Digital threats are increasingly advanced, complex and planned. And we are not just talking about code: social engineering, phishing and other human-focused attacks remain a major problem, and one that companies are not prepared for.
Investing in advanced tools and solutions is essential to containing these threats and keeping the environment and everyone in it safe. Intelligence, automation, the ability to prioritize, quick response and investigation must be differentiators in the protection arsenal. The point is that a chief information security officer (CISO) today cannot be content with digital tools alone, nor compartmentalize security within their own department. Just as a siloed defense loses efficiency, leaving security under the umbrella of information technology (IT) reduces its effectiveness.
The key is to keep everyone engaged and to get help from other departments. Again: the focus of criminals goes beyond systems and falls on people, especially in Brazil, so this point deserves special attention in the organization. This means that, in order to have efficient protection, it is necessary to engage all employees, from all areas, at all levels. As this is both a communication and a technical challenge, it is important to have the support and expertise of Marketing, Human Resources and Legal.
A good strategy is for the IT/IS area to identify the key security practices that everyone can adopt and pass them on to Marketing, which creates educational pieces and content that are easy for the audience to assimilate, while HR organizes training and encourages participation through gamification. The company can also rely on a strategic partner to develop an information security awareness campaign. I have developed many campaigns to meet the demand of our customers and prospects in this regard. In this way, technical knowledge is delivered in an organized manner and has the best chance of positively impacting the audience.
It is also important to note that this is not a one-time effort; it must be constantly renewed, with updates on practices and transparent communication with employees. Note that we are not talking about daily repetition of the same subjects, but about relevant content offered on a regular basis, without excess. In practice, a weekly or biweekly communication already generates good results if it is carried out in the right tone and with really relevant information. When we run a campaign and train a company's employees, we talk about security in the personal sphere, the employee as an individual (CPF), and bring that responsibility into the corporate environment. An example: do not make personal purchases with a corporate email.
Did you know that nine out of ten malware attacks are propagated through human interaction? Another interesting idea is to test the team right after the training. Trend Micro's Phishing Insight, for example, is used by several organizations to gauge how attentive the internal audience is to threats arriving by e-mail, making it an ideal tool to measure the effectiveness of training and internal communication.
To reinforce the point: security is a shared and ongoing responsibility, so do not give up if your first assessment is not positive. Understand the errors, re-evaluate the communication and keep the flow of information active. In this way, employees will gradually see the importance of the process, adopt a more conscious posture and become great allies in the cybersecurity effort.
Marisa Travaglin is Head of Marketing at Trend Micro.