*By Cristiane Santos
The volume of data held by companies keeps growing. According to IBM, the world generates about 2.5 quintillion bytes of data every day, and 90% of the data in existence was generated in the last three years. Data alone, however, does not produce business intelligence. It is crucial to establish adequate governance so that data is available, integrated and, above all, secure.
Data security deserves special attention, because a single gap is enough to put the success of the business at risk. A survey by the American Institute of Certified Public Accountants (AICPA), which tracks the volume and complexity of security risks over the years, indicates in its most recent edition that 6 out of 10 companies report a significant increase in those risks.
Cybercrime grows alongside this exposure: in the state of São Paulo alone it rose by 144% in 2022, according to data from the Secretariat of Public Security (SSP). Such figures reinforce the growing concern with the dangers, especially technological ones, that a company can face. Knowing the types of risk and the ways to mitigate them is therefore essential.
The types of risks for a company
Risk combines the probability that a given event occurs with the impact, positive or negative, that it can generate. Unfortunately, in many cases risks remain hidden and unknown, which leads some companies to overlook critical factors.
The most common security risks today are: Compliance Risk, the violation of laws, regulations and external or internal standards, such as the LGPD; Legal Risk, a specific form of compliance risk that arises when an organization fails to comply with rules the government sets for companies; and Strategic Risk, which results from a faulty business strategy or the lack of adequate strategic planning.
There is also Reputation Risk, which covers corruption and ethical violations and damages both the company's standing and public opinion of it. Finally, Operational Risk relates to the company's day-to-day activities and includes privacy violations, information leakage, system intrusions and fraud, among other situations.
Although they differ in kind, these risks compound one another and produce negative consequences for the business: fluctuations in profit, a damaged reputation, loss of control over systems or data, damage to infrastructure and SLA breaches. Risk mitigation offers techniques that bring risk down to a level the business can tolerate.
Risk mitigation techniques
Security management, which encompasses risk identification, implementation of controls, monitoring and incident management, is one of the main actions a company must take to mitigate risk effectively and to comply with ISO 27001 (the standard for information security management systems) and with the General Law for the Protection of Personal Data (LGPD), ensuring both compliance and information security.
The first technique that an organization's security management should apply is employee training and awareness, since employees remain one of the most common entry points for intrusions and data leakage.
Other techniques, just as important, are platform vulnerability scans, regular phishing tests, endpoint security (such as technical access control and cautious use of USB flash drives) and corporate governance, which gives visibility into the threats and drives the growth of organizational and technological maturity.
Finally, investing in an incident management process, from registering the incident through to communicating with the customer, is essential to understand the impact of any dangerous situation and how to handle it. This consolidates the mitigation of security risks in the company and contributes to greater reliability and scalability for the business.
*Cristiane Santos is Head of IT Governance at Sky.One
Notice: The opinion presented in this article is the responsibility of its author and not of ABES - Brazilian Association of Software Companies