“Prevention is better than cure.” I would like to start my analysis with this popular saying in Brazil, I’m sure it exemplifies well what we’re going to discuss throughout this chat, because I strongly believe that all companies, regardless of the niche they are in, need to have an active risks management so that they can protect sensitive information and their capital, in addition to guaranteeing the security of the data of employees, partners and customers.
Having a good risk management and investing in an IT team capable of preventing and closing all doors to possible invasions by hackers, highly destructive viruses or even internal data leaks, is essential and even reverberates in the reputation of the brand and in your profits.
However, it is always necessary to be updated, today, the technological race is very fierce and in a matter of seconds everything can change and even the most complex systems are susceptible to intrusions, which always need to be circumvented as soon as possible to avoid virtual threats.
I usually compare risk management to insurance, such as life, health, even a car or a house, which are there ready to be activated whenever necessary in order to minimize damages and circumvent the problem in the most efficient way. comfortable as possible.
Lately, we have seen large companies and even government agencies around the world, which are being victims of cyber attacks, with this, risk management committees are increasingly inserted in the routine of companies and governments. According to Gartner, by the end of the year half of the risk operations centers will be more modern, smarter, threat hunters and much more agile to circumvent damage.
As the digital advance arrived with accelerated steps, mainly due to the COVID-19 pandemic, which forced an almost total migratory movement to the digital environment, the occurrence of cyber attacks also evolved proportionally because companies are increasingly worried with adapting to this universe and forgetting the most important step: safety.
The fact is that the imminent cyber risk has always been part of the daily life of large companies and governments, but with this new reality, in which everyone is connected all the time and releasing data on the most different websites and applications, it is necessary to be responsible with information that could put the company’s credibility in check, hackers are seeing this new reality as the ‘crownjewel ‘.
Security also needs to be present in remote work as many companies have definitively adopted the home office. New norms and conventions need to be present in companies, whether small, medium or large. The truth is that few organizations were prepared for this digital “boom” and the vast majority were unable to review remote access policies in time to provide the necessary protection to the endpoint, since when employees are outside the corporate environment, they are more susceptible and vulnerable to attacks.
To ensure quality, care must be taken with the copy and paste recipe, the NIST – National Institute of Standards and Technology, has already stated that there is no single solution that works for several companies. I agree and sign under this information, because even if two companies are similar and have similar structures, the needs need to be detailed. For successful management it is necessary to map sensitive areas and determine layers of protection.
I see a (very near) future in which passwords as we know them today will only remain in memory, we can already have a taste of it in banks and even in electronic devices such as cell phones, tablets and computers, as well as the most modern locks that use the biometrics or facial recognition. This is because conventional passwords with combinations of letters and/or numbers are true invitations to attackers. What I have seen in large companies are their own systems that blocks passwords that are very easy or that are obvious, in addition to promoting a rotation from time to time.
But that alone is not enough, it is necessary to have integrated and comprehensive solutions, which involve all hierarchical levels of the company, as a failure in the system can cause incalculable losses and even make days and days of work impossible. Did you know that about 2/3 of all information leaks are done by employees and that 92% access inappropriate data? Many of these accidentally, for example wrongly attached documents and even forgetting materials in the cloud. I saw a survey by Proofpoint that revealed that 90% of phishing messages want to steal credentials and also showed that most employees are more likely to click on dangerous links before, during or just after lunch, as they are more relaxed and browsing more freely on the network. For this reason, NIST strongly recommends that rules for acceptable and unacceptable behavior be included in company policies.
In addition, I suggest limiting internet access, as well as installing network access controls in offices, installing up-to-date antivirus programs and requesting two-factor authentication for sensitive systems and files, it is also imperative that a risk analysis be carried out constantly.
We are in a beneficial era to install the culture of risk management in companies, any virtual security department has to be sharp to keep up with this acceleration, as all traditional methods no longer fit in this new reality, we need to use another approach, with integrated processes and, mainly, with training so that everyone is aware of the risks of a cyber attack.
Security has to be seen as a fundamental strategy, as it moves through all spaces of an organization.