85% of security breaches linked to the human factor
Eighty-five percent of security breaches are linked to the human factor, according to the 2021 Data Breach Investigations Report (DBIR); this is therefore the path that cybercriminals will continue to exploit to do harm to any organization.
Cybercriminals use the people in an organization to gain access, from the inside, to corporate information and personal data, using social engineering techniques such as:
Phishing: Generally, e-mails with infected attachments or links to fraudulent pages are used with the aim of taking control of your computers and stealing your confidential information.
Deepfake: Manipulating the image and/or voice of a person to deceive the recipients of these videos or audios with false messages, in order to obtain financial gain or information.
Baiting: Leaving malicious software in plain sight so that the victims themselves infect their devices.
Pretexting: By creating a fictitious story, the attacker tries to get the victim to share information that, under normal circumstances, they would not reveal.
Sextortion: Threatening to send compromising content to your contacts (even if such content does not exist) unless you agree to the cybercriminal's demands, usually to make a payment.
Dumpster diving: Searching through discarded waste for documents containing personal or financial information.
Smishing: By sending an SMS, the victim is asked to call a premium-rate number or to open a link to a fake website.
Shoulder surfing: The attacker watches what another user types or has on screen to obtain relevant information.
Quid pro quo: Prizes, gifts or money are promised in exchange for personal information entered into forms.
What can a company do?
To draw a conclusion that helps our customers and followers: given the available data, technical security measures should not be neglected, but 85% of the effort should be directed at human resources, in the form of:
Regulatory Compliance:
Any company, regardless of its size or activity, is obliged to comply with the RGPD and the Spanish LOPD, and must therefore meet the requirements of these regulations:
- Draw up the Record of Processing Activities (RAT).
- Risk analysis of processing operations.
- Analysis of the need to prepare a Data Protection Impact Assessment (EIPD).
- Security breach policy.
- Drawing up contracts with Data Processors (DE).
- Protocol for handling the exercise of data subject rights.
- Digital rights.
- Analysis of the need to designate a Data Protection Officer (DPO).
Information:
The company is responsible for information in general and personal data in particular, so it must inform staff, and remind them periodically, of everything they need to know about the use of information:
- Organizational measures applicable to data protection.
- Technical measures applicable to data protection.
- Rules for the use of information.
- Rules for the use of corporate information systems.
- Security measures implemented and applicable to the information.
- Policies and procedures for dealing with security breaches.
- An internal ethics channel for reporting crimes, infractions or bad labour practices.
Personnel Confidentiality
All employees must sign a corporate commitment, which regulates the duty of secrecy during the time they work for a company and after their employment relationship with that company has ended.
Sensitization:
Staff should be aware of the risks of a cyber-attack or of mismanagement of information, as well as the risk of sanctions the company faces for non-compliance with the Personal Data Protection Regulation. Enroll staff in:
- Data protection newsletters.
- Examples of best practices: videoconferencing, teleworking, HR.
- Examples of sanctions: images, penalties, DPD, biometrics, etc.
- Cyber-attack alerts: INCIBE.
- News related to IT security.
- Awareness programs consisting of sending e-mails that simulate electronic fraud, so that personnel are always on the alert.
Training:
Training is the fundamental pillar for the effective transmission of knowledge to personnel and contributes to creating a culture of commitment to data protection.
It is also mandatory under Art. 39.1.b) of the RGPD, Article 88.3 of the LOPD and the AEPD's Labor Relations Guide (section 3 b) and c) on page 18).
A good solution would be a short, tutored online course of only 3 hours.
Technological tools
It is necessary to have the right software and hardware for corporate needs, but also for the level of security required for personal data and information in general. For this purpose:
- All software used must be officially licensed by the manufacturer.
- All software should always be up to date so that the latest security patches are incorporated to protect the information.
- Adopt new tools that facilitate information security: malicious e-mail identifiers, KeePass, etc.
Business Adapter at your service
If you are a customer and need help, do not hesitate to contact your consultant, send us an e-mail at info@businessadapter.es or leave your message at https://businessadapter.es/contacto and we will contact you.
If you are not yet a customer and need advice, we are at your disposal: contact us at https://businessadapter.es/contacto and we will be happy to help you.