to monitor business use programs installed on a personal device, as you would with a corporate device. The ban on the use of applications like Whastapp, Skype or Dropbox to exchange confidential information must also be explicit. “The recommendation is to restrict the transfer of business documents only to protected networks. These policies help to create awareness that not every form of communication is appropriate,” he says.
According to Martinelli, criminals are becoming more sophisticated to try to attack companies. Before e-mail “phishing” came only mass form – for example, when hackers send false messages from a bank to a large number of people, hoping to reach customers of that bank and they fall. Now, with the use of social engineering, these messages are more personalized. A common scam in recent months, discovered by Kaspersky is sending malicious files to HR department professionals in emails that supposedly contain attached resumes.
For these reasons, the awareness of employees becomes increasingly essential as part of the business strategy. “Information security has three pillars: services such as antivirus, security policies limiting employee access to a particular type of site, and education, which is the most fundamental of all Without it, the other two are rickety.” Martinelli says.