Ensuring data security in a medium-sized company might seem like a straightforward job, but it keeps the IT team at Value Partners on their toes. Senior IT Manager Antonello Caggiano and Senior IT Officer João Fernandes give some insight into this vital but sometimes overlooked field. These two experts also discuss best practices to help ensure IT security in a company.

Cybersecurity, a central component in GRC

Whereas data security might have once been viewed as its own enclosed domain, it is increasingly wrapped up into the larger package of Governance, Risk, and Compliance (GRC), with cybersecurity concerns running through the various areas. This is apparent in recruiting practices because nowadays IT heads look for candidates to have an overview of each sector as opposed to having a limited area of expertise.

Keeping up: a matter of vigilance 

Compliance rules are always growing, especially in terms of data privacy, so that is a primary focus area. Because of the rapidity of the changes we deal with, the risk of forgetting something is always present. That is why we created a risk-management committee which acts as a filter for new business and IT developments, and it allows the IT department to create and implement new procedures and policies in order to keep up.

“We always have plenty of new targets to implement, and our company is busy hiring and integrating business applications that need financial information. This requires careful collection, management, and safeguarding, and we really have to stay up-to-the-minute. We constantly analyse, improve, and pay attention to new trends.”

João Fernandes, senior IT officer, Value Partners

Keeping employees aware of risks

As much as some people believe that cybersecurity should mainly be the concern of the IT team, it is very much something that should and must concern everyone, as individual behaviour can have widespread repercussions for an entire organisation. That is where training and communication come into play. 

A few years ago, we created a sort of training centre to internally educate all employees, and we also hold annual security training sessions. Much effort is spent on informing everybody about the dangers of phishing and spam as well as other sorts of attacks.

As anyone who is charged with teaching will tell you, during training sessions it can be difficult to keep people interested – and awake. In the early days of our training programme, because it was during the pandemic, we held sessions online, and our goal was simply to transmit information about security issues. This approach was met with limited interest, to say the least. 

Now the IT team organises roundtable-type discussions that are much more interactive, and participants are called on to speak and are encouraged to share their thoughts and experiences. Sometimes, they even contact the IT team on their own to discuss security issues or talk about something suspicious they have seen. 

“We have to communicate every day, to send updates and reminders. We have to be very repetitive. Because cyberattacks are carried out against companies every day, to do our job well, we have to be persistent. We prefer making everyone a little stressed out rather than being complacent.”

It is also important to incorporate more outside-of-the-box strategies to keep employees’ attention and make them aware of how easily they can fall victim to traps. One of these is to actually distribute phishing emails to staff and keep track of how many people get snared. 

Another tool is to send what appear to be legitimate requests for payment but are fake, and they are conveyed with a sense of urgency which might make some people forget to take usual precautions. We might then circulate within the company a kind of ranking that shows which team is the most cautious and which ones have a bit of work to do. 

“Using passwords as the main way to ensure security is a thing of the past.”

Antonello Caggiano, senior IT manager, Value Partners

Expecting all employees to become assistant deputies in the Wild West of data security might seem like a lot to ask, but that is the new reality. In their private lives, most employees are quite skilled with technology: they use payment apps, install updates, and keep an eye out for phishing emails and suspicious text messages. It is only at work that, for some reason, they tend to drop their guard.

“Nowadays, people have to be aware of topics that are not part of their main jobs. We have to get them to always be vigilant and to adopt a security-oriented mindset. That is our job.”

Cybersecurity awareness: a need for everyday work life

Using passwords as the main way to ensure security is a thing of the past. Today, applications, tokens, and multi-factor authentication are the new norm. You don’t need to be a geek to know about cybersecurity. Every employee should have basic cybersecurity knowledge, as data features so prominently in modern work life. In the future, it is likely that HR will create job descriptions that reflect this, so that every new hire, no matter the department, will need sufficient knowledge of the basic tenets of cybersecurity, just as everyone needs to know the basics of HR procedures.