The methods used in cyberattacks have evolved over time. One of the most common techniques today is the phishing email: a false message with links that take users to harmful sites, which can install viruses on computers and on the company's network.
A recent PwC survey on virtual attacks showed that the number of incidents registered in Brazilian companies jumped from 2,300 in 2014 to 8,700 in 2015. In 2015, the average financial loss related to security problems was $9 million. The survey also showed that in Brazil most incidents originate from companies' own employees, who account for 41%, above the world average of 34%.
Criminals are increasingly sophisticated in their attacks on businesses. Initially, these false phishing messages were sent in bulk, for example as fake campaigns from well-known companies such as banks, so that those companies' customers would fall for the scam. Today, using social engineering techniques, the messages are tailored to the profile of each recipient. For example, it has recently become common for attackers to send emails to companies' HR departments that simulate applications from professionals, with attached files that contain viruses.
After an employee clicks on a malicious link or opens an infected file, malware is installed that can infect not only the computer but the entire company network. These attacks and security failures can cause different kinds of problems, from degraded computer or network performance and the resulting need for maintenance, to the loss of data or privileged information such as passwords, financial data, and information about the business or its products and services, which can be sold to competitors.
In most current attacks and security problems, employees end up being the gateway for security failures, because they lack adequate guidance and are not properly protected on the network by antivirus software and services that block access to harmful websites. Hence the importance of proper guidance and training that teach professionals not to click on links or open files that may cause security problems.
In 2015, JBS ran a test with its 30,000 employees, sending an email claiming that the player Neymar would be leaving Barcelona and transferring to another soccer club. By clicking on the link in the message, users were directed to a page that could have been harmful and caused security damage or failures. Around 10% of the 30,000 employees clicked on the link, while the recommended rate is below 5%. After sending the test message, the company offered all employees training that explained the danger of opening files or clicking on unknown messages and the care needed to avoid this risk.
This article shows in detail how to identify spam messages and how to avoid receiving them.
For employee training, it is important to use cases that are close to daily life and the reality of the workplace, showing where the vulnerabilities in the corporate routine are and what to do to avoid security failures. Many companies require participation in Internet security and protection courses upon hiring. For example, Banco Santander offers online courses on information security to new employees, with this training updated every 6 months.
In addition to avoiding clicks on links and the opening of suspicious files, it is important to create a complete policy for the use of technology and internet resources in the company, ranging from basic guidelines, such as locking the computer whenever you step away from your desk, to techniques for identifying sites that may be a source of viruses. Ideally, the company should have an internet use policy that is known to all employees. This policy must describe what can be accessed and what the penalties are for non-compliance. For legal reasons, the company must require the employee to sign a document that contains this policy, acknowledging awareness of the rules and penalties.
Another point to be covered in this policy is the use of personal equipment in the workplace, especially smartphones. It is becoming increasingly difficult to restrict mobile phones, but in some cases companies have required employees to turn off their devices, allowing their use only at specific times or in specific situations.
In addition to employee awareness, there are two other important foundations for a good internet security structure in corporate environments: antivirus services and internet access control services. There are numerous antivirus alternatives, many of them free, but they must always be kept up to date and configured properly. For internet access control, it is recommended to seek guidance from companies specialized in the area, which may be local IT service providers or cloud solutions, the latter being more modern and easier to implement. A good alternative is Lumiun Tecnologia, an innovative solution in the Brazilian market that allows complete control of what is accessed on the network and generates detailed reports of everything that has been accessed, without the need to acquire equipment or specialized technical labor.
Information security should be the concern and responsibility of the company's directors and should be part of the resource and investment management strategy. It is up to the IT manager or the contracted outsourced companies to draw up a good information security policy and to define its implementation with the directors. Some security flaws can cause huge damage, so it is essential that this issue be treated with attention and priority.
Share with us how your company guides employees about internet risks and what tools are used to protect computers and the network from problems and harmful websites!