The methods used in virtual attacks have evolved over time. Currently, one of the most used techniques is the “phishing” email: a false message containing links that take users to harmful websites, which can install viruses on their computers and on the company network.
A PwC survey on virtual attacks showed that the number of incidents recorded in Brazilian companies jumped from 2,300 in 2014 to 8,700 in 2015. In 2015, the average financial loss related to security problems was R$9 million. The research also showed that in Brazil the majority of incidents originate from the companies' own employees, representing 41%, above the world average of 34%.
Criminals are increasingly sophisticated in attacks targeting companies. Initially, these false “phishing” messages were sent en masse, for example as fake campaigns imitating well-known companies such as banks, in the hope that users who were customers of that company would fall for the scam. Currently, using social engineering techniques, these messages are personalized to each recipient's profile. For example, it has recently become common to send emails to companies' HR departments that simulate a professional sending a CV, with the virus hidden in the attached file.
After an employee clicks on a malicious link or opens an infected file, “malware” is installed that can infect not only that computer but the entire company network. These attacks and security breaches can cause different kinds of problems: degraded performance of computers or the network, the need for maintenance, loss of data, or theft of privileged information such as passwords, financial data, and business, product or service information that can be sold to competitors.
In most current attacks and security problems, employees end up being the gateway to security breaches, because they do not have adequate guidance and are not properly protected on the network by antivirus software and services that block access to harmful websites. That is why it is important to provide adequate guidance and training that teaches professionals not to click on links or open files that could cause security problems.
In 2015, the company JBS carried out a test with its 30 thousand employees, sending an email claiming that the player Neymar would be leaving Barcelona and transferring to another football club. When users clicked on the link in the message, they were directed to a page stating that the link could have been harmful and caused damage or security breaches. Around 10% of the 30,000 employees clicked on the link, whereas it is recommended that this rate be below 5%. After sending the test message, the company offered all employees training explaining the danger of opening files or clicking on links in messages of unknown origin, and the precautions needed to avoid this risk.
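The JBS test above comes down to one metric: the share of recipients who clicked, compared against the 5% ceiling. As an added example (not from the article or from JBS), the script below scores such an awareness test from the landing page's click log: each employee is counted once no matter how many times they click, clicks from addresses that never received the test are ignored, and departments at or above the threshold are flagged for follow-up training. The recipient list and click events are constructed sample data.

```python
from collections import defaultdict

# Recommended ceiling quoted in the article: fewer than 5% of recipients should click.
CLICK_THRESHOLD = 0.05

# Constructed sample data (hypothetical names and departments, not real JBS data):
# who received the simulated message, and the raw click events the landing page logged.
RECIPIENTS = {
    "ana": "HR", "bruno": "HR", "carla": "HR", "diego": "HR",
    "elisa": "Finance", "fabio": "Finance", "gabi": "Finance",
    "hugo": "IT", "iris": "IT", "joao": "IT",
}
CLICK_EVENTS = [
    ("2015-06-01T09:02:11", "ana"),
    ("2015-06-01T09:02:40", "ana"),      # repeat click by the same user, counted once
    ("2015-06-01T09:05:03", "bruno"),
    ("2015-06-01T10:11:58", "elisa"),
    ("2015-06-01T11:30:00", "unknown"),  # not a recipient (e.g. forwarded link), ignored
]


def click_rates(recipients, events):
    """Return (overall rate, per-department rates, set of unique clickers)."""
    clickers = {user for _, user in events if user in recipients}
    dept_total = defaultdict(int)
    dept_clicked = defaultdict(int)
    for user, dept in recipients.items():
        dept_total[dept] += 1
        if user in clickers:
            dept_clicked[dept] += 1
    overall = len(clickers) / len(recipients)
    by_dept = {d: dept_clicked[d] / dept_total[d] for d in dept_total}
    return overall, by_dept, clickers


def awareness_report(recipients, events, threshold=CLICK_THRESHOLD):
    """Summarise the test: rates, departments over the ceiling, and who to train first."""
    overall, by_dept, clickers = click_rates(recipients, events)
    flagged = sorted(d for d, rate in by_dept.items() if rate >= threshold)
    return {
        "overall_rate": overall,
        "by_department": by_dept,
        "departments_over_threshold": flagged,
        "employees_to_train": sorted(clickers),
    }


if __name__ == "__main__":
    report = awareness_report(RECIPIENTS, CLICK_EVENTS)
    print(f"overall click rate: {report['overall_rate']:.0%}")
    print("departments over threshold:", report["departments_over_threshold"])
    print("employees to train:", report["employees_to_train"])
```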
This article shows in detail how to identify spam messages and how to prevent receiving these messages.
For employee training, it is important to use cases that come as close as possible to everyday life and the reality of the work environment, showing where the vulnerabilities in the corporate routine are and what to do to avoid security breaches. Many companies make internet security and protection courses mandatory on hiring; for example, Banco Santander offers online information security courses to new employees, with this training updated every 6 months.
In addition to avoiding clicking on links and opening suspicious files, it is important to create a complete policy for the use of technology and internet resources in the company, with basic guidelines ranging from locking your computer whenever you leave your desk to techniques for identifying websites that could be a source of viruses. Ideally, the company should have an internet usage policy that is known to all employees. This policy must describe what can be accessed and what the penalties are for non-compliance with the rules. For legal reasons, the company must require the employee to sign a document containing this policy, confirming their awareness of the rules and penalties.
Another point to be considered in this policy is the use of personal equipment in the workplace, mainly smartphones. It is increasingly difficult to restrict the use of cell phones, but in some cases companies have required employees to turn off their devices, allowing their use only at specific times or in specific situations.
In addition to employee awareness, there are two other important foundations for a good internet security structure in corporate environments: antivirus services and internet access control services. There are numerous antivirus alternatives, many of them free, but they must always be kept updated and configured appropriately. For internet access control, it is recommended to seek guidance from companies specialized in the area, which may be local IT service providers or cloud solutions that are more modern and easier to implement. A good alternative is Lumiun Tecnologia, an innovative solution in the Brazilian market that allows complete control of what is accessed on the network and generates detailed reports on everything that was accessed, without the need to purchase equipment or hire specialized technical labor.
Information security must be the concern and responsibility of company directors and must be part of the resource and investment management strategy. It is up to the IT manager or outsourced companies to develop a good information security policy and define its implementation with the directors. Some security breaches can cause enormous losses, so it is essential that this issue is addressed with attention and priority.
Share with us how your company advises employees about risks on the internet and what tools are used to protect computers and the network from problems and harmful websites!