Information security in companies: start by guiding employees

Concern about Information Security is a topic that needs to be part of companies' strategy, due to the growth in incidents, the risks that security breaches can pose and the evolution of forms of attack on the internet.

A survey carried out by Allianz Global Corporate & Specialty (AGCS) placed Brazil in fourth place worldwide in the ranking of losses caused by virtual crimes, with an annual average of losses caused by cyber attacks reaching US$ 7.7 billion in the country, behind only the United States (US$108 billion), China (US$60 billion) and Germany (US$59 billion).

In another survey carried out by PwC on virtual attacks, it was found that the number of incidents recorded in Brazilian companies jumped from 2,300 in 2015 to 8,700 in 2016. In 2016, the average value of financial loss related to security problems was R$ 9 million, according to the research. It also showed that in Brazil the majority of incidents originate from the companies' own employees, representing 41%, above the world average of 34%.

The forms of attack on the internet are increasingly dynamic and sophisticated, exploiting in different ways every vulnerability that exists in companies, from the lack of blocking or security systems, such as antivirus, proxy or firewall, to users' lack of knowledge or attention when using the internet. In fact, as the PwC research showed, users are currently the gateway to attacks in 41% of incidents.

Given this scenario, we can see the importance of a complete information security policy in companies, focusing on three fundamental points: antivirus and failure prevention/detection systems; policies and services for security and management of internet access; and employee education and training!

Employee training and education

Criminals try to exploit users' lack of knowledge and people's natural curiosity by sending fake email messages with popular subjects, or by posing as known and trustworthy people, inducing users to click on links in the messages that lead to harmful websites. This technique is known as phishing.

These attacks on users use social engineering techniques and are increasingly personalized. For example, sending messages from professionals interested in work to the company's HR department or even posing as suppliers in messages to the purchasing department. A survey carried out by Intel showed that only 3% of users are able to identify a phishing attack.

In 2015, the company JBS carried out a test with its 30,000 employees, sending an email saying that the player Neymar would be leaving Barcelona to play for another club. On clicking the link in the message, users were directed to a page informing them that this could have been a harmful website and could have caused damage or security breaches. The rate of users who clicked on the link was around 10% of the 30,000 employees; the recommended rate is below 5%.

After an employee clicks on a malicious link and accesses the harmful website, “malware” or a virus is installed, which can infect not only the computer but the entire company network. With these programs installed, criminals can capture passwords and access data for bank or credit card accounts, steal confidential company information or hold it for ransom, and carry out several other forms of attack.

So, to help employees identify possible risks, it is necessary to create guidance programs on security risks, forms of attack and possible damage. It is recommended that the company have an internet access policy, which describes how technology equipment can be used, what type of content can be accessed and under what situations or conditions it can be used.

It is also recommended to create educational materials for training, such as explanatory videos or booklets with guidance on how to use the internet safely. Two important points to be addressed, which are the cause of most failures, are the use of secure passwords and the necessary care when clicking on links in unknown messages or websites, which lead to harmful websites.

I share two materials created here at Lumiun, which cover these topics and can be used for employee guidance:

It is also important to understand that the responsibility for information security should not only lie with the IT sector, but must be part of the people and resource management strategy throughout the corporate environment.

Antivirus and internet access management

As we have seen, information security must also address the use of virus prevention or detection systems, the well-known antiviruses. AVG or Avast can be used, or paid solutions such as Kaspersky, Bitdefender, McAfee. The most important thing is that the antivirus is always up to date and properly configured, so that it prevents the installation of viruses and identifies any threat.

It is also essential to use services for security and management of internet access, which allow efficient control of what can or cannot be accessed on the network and prevent users from accessing harmful websites. There are numerous services that allow this management, from traditional server solutions with proxy/firewall, UTM or appliance solutions, to more modern cloud-based solutions that allow these services to be implemented and managed in a simplified way and with lower operational and financial costs, such as Lumiun Tecnologia.

We can see that staying protected on the internet is not a simple task. It requires a commitment to security and a large set of measures, which involve educating employees and making efficient use of systems and technologies to protect and control resources.

But we can also conclude that attention to this issue is essential, considering the increase in crimes on the internet and the losses that possible attacks can cause for companies.

Share in the comments how your company views information security risks and what measures are used to prevent them.

If you want to know more about how to have good access management and more security on the internet, talk to us and schedule a demonstration!
