The cybersecurity literature indicates that creating a Cybersecurity Policy is always one of the first steps in implementing a management system (ABNT NBR ISO/IEC 27001, 2013). However, creating the ISP alone does not guarantee compliance in practice, since the human factor must also be considered.
After all, employees must comply with the established policy, and security awareness campaigns act as a resource to ensure that everyone in the company receives appropriate training, education and awareness in line with organizational policies and procedures.
An important point to highlight is that awareness is not training. The purpose of awareness is simply to focus attention on security. Awareness is intended to alert individuals so that they recognize IT security situations and act accordingly (NIST SP 800-16). We also know that you invest a great deal of your company's energy in automated and documented processes, as well as in the latest technologies on the market.
The reality is that most security awareness programs have tight budgets, and security managers need to make the most of the limited resources they have. This is a difficult, unprofitable scenario that brings negligible results to the organization. To obtain relevant results, it is necessary to direct communication correctly to the target audience and to deliver optimized campaigns.
An awareness program is difficult to implement efficiently, because its main criterion for success is the involvement of an audience that is often not receptive to the proposed challenges. The main reason is that these programs are orchestrated and executed by professionals who do not seek to understand how people work, which results in inefficient campaigns.
Having a safe environment is not limited to using the best tools available on the market. In fact, one of the most important factors is the human factor.
Through awareness-raising methods, followed by evaluations, the PSAP is able to promote the topic of cybersecurity as something inherent to the company's daily life.
We understand security as a means, not as an end. We see security as a process that needs to be constantly revisited, through recurring updates and changes, and that is always reinventing itself. This is because security needs to be far more dynamic and faster to change in order not to fall behind cybercriminals.
In this same context, we raise professionals' awareness of information security, using actions such as:
To be effective, the awareness process is carried out through multiple channels, and the organization needs to ensure that staff are exposed to the same information multiple times in different ways. Its theoretical basis is the NIST SP 800-50 guidance on cybersecurity awareness programs and the Security Culture Framework. Awareness projects are conducted according to the precepts of Design Thinking and managed based on the concepts and fundamentals of SCRUM.
PROOF uses the following actions to promote the awareness of the organization’s employees:
Gathering news and preparing reports that help the company disseminate information in a planned way, which is fundamental to all information management.
Infographic emails sent on a regular basis. They address topics in a playful, creative, easily absorbed and easily interpreted way to raise the audience's awareness of cybersecurity.
Resource used to generate visual impact, with the objective of transmitting information, whether through video, booklets, illustrations, logos, icons, and other ways.
Game mechanics and guided thinking used to enrich training performance and improve cybersecurity learning.
Phishing simulations are used to design, create and launch an ethical attack, with the aim of making employees aware of the risks of a real attack.
Actions taken in the company's physical environment to test its security. Strategies such as tailgating, shoulder surfing and baiting, among others, are used for security evaluation.
Immersion sessions with lectures and conversations that address specific cybersecurity topics, lasting from 1 to 3 days.
Educational lectures are events that aim to raise awareness and teach participants about specific cybersecurity topics in a dynamic way and through effective dialogue.
If you answered “NO” to any of these questions, we can help.