By Carlos Sovegni, SAS Latin America Fraud Prevention Specialist

 

In the last 15 years, we have seen an exponential increase in attacks by cybercriminals, most of them with the objective of infiltrating companies' databases in search of sensitive data. Certain sectors, such as finance, have become favorite targets and have already experienced a disproportionate number of attacks, while others have remained relatively untouched.
 
But that is changing. Digital transformation and the monetization of information are putting the most diverse industries at risk, and all of them now require modern cybersecurity strategies. In 2015 Sony Pictures, for example, was the victim of an attack that stole 100 terabytes of confidential data, resulting in losses of approximately US$ 200 million.
 
So, where do we start? Before executing IT security plans, it is necessary to reserve and direct investments. That requires central support from the company for the implementation, and at least 10% of the IT budget must be reserved for the following pillars:
 
1% - Employee education: In a modern organization, the budget for training in cybersecurity strategies should be separated from the general training budget, so that it is treated as a priority and does not lose ground to other activities. Some practices, such as not opening attachments in suspicious emails and not sharing passwords, should be in messages passed on to everyone.
 
2.5% - Security policies: Security policies need not be overly strict, but they do need to provide guidance on acceptable use of the internet, including on mobile devices. Turning off access to social media does not make the company safer, as employees will find a way to get around it. So, show them how to use it properly and involve the audit committee in the process, to measure the effectiveness of the practices.
 
3% - Perimeter solutions: At this point, we've grouped data loss prevention solutions, firewalls and access identification technologies against intruders. Combined, they combat suspicious activity based on policies, ports and protocols. When properly tuned and maintained, these solutions serve as an important line of defense.
 
1.5% - Test security in all ways: Test new solutions and products every year to reinforce cybersecurity strategies. Look for new areas in which to introduce the solutions, and submit the system to evaluation by the leading specialists in each one, constantly testing all the resources and risks of the tools.
 
2% - Network awareness: Understanding how your company's network works should be a critical component of your cybersecurity strategy, and it must be in the hands of a competent team. The process will take time, but it will be worth the effort and will help to locate the weaknesses. In some cases, companies offer rewards as an incentive to IT staff. As they progress, teams can locate a number of outdated and vulnerable devices on the network, as well as hidden VPNs, fluctuations in access lines and compromised DNSs. Draw up a plan and resolve each item found. The benefits of keeping a regular, up-to-date maintenance program far outweigh the advantages of any other security expense.
 
1% - Additional - specialized training: IT security teams represent the front line of attack and defense for companies. They need training plans to further improve their skills. These plans need to be reassessed annually and may rely on consultancy from companies specializing in security training. Currently, in the midst of a war between companies to hire talent in this area, investing in the qualification of current security teams can bring immense benefits later on.
 
With well-targeted resources and the pillars of cybersecurity in place, the next step will be to measure results and constantly evolve with new products, programs and activities, always supported by a good security plan. To overcome the audacious tactics of cybercriminals, companies will need to know their weaknesses, their strengths and, above all, always be one step ahead.

 
