The user is the last line of defense in cybersecurity. Examples of campaigns to protect your work
The opposite is often said, that people are the weakest link. But Prosegur's Information Security area turns this approach on its head and trains employees with courses, short information "pills" and simulated phishing so that they become an unbreachable shield.
Just because people are not a weak link in Prosegur does not mean that this is also the case in other companies. The Information Security area has information that encapsulates the seriousness of the problem: In 2020, Spanish companies were the most attacked by global cybercrime. Among the reasons for this is the weak cybersecurity culture of 86% of those companies, according to a study by PwC. And according to Kaspersky, in the first eight months of 2021 cyber sabotage attempts increased by 24% in Latin America.
Prosegur is strengthening its defences. "We are developing our own, transversal, top-down model that cascades from the top throughout an organisation with over 150,000 employees in 26 countries," explains Enrique Miranda, Chief Information Security Officer (CISO) of the new Unit. The reason for this architecture is that we are not talking about just any company, but about a global benchmark in its sector with an exclusive Cybersecurity business, which must demonstrate an optimal level of protection that starts at home.
So how is this done? With direct reporting to the Management Committee, a stronger structure with a CISO in each business, and hybrid profiles that combine technical and risk-management skills, so that the team understands how each activity works and can adapt the defence to its specific needs. "And with a particular focus on training and raising awareness across the entire workforce to ensure that people are the last line of defence, not the most vulnerable link", says Miranda.
Tips, pills and university courses
The company is diversifying resources for this strategic objective, with mandatory courses at the Prosegur Corporate University for new recruits (last year more than 90% completed the pathway), colloquia on trends such as the hybrid threat, and pills with key information: for example, if you are teleworking, use strong, unshared passwords, save information in corporate repositories rather than on your desktop, and activate two-factor authentication on all accounts.
But there are even more examples of Prosegur's cybersecurity training. Tips are sent to all employees so that they never leave their devices unattended and never connect through public Wi-Fi. They are also advised to configure screen locking on their mobile phones and to use corporate channels to exchange information. They are urged not to use their corporate accounts on social media and, when working, to take basic precautions such as not sharing personal information (a request for it can be a social engineering trick) and to be wary of competitions and prize draws. They are also always advised to log out of sessions, and they are given tips on how to avoid user data theft on Facebook.
Learning from experience
If knowledge is key to understanding the threat, there is no better way of internalising it than personal experience: reinforcing theory with practice, or feeling the effect of making a basic mistake yourself. This is the aim of the simulated phishing campaigns, in which emails are sent to employees through corporate email in the countries where the company operates.
Their content can only be designed by Information Security experts who have seen real campaigns many times and follow their development on a daily basis. Some hooks seek an immediate emotional reaction to get you to let your guard down, such as a notice to pay a bill so as not to lose this or that service, or even an email from a supposed official Ministry of Health with a link to the Covid-19 vaccination schedule.
The percentage of recipients who take the bait is small, but there is always one. Enrique Miranda explains that it is not a question of shaming or reprimanding, but of making those who click on the simulated email understand that there are no excuses for the consequences of downloading a real virus. "The thing is that I was up to my eyeballs in emails that day." "I was waiting for that very message from the health authorities, which is why I fell for it."
That is why the results of the campaigns are shared with the Management Committee, like the entire Cybersecurity policy, but never the identities of the employees who fall into the phishing trap. Not only out of respect for their privacy, but also because the employees in question appreciate this discretion and tend to join the cause in a more proactive way.
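The reporting practice just described (campaign results go to management, but the identities of employees who clicked never do) can be enforced in the tooling itself rather than by convention. The following is an added illustration, not Prosegur's code or data: it aggregates a constructed set of simulated-phishing results per country into click and report rates, suppresses any group too small for an individual to hide in, and never copies the employee identifier into the output. The field names, the country codes and the minimum group size of 5 are assumptions made for the example.

```python
import json
from collections import defaultdict

# Constructed sample results from one simulated phishing wave (not real data).
# One record per recipient. The employee_id is needed to deliver targeted
# follow-up training, but it must never appear in the management report.
SAMPLE_RESULTS = [
    {"employee_id": "e001", "country": "ES", "clicked": True,  "reported": False},
    {"employee_id": "e002", "country": "ES", "clicked": False, "reported": True},
    {"employee_id": "e003", "country": "ES", "clicked": False, "reported": True},
    {"employee_id": "e004", "country": "ES", "clicked": True,  "reported": False},
    {"employee_id": "e005", "country": "ES", "clicked": False, "reported": True},
    {"employee_id": "e006", "country": "ES", "clicked": False, "reported": False},
    {"employee_id": "e007", "country": "PT", "clicked": True,  "reported": False},
    {"employee_id": "e008", "country": "PT", "clicked": False, "reported": True},
    {"employee_id": "e009", "country": "PT", "clicked": False, "reported": False},
    {"employee_id": "e010", "country": "PT", "clicked": False, "reported": False},
    {"employee_id": "e011", "country": "PT", "clicked": False, "reported": False},
    {"employee_id": "e012", "country": "AR", "clicked": True,  "reported": False},
    {"employee_id": "e013", "country": "AR", "clicked": False, "reported": False},
    {"employee_id": "e014", "country": "AR", "clicked": False, "reported": True},
]

# Assumed threshold: a group smaller than this is suppressed, because a rate
# over two or three people effectively names whoever clicked.
MIN_GROUP_SIZE = 5


def aggregate_campaign(results, min_group_size=MIN_GROUP_SIZE):
    """Return per-country rates with no individual identifiers.

    Groups below min_group_size report only their size and a 'suppressed'
    flag; their clicks still count towards the overall figure.
    """
    groups = defaultdict(lambda: {"recipients": 0, "clicked": 0, "reported": 0})
    for r in results:
        g = groups[r["country"]]
        g["recipients"] += 1
        g["clicked"] += int(r["clicked"])
        g["reported"] += int(r["reported"])

    report = {}
    for country, g in sorted(groups.items()):
        if g["recipients"] < min_group_size:
            report[country] = {"recipients": g["recipients"], "suppressed": True}
            continue
        report[country] = {
            "recipients": g["recipients"],
            "click_rate": round(g["clicked"] / g["recipients"], 3),
            "report_rate": round(g["reported"] / g["recipients"], 3),
            "suppressed": False,
        }
    return report


def overall_click_rate(results):
    """Campaign-wide click rate, computed over every recipient."""
    if not results:
        return 0.0
    return round(sum(int(r["clicked"]) for r in results) / len(results), 3)


def leaks_identifiers(report, results):
    """True if any employee_id from the raw results appears anywhere in the report."""
    serialised = json.dumps(report)
    return any(r["employee_id"] in serialised for r in results)


if __name__ == "__main__":
    summary = aggregate_campaign(SAMPLE_RESULTS)
    assert not leaks_identifiers(summary, SAMPLE_RESULTS)
    print(json.dumps(summary, indent=2))
    print("overall click rate:", overall_click_rate(SAMPLE_RESULTS))
```

The `leaks_identifiers` check is deliberately run before anything is printed or exported: it is cheap, and it turns the "never the identities" rule from a promise into a test that fails the build if someone later adds a per-person breakdown to the report.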
"We want to really strike a chord", continues the CISO, "to make it understood that when it comes to cybersecurity your company is also your home. Just as you do not simply open the door of your home to anyone, because you are concerned about your children, you cannot open the door of your company without being sure who is on the other side, because it also affects you personally, you and the rest of your colleagues who are your other family."