
A proactive approach to cybersecurity: interview with
Márcia Tosta, CISO at Petrobras


1) Currently, what is the major impact of cyber crimes and leakages on companies?

Cyber crimes have a series of direct and indirect costs for companies because of the damage they can cause to their reputation and the consequential loss of interest in their products and services. Among these costs are the loss of financial assets, a fall in the value of shares, loss of intellectual property, lawsuits as a result of the violation of confidential information, and those related to supply chain trust contract breach – by both the inability to pay and the loss of credibility.

There is also the increased cost of cyber insurance, which is calculated on top of the risk and rises exponentially when a cybercrime happens. Executives must bear the fines and penalties for failing to comply with current legislation requirements, in particular the General Data Protection Law (LGPD) or GDPR, due to the leakage or misuse of the sensitive personal data of customers, employees, and partners.

2) What are the key factors behind cyber attacks?

Companies of all sectors and sizes are undergoing an intense digital transformation, fueled by the pandemic, which has led them to make available a series of new digital products and services, based on the adoption of new technologies, such as 5G, for example, which has made remote working possible by guaranteeing higher quality and speed of connections. 

In other words, today, we have a new way of working and behaving virtually. In this scenario, companies have had to provide access to critical systems outside their security perimeter, migrating to the cloud to be more productive and efficient. 

Many applications were not prepared for exposure to the whole internet and had vulnerabilities and less robust source code, especially because they were developed to be used within the company’s infrastructure. Therefore, more efforts and investments must be made in IT and security to validate identities and establish access policies for all applications. 

Unfortunately, the speed of these efforts often lags behind the needs of administrative and business fields, generating more vulnerabilities and increasing the risks of leakages or intrusions. At the same time, criminals have discovered that digital crimes are highly profitable as they can be carried out remotely, stealing data and kidnapping for ransom.

Other aspects to consider are:

1) The obsolescence of equipment and technological platforms in banks and other large industries, as the old hardware does not support the software updates necessary to guarantee security, as they do not evolve at the same speed.

2) The fact that we are all in the cloud today generates a series of gaps that can be exploited, mainly because criminals have discovered the high profitability of digital crimes, such as theft and data encryption so they can demand a ransom.

3) The high turnover of security professionals caused by high market demand, which also generates costs, as each time skills migrate to competitors or foreign companies, it is necessary to train and educate new team professionals.

3) What are the main cyber attacks that have impacted companies in the last two years?

Currently, the main form of cybercrime is ransomware, kidnapping data and demanding a ransom for its return. It can start with a phishing attack, meaning the use of tricks to steal or obtain victims’ personal information, such as passwords, bank details, credit card numbers, among other important data, or by spear phishing, a targeted email scam aimed at gaining unauthorized access to confidential data.

Cybercrimes can target individuals but also very commonly occur against companies, because when the attacker accesses intelligence, confidential, and especially personal data, they ask for a ransom to return the data so that the company can avoid fines and reputational damage. For example, if the penalty for a General Data Protection Law violation would be BRL 50,000, they would ask for a ransom of BRL 20,000.

To prevent these cyberattacks from occurring, it is essential that organizations identify and protect themselves against possible vulnerabilities. They must design very well-structured and detailed policies and processes to carry out updates, preventing intrusions or leakages during the update period.

4) Are Brazilian companies prepared to detect, respond and recover from attacks? How have they done this?

In Brazil, there is still very little sharing of intelligence and best practices against threats. Many companies still don’t take sufficient care with their vulnerability management programs, with corrections and constant application updates in terms of code or infrastructure. 

In addition, few companies adopt market frameworks that would improve the overall detection and response processes. There are now frameworks that help to detect, identify and react to attacks, which need to be adopted in practice as soon as possible, as information security requires constant improvement. This is because attacks occur against all companies, regardless of their size or sector, and the greater the profitability that can be generated by data theft, the greater the chance that cybercriminals will act, with the exchange of knowledge and practices being our best weapon against the spread of this type of crime.

5) How important is the General Data Protection Law for data privacy and company business?

The General Data Protection Law introduces a unified regulatory language to identify and process all privacy risks. Today, not considering the protection of personal data can have relevant impacts on companies through penalties and reputational losses. It is an excellent law because previously, the data was used in a very banal way. 

In summary, the law meets market demand, but it needs to be increasingly understood and applied to companies’ businesses, as it regulates data management processes not only for the protection of companies but particularly for data subjects. Its entry into force requires companies to be diligent about ensuring the trust of their customers and respecting consumer rights. Therefore, companies are now being more careful in defining the essential data they need to collect for their core business; they pay attention to its safe storage, treatment, and analysis, which is beneficial for the business as a whole.

6) What were the main initiatives to promote the LGPD?

National companies are adapting to the requirements of the General Data Protection Law, as it is an innovative regulation and requires attention to all stages of data management. We are learning from the legislation on a day-to-day basis. And contrary to what many companies think, it’s not just about hiring a DPO (Data Protection Officer), having a channel for customer queries, and obtaining consent to hold data. 

It is necessary to know how the data is collected and stored and for what purposes to guarantee its suitability and security in all its processes. Therefore, good privacy practices need to go hand in hand with cybersecurity practices, as only those who need it should have access to data, and the market still has some way to achieve this.

7) Are small and medium-sized enterprises also prepared to deal with cyber and data leakage risks? How have you done this?

The company size does not determine risks, as these have grown for all because the access and adoption of new technologies have also increased, with greater exposure to crime. For this reason, I advise everyone to adopt three basic principles:

  • Constant training of people
  • Analysis and frequent review of processes
  • Updating and evaluating technologies

The more people know and understand risks, the more efficient the adoption of the security culture. Recognizing cyber risk as part of the business and being diligent and proactive in mitigating such risks is essential. It is also necessary to involve senior management in all information security and data privacy steps.

8) Which sectors are most impacted by cyber and privacy risks?

Cyber risks involve all types of companies, especially businesses, as data breaches or theft can block operations. These risks can impact companies from all sectors. Still, I would highlight those that deal with a large volume of data, especially personal and sensitive data, in their core business, such as those in the financial, telecommunications, energy, retail, pharmaceutical, and health sectors.

9) What are your recommendations for preventing or mitigating attacks?

It is necessary to have visibility of the entire computing environment of an enterprise, to know the technologies and systems used, the processes, and access points. 

That includes in-depth control of the users’ systems and extensive knowledge of the technology architecture to implement several layers of protection to compose the defense.

The companies that are better responding to today’s challenges are those constantly improving and extracting the maximum from the investments made. It is essential to train the technical personnel, businesses, and senior management continuously to apply the necessary protection measures to safeguard, in particular, their digital identities, which offer criminals an opening to attack.