
ROI in Cybersecurity: How to quantify something that doesn’t happen?

The best outcome of a well-executed cybersecurity strategy is, put simply, a company whose operations and systems are not disrupted when an external threat materializes. In other words, it is an efficient cybersecurity ROI.

However, while this is undoubtedly a positive result, it can become a major challenge when it comes to proving ROI in cybersecurity.

With the lack of visible results to share, you may find yourself answering questions from business leaders about the true value of cybersecurity.

While preventing damage from cyber attacks should in itself be justification enough for investing in cybersecurity, if the result is invisible, the risk is that this investment will come under the spotlight and its validity will be questioned.

So, with cybersecurity investment spanning technology, people, and processes, how can you best demonstrate the tangible cybersecurity ROI of your investment in data protection and privacy?

ROI in cybersecurity: how do you quantify the value of something intangible?

Organizations make their investment and spending decisions by estimating ROI. If you, for example, spend $10 million developing a new product, you expect to make $100 million in profit. If you spend $15 million on a new IT system, you expect to achieve $150 million in productivity increases.

But if you spend $25 million on cybersecurity, what is the resulting value benefit to the organization?

Furthermore, how can you systematically and quantitatively determine which of the numerous cybersecurity tools and technologies available will provide your organization with the best possible increase in cyber resiliency for the money spent?

In 2017, IT security spending increased from 5.9% to 6.2% of total IT spending year over year, but in 2019, IT security spending fell to 5.7% of total IT investments.

The absence of tangible reasons to spend not only causes frustration among IT professionals; it also leaves organizations exposed to glaring cybersecurity flaws and to malicious cybercriminals waiting for the right moment to strike.

After all, no leadership will make large investments in a strategy that does not have tangible returns.

How to calculate ROI in cybersecurity?

First, ensure that you have a defined, layered security strategy in place to provide the best possible protection against damage to the company's reputation or finances as a result of a cyber attack or breach.

Several examples from previous years have already shown the consequences of not keeping customers' personal data protected from cyber threats. According to cybersecurity firm Coveware, for example, the average cost of a ransomware attack last year was $84,116, although some ransom demands were as high as $800,000.

Demonstrate competitive advantage

To truly demonstrate the value of your cybersecurity investment, be sure to emphasize the impact that effective security protocols have on the entire enterprise.

For many companies, cybersecurity is a prerequisite for business commitments and regulatory requirements, such as the General Data Protection Law (LGPD).

With good security credentials and robust processes, companies can open up markets and revenue streams that were previously impossible to reach, proving the long-term cybersecurity ROI of an investment in data protection and privacy.

Maximize your technology investment and ensure ROI in cybersecurity

A study by IBM covering 500 organizations worldwide, including in Brazil, and more than 3,200 security professionals puts the average cost of a data breach at $3.86 million.

The study also shows that technologies such as artificial intelligence (AI), machine learning, robotic process automation (RPA), analytics, and others can help a company save money in the event of a breach.

Maximizing your investment in cybersecurity is crucial to demonstrating ROI in cybersecurity. There are tangible ways to achieve this by generating greater efficiency, for example by reducing the time needed to eliminate the noise created by outdated technologies, especially when it comes to monitoring and response.

Outdated technology stacks typically generate large numbers of alerts, each of which an analyst must review and interpret before a response can be drafted.

However, developments in artificial intelligence now allow patterns and behaviors across technologies to be identified in real time, reducing the noise to a few actionable alerts.

Discover security and data protection solutions

The latest security, data protection, and data privacy solutions offer great benefits in terms of driving efficiency and demonstrating ROI in cybersecurity.

The IBM report also finds that companies with fully deployed security automation save $3.58 million in breach costs compared to those without it.

Readiness for incident response can also help keep costs down when responding to a data breach.

In fact, companies without an incident response team averaged $5.29 million in breach costs, compared to $2 million for companies that maintain an incident response team and simulations, according to IBM.

Therefore, by combining artificial intelligence, automation, and human analysis to detect and act on cyber threats, organizations can reduce cyber risk and the dwell time of breaches, allowing your staff to focus their efforts on other areas.
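The question posed above, how to put a number on a breach that did not happen, is usually answered with a return-on-security-investment (ROSI) calculation. The following is an added example, not the page's own method: it takes the per-breach costs the page quotes from the IBM study ($5.29M without an incident response team, $2.00M with one) and combines them with a constructed annual breach probability and a constructed yearly cost for the IR program.

```python
"""Return on Security Investment (ROSI) worked through with the breach-cost
figures the page quotes from the IBM study. Added example, not the page's own
method; the annual breach likelihood and the annual cost of running an incident
response team are constructed inputs, not page figures."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One security posture: what a breach costs if it happens, how likely it is
    per year, and what the controls in that posture cost per year."""
    name: str
    breach_cost: float          # single-loss expectancy in USD
    annual_probability: float   # P(at least one breach in a year)
    annual_control_cost: float  # yearly spend on the controls in this posture

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: expected breach loss per year."""
        return self.breach_cost * self.annual_probability


def rosi(baseline: Scenario, improved: Scenario) -> float:
    """ROSI = (ALE reduction - incremental control cost) / incremental control cost.

    A value of 0.5 means every dollar spent on the added controls avoids
    $1.50 of expected loss.
    """
    incremental_cost = improved.annual_control_cost - baseline.annual_control_cost
    if incremental_cost <= 0:
        raise ValueError("improved posture must cost more than the baseline")
    ale_reduction = baseline.ale - improved.ale
    return (ale_reduction - incremental_cost) / incremental_cost


def breakeven_probability(baseline: Scenario, improved: Scenario) -> float:
    """Annual breach probability above which the added controls pay for
    themselves, assuming the probability is the same in both postures.

    Solves ALE_baseline - ALE_improved = incremental cost for p.
    """
    incremental_cost = improved.annual_control_cost - baseline.annual_control_cost
    cost_saved_per_breach = baseline.breach_cost - improved.breach_cost
    if cost_saved_per_breach <= 0:
        raise ValueError("improved posture must lower the per-breach cost")
    return incremental_cost / cost_saved_per_breach


# Page figures (IBM study): $5.29M average breach cost without an incident
# response team, $2.00M with a team that runs simulations.
# Constructed: 30% annual breach probability, $600k/year to run the IR program.
NO_IR_TEAM = Scenario("no IR team", 5_290_000, 0.30, 0)
IR_TEAM = Scenario("IR team + simulations", 2_000_000, 0.30, 600_000)


def report(baseline: Scenario = NO_IR_TEAM, improved: Scenario = IR_TEAM) -> dict:
    """Collect the figures a board slide would need, rounded for presentation."""
    return {
        "baseline_ale": round(baseline.ale),
        "improved_ale": round(improved.ale),
        "rosi": round(rosi(baseline, improved), 3),
        "breakeven_probability": round(breakeven_probability(baseline, improved), 3),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>22}: {value}")
```

With these inputs the IR program returns about 64% on its cost, and it breaks even once the yearly chance of a breach exceeds roughly 18%; changing the constructed probability shows how sensitive the business case is to that single estimate.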

Finally, consider adopting a protection framework that is available as a hybrid security operations center.

This gives you the flexibility to adapt it to your needs while helping to develop the right skills internally, and it also enables consolidation of security vendors.


Earning Board Trust and Securing ROI in Cybersecurity

The methods and reasons for cyber attacks will continue to evolve and you need to make informed decisions about potential risks and mitigate them through the right security processes, technology, and controls.

While proving cybersecurity ROI has historically been difficult for security teams, it can be overcome by implementing the right strategy, establishing clear communication channels, and leveraging the right technologies, such as security, data protection, and privacy solutions.

Solutions like these help drive digital transformation across the enterprise, enabling your organization to adapt to the growing digital economy and face evolving threats with greater confidence.

And it is this business case that you can present to get the support of top management and the board.

CipherTrust: protect your company and maximize your ROI in cybersecurity

In the challenge of ensuring an efficient ROI in cybersecurity, companies can rely on the CipherTrust Data Security Platform, which allows them to protect their infrastructure against cyber attacks.

According to IDC, more than 175 zettabytes of data will be created by 2025, and today more than half of all corporate data is stored in the cloud.

To handle the complexity of where data is stored, CipherTrust Data Security Platform provides strong capabilities to protect and control access to sensitive data in databases, files, and containers. Specific technologies include:

CipherTrust Transparent Encryption

Encrypts data in on-premises, cloud, database, file, and big data environments, with comprehensive access controls and detailed data access audit logging that help prevent the most malicious attacks.

CipherTrust Database Protection

It provides transparent column-level encryption of sensitive structured data residing in databases, such as credit card numbers, social security numbers, national identification numbers, passwords, and e-mail addresses.

CipherTrust Application Data Protection

It offers APIs for developers to quickly add encryption and other cryptographic functions to their applications, while SecOps controls the encryption keys.

CipherTrust Tokenization

It offers application-level data tokenization services in two convenient solutions that give customers flexibility: vaultless tokenization with dynamic policy-based data masking, and vaulted tokenization.

CipherTrust Batch Data Transformation

Provides static data masking services to remove sensitive information from production databases so that compliance and security issues are alleviated when sharing a database with a third party for analysis, testing, or other processing.
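The two tokenization models named above (with and without a vault), the dynamic policy-based masking that accompanies them, and the static masking used for non-production copies, shown as a toy illustration. This is an added example, not CipherTrust code: the vaultless scheme here is a keyed HMAC, which is one-way, whereas vaultless products use format-preserving encryption so the token can be reversed with the key; the card number, roles and key are constructed.

```python
"""Toy illustration of vaulted vs vaultless tokenization, dynamic policy-based
masking and static masking. Added example, not CipherTrust code. The vaultless
scheme is a keyed HMAC (one-way); real products use format-preserving
encryption so tokens can be reversed with the key. Sample values constructed."""
import hashlib
import hmac
import secrets


def vaultless_token(value: str, key: bytes) -> str:
    """Deterministic, stateless token with the same length and character class.
    Same value + same key -> same token, so joins across systems still work and
    no mapping database has to be protected."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).digest()
    width = len(value)
    return f"{int.from_bytes(mac, 'big') % 10 ** width:0{width}d}"


class TokenVault:
    """Vaulted tokenization: random tokens, with the mapping held in a store
    that itself becomes a high-value asset to protect and replicate."""

    def __init__(self) -> None:
        self._forward: dict = {}
        self._reverse: dict = {}

    def tokenize(self, value: str) -> str:
        if value in self._forward:
            return self._forward[value]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(len(value)))
            if token not in self._reverse and token != value:
                break
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._reverse[token]  # KeyError for unknown tokens


# Dynamic masking policy (constructed roles): what each role sees on read.
MASK_POLICY = {"fraud_analyst": "last4", "support": "full_mask", "payments": "clear"}


def dynamic_mask(value: str, role: str) -> str:
    """Apply the masking rule for `role`; unknown roles get the most restrictive rule."""
    rule = MASK_POLICY.get(role, "full_mask")
    if rule == "clear":
        return value
    if rule == "last4":
        return "*" * (len(value) - 4) + value[-4:]
    return "*" * len(value)


def static_mask(record: dict, sensitive_fields: set, key: bytes) -> dict:
    """Batch transformation for a copy handed to a third party: sensitive fields
    are replaced irreversibly, the rest is kept so testing and analytics still work."""
    return {k: (vaultless_token(v, key) if k in sensitive_fields else v) for k, v in record.items()}


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; a product would hold this in an HSM
    pan = "4111111111111111"       # constructed test card number
    print("vaultless :", vaultless_token(pan, key))
    vault = TokenVault()
    tok = vault.tokenize(pan)
    print("vaulted   :", tok, "->", vault.detokenize(tok))
    print("analyst   :", dynamic_mask(pan, "fraud_analyst"))
    print("3rd party :", static_mask({"pan": pan, "amount": "12.50"}, {"pan"}, key))
```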

CipherTrust Manager

It centralizes keys, management policies, and data access for all CipherTrust Data Security Platform products and is available in FIPS 140-2 Level 3 compliant physical and virtual formats.

CipherTrust Cloud Key Manager

It offers bring-your-own-key (BYOK) lifecycle management for many cloud infrastructure, platform, and software-as-a-service providers.

CipherTrust KMIP Server

It centralizes key management for the Key Management Interoperability Protocol (KMIP) commonly used in storage solutions.

CipherTrust TDE Key Manager

Centralizes key management for the transparent data encryption found in Oracle, Microsoft SQL Server, and SQL Server Always Encrypted.

The portfolio of data protection products that make up the CipherTrust Data Security Platform solution enables enterprises, seeking to improve their cybersecurity ROI, to protect data at rest and in motion across the IT ecosystem and ensures that the keys to this information are always protected and only under their control.

It simplifies data security, improves operational efficiency, and accelerates time to compliance, regardless of where your data resides.

The CipherTrust platform ensures that your data is secure, with a wide range of proven, industry-leading products and solutions for deployment in data centers, in environments managed by cloud service providers (CSPs) or managed service providers (MSPs), or as a cloud-based service managed by Thales, a leading security company.

Tool portfolio that ensures data protection

With CipherTrust Data Security Platform’s data protection products, your company achieves cybersecurity ROI in different ways:

Strengthens security and compliance

CipherTrust data protection products and solutions address the demands of a range of security and privacy requirements, including electronic identification, authentication and trust, the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Law (LGPD), and other compliance requirements.

Optimizes team and resource efficiency

CipherTrust Data Security Platform offers the broadest support for data security use cases in the industry, with products designed to work together, a single point of contact for global support, a proven track record of protecting against evolving threats, and the industry's largest ecosystem of data security partnerships.

With a focus on ease of use, APIs for automation, and responsive management, the CipherTrust Data Security Platform solution ensures that your teams can quickly deploy, secure, and monitor the protection of your business.

In addition, professional services and partners are available for design, implementation, and training assistance to ensure fast and reliable implementations with minimal staff time.

Reduces total cost of ownership

When it comes to cybersecurity ROI, CipherTrust Data Security Platform’s data protection portfolio offers a broad set of data security products and solutions that can be easily scaled, expanded for new use cases, and have a proven track record of protecting new and traditional technologies.

With CipherTrust Data Security Platform, companies can prepare their investments for the future while reducing operating costs and capital expenditures.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


How to prevent cyber attacks: Key ways to protect yourself

While cyber attacks and threats are an ongoing struggle and a major challenge for businesses, they can be avoided by knowing the various types of protocols, exploits, tools, and resources used by cybercriminals. In addition, knowing where and how to expect attacks ensures that you create preventive measures to protect your systems.

Basically, cyber attacks are executed with malicious intent, when a cybercriminal tries to exploit a vulnerability in an organization's systems or in individuals. These attacks aim to steal, alter, destroy, disable, gain access to, or make unauthorized use of an asset.

In practice, cyber attacks, threats, and vandalism are a dangerous and growing problem for companies.

Almost every modern organization depends on at least one computer network, together with the assets that make up its connectivity, such as switches, access points, and routers. On top of that sit the servers, desktops, laptops, printers, and mobile devices that complete the technological architecture.

Unfortunately, while these devices and applications offer a great benefit to the enterprise, they can also pose a risk. All it takes is inefficient asset management or an employee clicking on a malicious link, and then cybercriminals gain access to your network and infect your systems.

But this risk can be reduced.

How to prevent cyber attacks?

Preventing a breach of your network and systems requires protection against a variety of cyber attacks. For each attack, the appropriate countermeasure must be deployed to prevent it from exploiting a vulnerability or weakness.

The first line of defense for any organization is to assess and implement security controls.

1. Break the pattern of cyberattack

Preventing, detecting or stopping the cyber attack at the earliest opportunity limits the impact on business and the potential for reputational damage.

Even though it is usually the more motivated attackers who have the persistence to carry out multi-stage attacks, they often do this using common, cheaper, and easier-to-use tools and techniques.

Therefore, implement security controls and processes that can mitigate attacks, making your company a difficult target.

Likewise, take a defense-in-depth approach to mitigate risk across the full range of potential cyber attacks, giving your company more resilience to deal with attacks that use more customized tools and techniques.


2. Reduce your exposure by using critical security controls against cyber attack

Fortunately, there are effective and affordable ways to reduce your organization’s exposure to the most common types of cyber attack on Internet-exposed systems.

  • Boundary firewalls and Internet gateways – establish network perimeter defenses, particularly Web proxying, Web filtering, content scanning, and firewall policies to detect and block executable downloads, block access to known malicious domains, and prevent users' computers from communicating directly with the Internet;
  • Malware protection – establish and maintain malware defenses to detect and respond to known cyber attack code;
  • Patch management – fix known vulnerabilities with the latest software version to prevent attacks that exploit software bugs;
  • Allow list and run control – prevent unknown software from being run or installed, including AutoRun on USB and CD drives;
  • Secure configuration – restrict the functionality of each device, operating system, and application to the minimum necessary for business operation;
  • Password policy – make sure that an appropriate password policy is in place and followed;
  • User access control – limit the execution permissions of normal users and enforce the principle of least privilege.
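The first control in the list (boundary firewalls and Internet gateways) names three concrete checks: block executable downloads, block access to known malicious domains, and stop user computers from talking to the Internet directly instead of via the proxy. The following added example, which is not the page's code, applies those three checks to constructed proxy and firewall log lines; the log format, domains, addresses and block list are all constructed stand-ins.

```python
"""Gateway and firewall policy checks for the boundary controls listed above,
run over constructed proxy and firewall log lines. Added example, not the
page's code; log format, domains, addresses and block list are constructed."""
import ipaddress
import os
import re
from typing import List, NamedTuple
from urllib.parse import urlparse

# Constructed block list standing in for a site reputation feed.
KNOWN_BAD_DOMAINS = {"bad-cdn.example", "malicious.example"}
# File types the gateway should refuse to hand to users' browsers.
EXECUTABLE_EXTENSIONS = {".exe", ".msi", ".scr", ".js", ".vbs", ".ps1"}
# Constructed topology: user endpoints, the web proxy, and what counts as internal.
USER_SUBNET = ipaddress.ip_network("10.20.0.0/16")
PROXY_ADDRESSES = {ipaddress.ip_address("10.0.0.5")}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")
FIREWALL_LINE = re.compile(r"^(?P<ts>\S+) fw (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) (?P<action>\w+)$")


class Verdict(NamedTuple):
    line: str
    action: str  # "allow", "block" or "alert"
    reason: str


def check_proxy_line(line: str) -> Verdict:
    """Web-filtering rules: known-bad domains first, then executable downloads."""
    m = PROXY_LINE.match(line)
    if not m:
        return Verdict(line, "alert", "unparseable proxy record")
    url = urlparse(m["url"])
    host = (url.hostname or "").lower()
    if host in KNOWN_BAD_DOMAINS:
        return Verdict(line, "block", f"known malicious domain {host}")
    ext = os.path.splitext(url.path)[1].lower()
    if ext in EXECUTABLE_EXTENSIONS:
        return Verdict(line, "block", f"executable download ({ext})")
    return Verdict(line, "allow", "passes web filter")


def is_internal(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in INTERNAL_NETS)


def check_firewall_line(line: str) -> Verdict:
    """Flag user endpoints reaching the Internet without going through the proxy.
    The proxy itself (10.0.0.5) is outside the user subnet, so its own egress is allowed."""
    m = FIREWALL_LINE.match(line)
    if not m:
        return Verdict(line, "alert", "unparseable firewall record")
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    if src in USER_SUBNET and not is_internal(dst):
        return Verdict(line, "alert", f"user endpoint {src} reached {dst} directly, bypassing the proxy")
    return Verdict(line, "allow", "consistent with perimeter policy")


def run_checks(proxy_log: str, firewall_log: str) -> List[Verdict]:
    verdicts = [check_proxy_line(l) for l in proxy_log.splitlines() if l.strip()]
    verdicts += [check_firewall_line(l) for l in firewall_log.splitlines() if l.strip()]
    return verdicts


# Constructed sample records.
PROXY_LOG = """\
2024-05-01T09:00:01 10.20.3.14 GET http://updates.example.com/agent.msi
2024-05-01T09:00:07 10.20.3.15 GET https://intranet.example.com/index.html
2024-05-01T09:01:12 10.20.3.16 GET http://bad-cdn.example/loader.js
"""
FIREWALL_LOG = """\
2024-05-01T09:02:00 fw 10.20.3.14 -> 10.0.0.5:3128 allow
2024-05-01T09:02:03 fw 10.20.3.17 -> 203.0.113.9:443 allow
2024-05-01T09:02:05 fw 10.0.0.5 -> 203.0.113.9:443 allow
"""

if __name__ == "__main__":
    for v in run_checks(PROXY_LOG, FIREWALL_LOG):
        print(f"{v.action:<5} {v.reason}")
```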

3. Attenuate the ‘research’ stage

Any information published for open consumption should be systematically filtered before being released to ensure that anything of value to an attacker (such as software and configuration details, names/jobs/titles of individuals, and any hidden data) is removed.

Training, education, and user awareness are important. All your users must understand how published information about your systems and operation can reveal potential vulnerabilities.

They need to be aware of the risks of discussing work-related topics on social media and of the potential to be targeted by cyber attacks and phishing. They must also understand the risks to the business of releasing confidential information in general conversations, unsolicited phone calls, and unsolicited e-mails.

4. Reduce the ‘delivery’ stage

The delivery options available to an attacker can be significantly reduced by applying and maintaining a small number of security controls, which are even more effective when applied in combination:

  • Up-to-date malware protection can block malicious e-mails and prevent malware from being downloaded from websites;
  • Firewalls and proxy servers can block unsafe or unnecessary services and can also keep a list of known bad sites. Similarly, subscribing to a site reputation service to generate a list of denied sites can also provide additional protection;
  • A technically enforced password policy will prevent users from selecting easily guessed passwords and lock accounts after a specified number of unsuccessful attempts. Additional authentication measures for access to particularly confidential corporate or personal information should also be in place;
  • Secure configuration limits system functionality to the minimum necessary for business operation and should be applied systematically to all devices used to conduct business.

5. Minimize the ‘breach’ stage of the cyber attack

As with the delivery stage, the ability to successfully exploit known vulnerabilities can be effectively mitigated with just a few controls, which are best deployed together.

  • All malware depends on known and predominantly patched software flaws. Effective vulnerability patch management ensures that patches are applied at the earliest opportunity, limiting the time your organization is exposed to known software vulnerabilities;
  • Malware protection at the Internet gateway can detect known malicious code in an imported item, such as an e-mail. These measures should be complemented by malware protection at key points in the internal network and on users' computers, where available;
  • Well implemented and maintained user access controls will restrict the applications, privileges, and data that users can access. Secure configuration can remove unnecessary software and default user accounts. It can also ensure that default passwords are changed and that all automatic features that can activate malware immediately (such as AutoRun for media drives) are disabled;
  • Training, education and user awareness are extremely valuable in reducing the likelihood of successful 'social engineering'. However, with the pressures of work and the sheer volume of communications, you cannot rely on this as a control to mitigate even a commodity cyber attack;
  • Finally, the key to detecting a breach is the ability to monitor all network activity and analyze it to identify any malicious or unusual activity.

If all measures for the research, delivery and breach stages are consistently in place, most cyber attacks can be prevented.

However, if the cybercriminal is able to use tailored capabilities, you should assume that they will bypass these controls and get into your systems. Ideally, companies should have a good understanding of what constitutes 'normal' activity on their network, so that effective security monitoring can identify any unusual activity.

Once a technically capable and motivated attacker has full access to your systems, it can be much more difficult to detect their actions and eradicate their presence. This is where a complete defense-in-depth strategy can be beneficial.



Security Policies: Successful in only 41% of Companies

While cyber attacks and threats are an ongoing struggle, they can be avoided by being aware of security policies, the various types of protocols, exploits, tools and resources used by malicious people.

In addition, knowing where and how to expect attacks ensures that you are putting preventative measures in place to protect your systems.

Cyber attacks, threats and vandalism are a dangerous and growing problem for businesses. Almost every modern business requires a network of computers, servers, printers, switches, access points and routers to operate.

The primary objective of any IT security policy is to comply with all current legislation and other security requirements in order to protect the integrity of its members and the corporate data that resides in the company’s technology infrastructure.

But meeting this challenge is still the exception. This is shown by a study carried out by the Brazilian Network Information Center (NIC.br), according to which only 41% of Brazilian companies have well-established security policies against cyber attacks.

Implementing these policies is considered a best practice when developing and maintaining a cybersecurity program. As more companies develop digital programs, effective security policies are needed to effectively combat cyber attacks.

What is a security policy and why is it important in combating cyber attacks?

Basically, a security policy is a set of standardized practices and procedures designed to protect a company’s network from threats.

Typically, the first part of the cybersecurity policy focuses on the overall security expectations, roles and responsibilities in the organization. The second part may include sections for various areas of cybersecurity, such as guidelines for antivirus software or the use of cloud applications.

By default, the CISO leads the development and updates of a security policy. However, CISOs must also work with executives from other departments to create updated policies collaboratively.

Teams should start with a cybersecurity risk assessment to identify the organization's vulnerabilities and the areas of concern that are susceptible to cyber attacks and data breaches.

It is important to understand the organization’s tolerance for various security risks, highlighting concerns classified as low risk and those that threaten the survival of the organization. Staff should then consider the regulatory requirements they must meet to maintain compliance.

CISOs can then determine what level of security should be implemented for the identified security gaps and areas of concern. Remember that CISOs must match the level of protection required with the organization’s risk tolerance.

By doing so, the organization ensures that the areas with the lowest risk tolerance get the highest level of security.


What are the information security issues that cyber security policies should address against cyber attacks?

If your organization does not have an information security policy for any area of concern, security in that area is probably at risk: disorganized, fragmented and ineffective.

The issues that security policies must address differ between organizations, but some of the most important include:

Physical security

How is security handled in data centers, server rooms and terminals in company offices and elsewhere?

Physical security policies serve a wide range of purposes, including access management, monitoring and identification of secure areas.

Data retention

What data does the company collect and process? Where, how and for how long should it be stored?

Data retention policies affect several areas, including security, privacy and compliance.

Data encryption

How does the organization handle secure storage and transmission of data?

In addition to encryption objectives, data encryption policies may also discuss objectives and rules around key management and authentication.

Access control

Who can access sensitive data and what systems should be in place to ensure that sensitive data is identified and protected from unauthorized access?

Security training

Security depends as much on people as on technology and systems.

Human error contributes to many security breaches that could have been prevented if employees and executives received sufficient training.

Risk management

Information security risk management policies focus on risk assessment methodologies, the organization’s tolerance for risks across various systems, and who is responsible for threat management.

Business continuity

How will your organization react during a security incident that threatens critical business processes and assets?

Security and business continuity interact in many ways: security threats can quickly become business continuity risks, and the processes and infrastructure that companies use to keep the business running must be designed with protection in mind.

We have covered just a few key points of security policies relevant to companies in many different sectors.

But every organization differs, and the content of policies must be tailored to the unique circumstances of your business, and must evolve as circumstances change.

Commitment to key protection and compliance requirements

Eval and THALES can help you develop your company’s security policies, meeting key protection and compliance requirements.

Companies should prioritize data risks by creating a classification policy based on data sensitivity.

Policies should be developed and implemented that determine what types of information are confidential and what methods, such as encryption, should be used to protect that information.

In addition, companies should monitor the transmission of information to ensure that policies are complied with and effective.

Fortunately, new technology solutions can help companies gain full visibility of their sensitive data and strengthen their compliance with protection requirements, such as the General Data Protection Law (LGPD).

The CipherTrust data security platform enables organizations to discover their sensitive information, assess the risk associated with that data, and then define and enforce security policies.

As well as making it easier to comply with data protection law at any time, your business can save money while gaining the trust of your customers and partners.

Your business achieving compliance with help from Eval

A strong information security policy is the glue that binds all security controls and compliance requirements together and is the document that describes the protection and privacy strategy across the organization.

At the same time, it can be a great accountability tool when it comes to consumer trust. To be effective, a security policy must be accepted by the entire company to effectively manage and update the security controls needed in a world of ever-changing cyber risk.

If managed well and followed accordingly, policy management is the foundation for achieving compliance with the LGPD or any future privacy regulation.

By applying frameworks like LGPD, greater control is given back to people/consumers. This extra control goes a long way to increasing the level of trust people feel towards companies. And in turn, it can increase revenues and profits.

The LGPD requirements are much more than a checklist and if your organization processes the personal data of data subjects here in Brazil, you should take the time to explore the security controls you have in place to support the requirements of the privacy law and ensure that personal information is protected and processed appropriately.

Organizations should be transparent with their customers about their legal bases for data collection and should offer them control over whether or not they want to share their data with others.

Then, organizations must follow through and ensure that they only use the data they collect for the purposes initially described, always within the limits of the consent provided by their customers, and make sure they respect all their rights granted to them under the new legislation.

To learn more about the CipherTrust Data Security Platform, contact Eval’s experts now.


About Eval

Eval has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With market recognized value, Eval’s solutions and services meet the highest regulatory standards for public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Ransomware Attacks: Growing for Businesses and Governments

Have you heard of ransomware attacks? Chances are you have; after all, the term has become increasingly common in news reports.

The expression combines the English ransom with ware (as in software) and describes an attack in which a system is infected by malware (malicious software) that locks the machine and its files, and a payment is demanded to release them.

Cybercriminals are on the move, and organizations of every kind have fallen victim in recent years, from private companies to public bodies.

Recently, according to a note released by the government, the National Treasury suffered a ransomware attack and “the effects of the criminal action are being evaluated by security experts from the National Treasury Secretariat and the Digital Government Secretariat.”

Another victim was Lojas Renner, which suffered an attack on Thursday (19/08) and had its website and app down for two days in a row.

For the organizations that fall victim, this can lead to major financial losses, both from the ransom charged and the loss of sales and credibility.

Why are ransomware attacks on the rise?

According to research by Statista, in 2020 alone 304 million ransomware attacks were recorded worldwide, a 62% increase from the previous year.

So, with data like this in mind, and with so many reports of companies and governments falling victim to cybercriminals, the question arises: why is the number of attacks increasing?

This is because, with the advancement of technology, the way companies operate has changed. Consider three examples.


Increased virtualization

Virtualization refers to the adoption of a virtual environment for running different applications and operating systems on a single physical machine.

It is a technique used by IT (Information Technology) teams to make better use of existing infrastructure, making the business easier to scale.

However, when implementing this solution, it is important that organizations stay vigilant and look for ways to ensure security, since virtualized environments change quickly and require trained professionals to manage them properly. The hypervisor and its management interface deserve particular attention: whoever controls them controls every guest at once, which is exactly why ransomware operators target them.

Exposure of sensitive cloud data

Another change that many companies have made in recent years is the move to cloud computing.

According to a Gartner forecast, spending on public cloud services in 2021 is expected to reach $332.3 billion, a 23.1% increase compared to 2020.

This shows how fast cloud adoption is growing, and with this migration a lot of sensitive data is now stored in the cloud.

However, even if the cloud provider secures the underlying infrastructure, under the shared responsibility model the customer still owns the security of its data, identities and configuration, so you still need to develop security strategies.

Just to give an example, it is essential to establish access control policies so that information is protected.

Still according to Statista, many companies do not feel fully prepared when adopting a cloud solution, and among the main reasons are difficulties with security and governance and a lack of staff experience.

As a result, many cybercriminals may take advantage of this to carry out ransomware attacks.

Lack of deployment of protection technologies against ransomware attacks

With the previous points in mind, it is important to highlight that even though many companies are embracing digital transformation, it is also necessary to implement protection technologies such as:

  • Encryption;
  • Machine learning (ML) based threat detection;
  • Backup and disaster recovery;
  • Among others.

How to protect yourself from ransomware attacks?

In order to ensure the security of your company, it is essential to apply internal policies for all employees to follow and contribute to prevention, such as:

  • Access management (least privilege, and multi-factor authentication on every remote access path);
  • Check page URLs;
  • Be careful when clicking on links in emails;
  • Among others.

It is also extremely important to keep endpoint protection (antivirus or EDR) up to date and to make regular backups. Backups should be kept offline or in immutable storage and restore-tested, because ransomware operators deliberately seek out and encrypt or delete any backups reachable from the compromised network.

Another key strategy is to implement an encryption solution. Encryption at rest does not stop ransomware from re-encrypting or destroying your files, but when the attackers also exfiltrate data to extort you with the threat of publication, encrypted data whose keys are held outside the compromised systems remains unreadable to them.


How to choose the most suitable way to secure data against ransomware attacks?

The Thales CipherTrust Data Security Platform protects the integrity of your company’s data and preserves the structure and format of the database fields it protects, whatever the database: Oracle, SQL Server, MySQL, DB2, PostgreSQL and so on.

Simply, comprehensively and effectively, CipherTrust offers capabilities to secure and control access to databases, files and containers, and can protect assets located in cloud, virtual, big data and physical environments.

With CipherTrust, you can protect your company’s data and anonymize your sensitive assets, ensuring security for your company and avoiding future problems with data leakage.

Get in touch with Eval. Our experts will be able to help you, contributing to the development of your data protection projects and the continuous improvement of your company.



Connected Cars: Data Protection in 3 Steps

We are steadily moving towards a future where high connectivity is becoming the industry standard. This is why data security in connected cars has become a concern.

This is largely due to the increase in consumer demand, fueled by the convenience that IoT (Internet of Things) connected vehicles can offer.

This consumer demand makes sense when we consider the long-term benefits of driving or owning connected vehicles. Here are just a few of them:

  • A connected car enhances the experience of owning or using a vast array of apps and services that pair seamlessly with the smartphone the user owns;
  • Passenger and driver safety is increased and hazards are more easily avoided;
  • The driver has more control over the vehicle as well as its remote diagnostics;
  • Many routine tasks, such as parking, can be automated or partially automated;
  • Potential problems with the vehicle can be detected much earlier and money on fuel can be saved when the most efficient route is always chosen.

Consumer fears despite connected car innovation

Although the global connected car market is expected to surpass $219 billion by 2025, with 60% of automobiles expected to be connected to the internet, the industry is still facing challenges in its quest to become fully mainstream because of its main drawback: consumers’ fear of cyber attacks.

We all know that the increase in connected devices, whether vehicles or other devices, automatically increases the number of entry points and opportunities for criminals.

Considering the often very serious consequences of such attacks, this consumer fear is legitimate and needs to be addressed by the IoT industry as a whole, and especially by connected vehicle manufacturers, if they want to gain full consumer trust and adoption of their products while keeping their customers’ data safe.

Current security status of connected cars

Indeed, protective measures are being taken to set data security standards in other areas of data exchange.

For example, the General Data Protection Law (LGPD) has made a significant difference to how we experience web browsing and any interaction that involves the processing of personal data.

However, IoT service providers are not currently required to comply with any additional security laws or standards.

While some are calling for specific government legislation, there are already several companies working on solutions to increase the security of connected devices.

It is not yet clear exactly what the impact on our personal privacy will be as we embark on this connected future. What is clear, however, is that if car manufacturers themselves do not step in with some clear technologies to prevent data hacking, mismanagement or data privacy breaches, the connected car industry will continue to struggle to be accepted by the general public.

So what are the automakers themselves doing these days? Crucially, what else needs to be done to reassure users that their data is safe?

What can car manufacturers do to ensure data security in connected cars?

1. Investment in hardware security

Typically, the vehicles we are most used to seeing and driving on a daily basis have not been equipped with any kind of hardware security in the car’s own electronics.

This is because the car was never originally designed as an open system connected to external systems such as IoT devices; its electronics were designed as a closed system.

Because of this, as soon as you connect the vehicle to something external, there are not enough protections (e.g. a firewall) in place against malicious parties.

This is solved in new cars by installing something called a secure gateway.

With a secure gateway, no IoT device can interact with the vehicle’s internal networks without first passing through it, and the gateway decides which messages from external interfaces may reach the internal buses, making the exchange of data between the two parties significantly more secure.


2. Investment in software security

With the continued rise in cybersecurity incidents, automakers need to incorporate an approach to data security in connected cars that takes into account not only the obvious exposures in the car’s software, but also the hidden vulnerabilities that can be introduced by open-source software components.

Connected car software code is extremely complex to say the least, with the average car software based around 100 million lines of code.

With so much complexity comes many opportunities for vulnerabilities and an increased risk of malicious attacks from cybercriminals.

Nowadays, it’s not uncommon to hear about malware specifically designed to detect flaws in car software.

Today, several well-known car manufacturers and their software suppliers deploy testing tools that include static and dynamic application security testing (SAST and DAST).

In connected cars, these tools are used to identify coding errors that can result in software vulnerabilities and give attackers the opportunity to enable or disable certain features remotely.

While these tools are effective at detecting bugs in the code written by the carmaker’s own in-house developers, they do not identify known vulnerabilities in the open-source and third-party components that code depends on; that gap is covered by software composition analysis (SCA) run against a software bill of materials (SBOM), which matches each dependency and its version against published vulnerability databases.

This leaves many key components of today’s apps exposed, because they are made by developers working for external IoT providers rather than by the carmakers themselves.

3. User awareness and consent

In addition to protecting the car’s hardware and the vehicle’s software, it is important to emphasize the responsibility of connected car manufacturers to alert users to the importance of which devices they allow to be connected and for what purpose.

This is where user consent needs to be obtained and regulations such as the LGPD rigorously enforced.

Third-party IoT providers must clearly define why they want to interact with connected cars and what they plan to do with any data they get from the automobile, but it is the job of manufacturers to assure users of the security of their data.

Eval & Thales technology partnership: bringing trust to connected cars

As we look to our increasingly connected future, we can be sure that the relationship between vehicles and IoT is only likely to increase in complexity.

With a dedicated approach to data privacy and security, any risks of cyber attacks or misuse of data in connected cars can be significantly mitigated.

The IoT industry is growing at an exponential rate now. Traditional car companies need to adopt a safety-first approach.

This approach is necessary to take advantage of the huge strides technology can make in the lives of drivers and road users through connected vehicles.

With more than 20 years of experience in connecting vehicles, Eval and Thales’ customers benefit from their leading position in mobile connectivity standardization, serving more than 450 mobile operators worldwide.

Global automotive connectivity solutions and remote management greatly reduce supply chain complexity for automotive manufacturers while enabling easier end-user experiences over long vehicle lifecycles.

Eval and Thales’ solutions enable the use of end-user subscriptions for infotainment services in mobility and provide the technical capability for infotainment/telematics connectivity.

Leveraging proven and advanced expertise in digital security and IoT, Thales Trusted Key Manager provides connected car manufacturers with support for digital transformation, ensuring the end-to-end security of the automotive ecosystem.



Difference between encryption types for data protection

Companies can reduce the likelihood of a data breach, and thus reduce the risk of future fines under the General Data Protection Law (LGPD), if they choose to use encryption for data protection.

The processing of personal data is naturally associated with a certain degree of risk. Especially nowadays, where cyber attacks are almost inevitable for companies.

Therefore, encryption for data protection plays an increasing role in IT security for a large part of companies.

In general, encryption is the procedure that converts readable text, known as clear text or plaintext, into unreadable ciphertext using a key, such that the output becomes readable again only with the correct key.

This minimizes the risk of an incident during data processing, as the encrypted content is unreadable to third parties who do not have the key.

Encryption is the standard way to protect data in transit and a strong way to protect stored personal data. It also reduces the risk of abuse within a company, as access is limited to authorized people holding the right key.

Encryption for data protection and the LGPD: what you should know

In computing, encryption is the process by which ordinary plain text is converted into cipher text, produced in such a way that only the intended recipient can decode it; the discipline that studies these techniques is cryptography.

The reverse process, converting ciphertext back into plaintext, is known as decryption.

The main uses of cryptography are as follows:

  • Confidentiality: the information can be read only by the person for whom it is intended and by no one else;
  • Digital signature: information is signed so that its sender can be identified, with integrity and non-repudiation;
  • Integrity: the information cannot be modified in storage or in transit between sender and intended recipient without the change being detected;
  • Authentication: the identities of sender and recipient, and the source and destination of the information, are confirmed.

Types of encryption for data protection:

In general, three families of primitives come up. Strictly speaking only the first and the third are encryption, because a hash function has no key and cannot be reversed, but it is usually discussed alongside them:

  • Symmetric key cryptography

It is an encryption system where the sender and receiver of the message use a single shared key to encrypt and decrypt messages.

Symmetric key systems are faster and simpler, but the sender and recipient need to somehow exchange the key in a secure way.

The best-known symmetric ciphers are the Data Encryption Standard (DES), now obsolete and not acceptable for new systems, and its successor, the Advanced Encryption Standard (AES);

  • Hash functions

No key is used in this algorithm. A fixed-length hash value is computed from the input, and it is computationally infeasible to recover the input from it or to find a second input with the same hash. Many operating systems use hash functions so that passwords are stored as salted hashes rather than in clear text (with a slow, purpose-built password-hashing function), and hashes are the building block of integrity checks and digital signatures;

  • Asymmetric key cryptography

In this system, a key pair is used to encrypt and decrypt information. A public key is used to encrypt and a private key is used to decrypt.

The public key and the private key are different. Even if the public key is known to everyone, only the intended receiver can decrypt the message, because only he holds the private key.

Thales and E-VAL can help you comply with key LGPD requirements

To maintain confidentiality in the storage and transit of data

Encryption allows data to be stored in encrypted form, so that an attacker who obtains the stored data cannot read it without also obtaining the key.

Reliability of transmission

A conventional approach that provides this is to encrypt the transmission channel, using symmetric or asymmetric cryptography or, most often, a combination of the two.

If you use symmetric cryptography, you need a key to encrypt the information, so you then need some way of getting that key to the other party; the secure exchange of keys is the problem that has to be solved.

It is worth remembering that this method performs well.

Another way is to use asymmetric cryptography, in which the recipient’s public key encrypts the message so that it can be opened only by the recipient, who holds the corresponding private key.

The drawback of this type of use is performance, which is why in practice the two are combined: the bulk of the data is encrypted with a fresh symmetric key, and only that small key is encrypted with the recipient’s public key. This hybrid pattern is what protocols such as TLS build on.

Identity Authentication

For authenticity, that is, knowing that the sender of the message really is who they claim to be, a PKI (Public Key Infrastructure) is used: certificates issued by a trusted authority bind each public key to an identity.

The message is then digitally signed: the sender computes a hash of the message and signs it with their private key (informally described as “encrypting with the private key”). Anyone holding the corresponding public key can verify the signature, which proves that the message was produced by that sender and has not been altered since.
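As an added illustration of the three primitive families listed above and of the confidentiality, transmission and authentication uses just described, the Go program below (example code written for this page, not Eval’s or Thales’ product code) uses only the standard library: AES-256-GCM for symmetric encryption, SHA-256 as the hash, RSA-OAEP to wrap a one-off data key (the hybrid construction), and RSA-PSS over the hash for the signature. The sample record is constructed, and all function names are this example’s own.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// newGCM builds an AES-GCM AEAD; a 32-byte key selects AES-256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SymmetricEncrypt: sender and receiver share one key (the page's first type).
// Output is nonce || ciphertext || GCM tag, so the receiver also gets integrity.
func SymmetricEncrypt(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh per message; never reuse under one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// SymmetricDecrypt returns an error if even one bit of the sealed data was altered.
func SymmetricDecrypt(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// GenerateKeyPair makes the RSA pair used below (2048-bit; elliptic-curve keys are the modern choice).
func GenerateKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// HybridEncrypt is the "combination of the two" the text mentions: bulk data under a one-off
// AES key (fast), and only that 32-byte key wrapped with the recipient's public key (RSA-OAEP).
func HybridEncrypt(recipient *rsa.PublicKey, plaintext []byte) (wrappedKey, sealed []byte, err error) {
	key := make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	if sealed, err = SymmetricEncrypt(key, plaintext); err != nil {
		return nil, nil, err
	}
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	return wrappedKey, sealed, err
}

// HybridDecrypt: only the private-key holder can unwrap the AES key, and therefore the data.
func HybridDecrypt(recipient *rsa.PrivateKey, wrappedKey, sealed []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	return SymmetricDecrypt(key, sealed)
}

// Sign is what "encrypting with the sender's private key" means in practice: hash the
// message (SHA-256, the page's second type) and sign the digest with RSA-PSS.
func Sign(sender *rsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return rsa.SignPSS(rand.Reader, sender, crypto.SHA256, d[:], nil)
}

// Verify needs only the public key; success proves origin and integrity of msg.
func Verify(sender *rsa.PublicKey, msg, sig []byte) bool {
	d := sha256.Sum256(msg)
	return rsa.VerifyPSS(sender, crypto.SHA256, d[:], sig, nil) == nil
}

func main() {
	msg := []byte("constructed sample record: CPF 000.000.000-00") // constructed, not real data
	priv, err := GenerateKeyPair()
	if err != nil {
		panic(err)
	}
	wrapped, sealed, err := HybridEncrypt(&priv.PublicKey, msg)
	if err != nil {
		panic(err)
	}
	sealed[len(sealed)-1] ^= 1 // flip one bit of the GCM tag: decryption must now fail
	_, err = HybridDecrypt(priv, wrapped, sealed)
	sig, _ := Sign(priv, msg)
	fmt.Println("tamper rejected:", err != nil, "signature valid:", Verify(&priv.PublicKey, msg, sig))
}
```

Run it with `go run`. Two design points matter in practice: the symmetric key and the RSA private key are generated in memory here for illustration only, whereas a deployed system keeps them in a KMS or HSM so that a compromised application server does not also leak the keys; and the GCM tag check in SymmetricDecrypt is what turns “encryption” into integrity protection, which plain AES in CBC or ECB mode would not give you.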

Why is encryption for data protection crucial for GDPR compliance?

While there are no explicit encryption requirements in the General Data Protection Law (LGPD), the legislation does require you to apply security measures and safeguards.

The LGPD highlights the need to use appropriate technical and organizational measures for personal data security.

Because encryption for data protection makes information unreadable and unusable to anyone without a valid cryptographic key, an encryption strategy can be extremely beneficial to your company in the event of a data breach and in meeting the requirements of the LGPD.

Remember the LGPD requirement to notify the affected customers (and the authority) about a security incident?

By encrypting your data, you reduce the chance of having to fulfil this obligation after a cyber attack or another kind of incident.

Information is not meaningfully “breached” if the data is unintelligible to the attacker, which holds only if the keys were kept separate from the data and were not compromised along with it.

How to choose the most appropriate way to ensure data security?

The Thales CipherTrust Data Security Platform protects the integrity of your company’s data and preserves the structure and format of the database fields it protects, whatever the database: Oracle, SQL Server, MySQL, DB2, PostgreSQL, you name it.

Simple, comprehensive and effective, CipherTrust provides capabilities to secure and control access to databases, files and containers, and can protect assets located in cloud, virtual, big data and physical environments.

With CipherTrust, you can protect your company’s data and anonymize your sensitive assets, ensuring security for your company and avoiding future problems with data leakage.



Suddenly LGPD: 10 questions and answers your company needs to know to meet the requirements of the Data Protection Act

It may seem controversial to imagine that suddenly the General Law of Data Protection (LGPD), will come into force throughout the country. After all, Law No. 13,709/2018, which defines the new legislation, was sanctioned on August 14, 2018, establishing an 18-month adaptation period, scheduled to begin in 2020.

However, the law went through postponements in the same year it was to take effect (2020), and then it was expected to be extended to 2021 due to the COVID-19 pandemic.

But, between comings and goings in the National Congress and presidential approvals and vetoes, we are expecting the Law to come into effect at any moment. Unfortunately, these changes generate a lot of instability regarding the new legislation and a risk that can directly impact the main objective of the law: the protection and privacy of Brazilians.

In addition to the definition (or lack of a clear definition) of the effective date of the LGPD, the Federal Government has recently established the structure of the National Data Protection Authority (ANPD), the body responsible for overseeing the protection of personal data, elaborating guidelines for the National Policy on Personal Data Protection and Privacy, inspecting and applying sanctions in cases of non-compliance with the legislation, among other duties defined in Law 13,709.

Expectations aside, companies and organizations need, more than ever now, to be prepared for the requirements that will soon be imposed by data protection law. Despite all this transition period, there are still questions about the LGPD that companies need to understand in order to comply with the new legislation.

To help clarify the main doubts, we have put together a list of the most important questions and answers so that you can adapt the LGPD to your business.

Questions and answers about LGPD that your company needs to know to comply with the data protection law

Although there is no universal checklist applicable to all cases, some problems arise more frequently than others. And these questions and answers about the LGPD will be relevant for years to come, as the new legislation has no expiration date.

#1. Are you a data controller or data processor – do you determine the purposes and means of the processing of personal data or do you process personal data on behalf of another party?

Answering this question is crucial to determining the scope of your obligations under data protection law. Of all the questions and answers about the LGPD, this one will probably guide you to most of the actions that need to be taken going forward.

Data controllers decide what data is collected, for what purpose, how it is processed, and for how long. This means that you are responsible for fulfilling a wide range of obligations, such as protecting the data, meeting the objectives of, for example, data minimization and processing transparency. You are also the one who has the obligation to respond to and facilitate the exercise of the data subject’s rights.

On the other hand, if you are a data processor, you process data on behalf of a controller and only within the scope that it has determined. Therefore, you cannot make decisions about what personal data is processed and how. Your primary duty is to protect the data you process from unauthorized access, modification, etc.

#2. Do you perform all processing activities yourself or do you use third-party processing services, such as server rental?

If you use a third-party processing service, you must enter into a specific written agreement (including in electronic form), which should regulate in particular the object and duration of the processing, the nature and purpose of the processing, the types of personal data and categories of data subjects, and the obligations and rights of the controller.

Remember that even if you do not process the data yourself, you are still responsible for the processing. Choose only those companies that guarantee to implement appropriate technical and organizational processing measures to meet the requirements of the LGPD and ensure data protection.

The set of questions and answers about the LGPD also apply to third-party companies.

#3. Who can access your company’s personal data? Are there different levels of access for different positions?

The fact that you, as the controller or processor, have the right to process the data does not mean that all your employees can access it – it should only be the people whose position within your company requires that they have these rights.

Remember to specify the scope of the authorization – what kind of data they can access (e.g. customer data, employment-related data) and what they can do with the data. Some people will need to have full access, including the right to enter, modify or delete the data, while for others just the right to view the data will be sufficient.

#4. Is all the data you collect really necessary for the purpose of your processing?

One of the main rules of personal data protection is data minimization. It obliges the controller to limit – by default – to the minimum necessary the amount of personal data collected, as well as the extent of its processing, the period of its storage, and its accessibility.

Remember to take this into account when auditing your databases and when designing new data flows (creating forms, making decisions about activity tracking, etc.).

#5. How is the collected data used – what is the purpose of processing personal data?

Data may only be processed for specified, explicit, and legitimate purposes and may not be processed in a way incompatible with those purposes.

#6. Do you collect sensitive data – such as health records, data on racial or ethnic origin, religious or philosophical beliefs, etc.?

Processing sensitive data is prohibited by default and can happen only in specific circumstances described in the LGPD, so a general recommendation would be to avoid processing such data altogether. If this is not possible, seek legal advice to identify remedies that provide a legal basis for processing such data.

#7. Have you checked whether there are processes in your company that require a data protection impact assessment to be performed?

Such an assessment must be carried out in the case of processing that – taking into account its nature, scope, context and purposes – is likely to result in a high risk to the rights and freedoms of individuals, in particular due to the use of new technologies.

It may be necessary in specific cases, including:

  • The systematic and comprehensive assessment of personal aspects relating to natural persons that is based on automated processing, including profiling, and upon which decisions that produce legal effects on the natural person or significantly affect him/her are based.
  • The processing of sensitive data on a large scale.
  • The systematic monitoring of a publicly accessible area on a large scale.

#8. How will the right to data portability be handled? In what format will the data be provided to the data subject or to another controller at the data subject’s request?

The right to data portability can be exercised when the data subject has provided the data to the controller, the processing is performed by automated means, and the processing rests on one of the following legal bases: the data subject’s consent or a contract to which the data subject is a party.

It allows the data subject to request a copy of their data in a structured, common, and readable format. The LGPD does not provide further specifications of this format, so it is up to the controller to choose it, keeping in mind that the data subject may request that the data be transmitted directly to another controller.

#9. How can a user request access to his/her data, including receiving a copy of his/her personal data being processed? Will this process be conducted manually or automatically? In what format will the copy be provided?

The data subject may ask the controller for a copy of his or her personal data being processed. When this right is exercised for the first time, the controller must provide this copy free of charge, but in case of further requests, the controller may charge a reasonable fee based on administrative costs.

Unless otherwise requested by the data subject, if the request is made by electronic means, the information must also be provided in electronic format.

In preparing for the data subject to exercise their data rights, the controller must ask itself a handful of important questions, the most important being:

  • How the request can be made – through a dedicated website with a request form and instructions, or, for example, by e-mail;
  • Whether the process will be handled manually or automatically;
  • If manually, whether there are enough trained personnel to handle the incoming workload;
  • Whether the existing procedures and organizational means allow such requests to be met without undue delay.

#10. Will data be shared with third parties, including within your group? When, how, on what legal basis?

When you are the data controller, sharing data with other entities can take two forms:

  • The processing will be carried out on your behalf, you specify its purpose, duration, the obligations of the processor, and so on – in this case you need to conclude a contract regulating all these issues with the processor, and you do not have to ask the data subject for his or her consent to do so;
  • Your company loses control over the data it shares and its processing, and the recipient becomes an independent controller of that data – in which case you will need a legal basis for sharing personal data (e.g. consent from the data subject specifying with whom you share the data and for what purpose).

Questions and answers about the LGPD that went beyond the basic concept

Basic questions like “What is LGPD?”, ” What is personal and confidential data?”, “When does LGPD go into effect?” have been left out to show that data protection law is directly linked to your company’s business processes, and therefore the goal of data protection law implementation should be something more in-depth.

This means that questions and answers about the LGPD should also cover tools and measures such as the adoption of electronic signatures, encryption and training, among other points not covered in our list. It is necessary to go further.

With a little over a year to go, companies need to keep an eye on the next steps of the General Data Protection Law, that is, carrying out the necessary compliance actions before the LGPD goes into effect.

Companies like EVAL help you implement your strategy to meet expected requirements before LGPD takes effect with solutions to assess risks, enforce policies, protect data, respond to incidents and requests, and prove compliance.

EVAL can help your company unify business operations with data protection and security, enabling risk measurement across the organization to assist in implementing a comprehensive LGPD compliance plan.

About Eval

EVAL has been developing projects in the financial, health, education and industry segments for over 18 years. Since 2004, we have offered Authentication, Electronic and Digital Signature and Data Protection solutions. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


ANPD and LGPD: The Importance of Law 13.853

On July 8, 2019, Law No. 13,853 was published in the Federal Official Gazette (DOU) with the purpose of formalizing the creation of the National Data Protection Authority (ANPD).

Basically, the ANPD as a national authority and public administration body is responsible for ensuring, implementing and enforcing compliance with the General Data Protection Law (LGPD) throughout the national territory.

According to the LGPD, the National Data Protection Authority is composed of:

  1. Board of Directors
  2. National Council for the Protection of Personal Data and Privacy
  3. Internal Affairs
  4. Ombudsman
  5. Own legal advisory body
  6. Administrative units and specialized units necessary for the implementation of the LGPD

In addition, the Board of Directors of the ANPD shall be composed of five (5) directors, including the Chief Executive Officer.

But Law 13.853 did not consist only of the creation of the ANPD; it went further and established important changes for companies that need to adapt to the requirements of the General Data Protection Law.

The approved modifications were fundamental for the applicability of the LGPD: without the creation of the ANPD, the law risked becoming practically unworkable, departing from a supervisory model that has proven effective worldwide.

LGPD requirements: law 13.853 went beyond the creation of the National Data Protection Authority – ANPD

The General Data Protection Law provides, among several competences, that the ANPD must ensure the protection of personal data and develop guidelines for the National Policy for the Protection of Personal Data and Privacy.

Therefore, the National Data Protection Authority bears a great responsibility for supervising the requirements defined by the LGPD, which companies must meet when the new legislation comes into force in 2021.

In addition to consolidating the creation of the ANPD, Law 13.853 was responsible for solidifying important changes provided for by data protection and privacy legislation:

  • The law provides that data protection is of national interest, avoiding the proliferation of state and municipal laws that attempt to regulate the matter;
  • The data protection officer (encarregado) may be a legal person, and may be appointed by the operator as well as by the controller. In the original version, this appointment was exclusive to the controller and the officer had to be a natural person;
  • With the changes, the law excludes the obligation to inform the data subject in cases of processing of personal data to comply with a legal or regulatory obligation or when carried out by the public administration, for the execution of public policies provided for in rules or contracts;
  • It expands the hypotheses of communication and shared use of sensitive data related to health, explaining the scope to those related to pharmaceutical care and auxiliary services of diagnosis and therapy. In addition, also in cases of portability requested by the holder, or for financial and administrative transactions resulting from the use and provision of said services;
  • Health insurance companies are prohibited from using health data for risk selection, or for the purpose of hiring or excluding beneficiaries;
  • It allows the controller to waive the communication to the other processing agents with which it shared the data when that data has undergone correction, deletion, anonymization or blocking, where such communication proves impossible or represents a disproportionate effort;
  • It establishes conditions for cases of sharing personal data, contained in databases in government agencies, to private entities;
  • It introduces the possibility of direct conciliation between the data controller and the data subject, in cases of individual leaks or unauthorized access, prior to the application of legal sanctions;
  • Establishes the need for the members of the ANPD Board of Directors, chosen by the President of the Republic, to be approved by the Federal Senate;
  • It defines rules for the composition of the ANPD, its attributions and the origin of its revenues;

The ANPD has several roles and responsibilities, including investigating organizations that have suffered data breaches, imposing penalties where appropriate, and generally auditing companies for their data collection and storage practices.


How does ANPD support the General Data Protection Law and businesses?

As the national authority responsible for overseeing and applying sanctions in case of non-compliance with data protection and privacy legislation, the National Data Protection Authority also aims to promote good practices in the processing of personal data and guidance on data protection.

In practice, the publication of law 13.853, creating the ANPD, consolidates the legal bases for processing, data auditing and privacy policies, aiming to ensure that the personal data of customers and employees are processed legally.

The importance of the ANPD for business

The publication of Law 13.853 was fundamental for companies that already face several challenges in their routine search for information security in their business processes.

There are often time constraints, budget limits and more pressing operational concerns that take priority over cybersecurity.

There are other issues as well, such as a lack of knowledge about data protection and privacy, which directly affects the difficult journey of meeting the requirements of the LGPD.

Therefore, the National Data Protection Authority should help companies understand their data protection responsibilities by providing resources, support and guidance, tailored to the needs of organizations according to their segment, size and applicability of data protection law.

In addition, the ANPD should also promote awareness among the population of public rules and policies on personal data protection and security measures, prepare studies on national and international practices on personal data protection and privacy, and encourage the adoption of standards for services and products that facilitate control over their personal data, which should take into account the specificities of the activities and the size of those responsible.

Indeed, technology is driving changes in the social, political, legal and commercial environment that the National Data Protection Authority needs to regulate.

The most significant data protection risks for individuals are now driven by the use of new technologies and so the role of the ANPD will be key throughout this process.

With just over a year to go, companies need to be aware of the next steps of the LGPD. That is, the implementation of the necessary compliance actions in accordance with the law.



LGPD Compliance Project: 4 steps to implement it

The essential step to implement a LGPD (General Data Protection Law) compliant project and comply with the new data management rules is to thoroughly inventory the personal data being collected in your business.

Basically, it is answering questions about data use like: “What do we have? Where is it? What could be interpreted as protected information?”

This information includes anything that can be used to identify a person, such as name, phone number, address, and even whether that person prefers to use a 12-hour or 24-hour format.

But this process is not an easy job. Personal data covered by the LGPD and other new privacy laws do not only appear in well-defined database fields. Other important steps are needed to implement an LGPD-compliant project.

Data management is just the first step towards LGPD compliance

Whether created in a commercial or social context, data protection is a concept everyone should be familiar with.

While some specifics of the implementation of the data protection law’s requirements are still being defined, the introduction of the LGPD has certainly coincided with, if not provoked, an upward trend of individuals becoming more zealous about their right to privacy.

Consumer concerns about privacy mean that investing in a data protection program brings far more value than simply protecting businesses from legal action or financial penalties.

Perhaps most important when implementing an LGPD-compliant project is the need to maintain brand reputation and consumer trust.

As consumers become more willing to shift their loyalty to a company that securely protects their data, businesses can confidently leverage their LGPD compliance to secure competitive advantage.

Going beyond the basics: 4 steps to implement an LGPD-compliant project

As organizations look to update the way they use data and create more efficient processes to preserve data subjects’ rights, various data protection-related activities can be consolidated into a broader information control program.

Such a program should do more than simply enshrine compliance with data protection legislation for an exercise designed to avoid regulatory fines:

  • Step 1 – Governance: ensures compliance with the rules laid down by law and guides employees accordingly.
  • Step 2 – Legal: establish the legal basis for each processing activity – consent, contract, legal obligation, vital interests, public task or legitimate interests.
  • Step 3 – Technology: data accuracy – all data held must be accurate and up-to-date.
  • Step 4 – Cybersecurity: secure the infrastructure of the service provided, giving users the conditions to preserve and manage the privacy, collection and processing of their personal data.

Data protection law covers all parts of an organization’s operations. To maximize the business gains from LGPD compliance, companies should extend the breadth of their data protection programs to incorporate information security into the design of business applications and technical infrastructure.

Legislation leads to a business value proposition in data protection and privacy

The LGPD legislation mandates that at the design stage of any processing operation, as well as at the time of the processing itself, companies implement appropriate technical and organizational measures designed to implement data protection effectively and integrate the necessary safeguards for data processing.

Therefore, those responsible for developing and delivering data systems need to look at how proper implementation of privacy can promote business as well as protect it from fines, and propose this as a business enabler.

The business objective of different organizations will vary, but changes will be required at the data and code level, so this will likely need to be driven by information security professionals with a good understanding of the business.

The business benefits of privacy and data protection therefore need to be identified and presented in a commercial context as a positive enabler rather than a cost to avoid fines.

This is an opportunity for information security professionals to highlight the financial benefits that come with these enhanced security measures and engaging with the business can only help.

While the additional cost of designing in security is not discretionary, working on an LGPD-compliant project can increase investment support and raise the profile and perceived value of the security function, defining and developing the company’s business maturity.

Translating requirements into a successful LGPD-compliant project

A high-maturity organization will have clearly defined governance roles and responsibilities, risk management agreed with managers, and data privacy risks prioritized and mitigated effectively with all the right data controls in place so that there is minimal likelihood of a data breach.

However, the benefit of reducing risk will only be achieved if it is underpinned by a deep understanding of the business, its operations, strategic initiatives and future plans.

To prevent an LGPD-compliant project from failing, and to secure buy-in for the changes that data protection law requires, it is important to demonstrate that achieving compliance has the benefit of reducing risk.

Instead of focusing on the implications of non-compliance, companies should use business scenarios and technology tools that reduce the impact of data exposure, such as including digital signatures in their processes and technological resources.

Ultimately, business gains will be better realized if the motivation for compliance is to protect the organization, rather than external pressure for change.



Secure data sharing: The Grand Challenge in Health

Despite the numerous benefits of secure data sharing, data protection and privacy will be the major challenge for healthcare organizations to overcome.

It is not only about adopting technologies such as electronic medical record systems; policies and processes are involved, as well as user awareness.

Indeed, data protection and confidentiality are top priorities in the IT sector, and in healthcare it will be no different. But it is not always easy to achieve these goals on a large scale.

It is no wonder that secure data sharing in healthcare is considered the big hurdle for the coming years.

Always keep patient safety in mind

For many health and IT security experts, data sharing in healthcare is a “double-edged sword”.

On the one hand, managers and doctors want innovation in healthcare and for patients to be able to decide what data they want to share and with whom they want to share it.

On the other hand, technology professionals want to ensure data protection and privacy, and therefore when patients allow the sharing of their medical information, they should fully understand what is happening with their data and where that information travels.

Data privacy can become a trap

To give you an idea, 80% of behavioral health apps in the Apple App Store share information with third parties.

Determining who has access to this data once it is shared can be difficult, especially if an end-user license agreement is involved.

Have you read the Facebook end user license agreement? It would probably take hours. So when we talk about secure data sharing, a user license agreement that takes hours to read and understand is not consent with data protection and privacy in mind.

This concern also applies to healthcare institutions. The rules adopted for the storage and use of data by these organizations will also have a significant impact on patients’ lives, putting the permission to share data directly in their hands.

Ultimately, existing legislation has reduced the risk of information sharing between healthcare organizations, but once a patient consents to sharing their medical data with a third party, the General Data Protection Law (LGPD) may not apply when problems arise.

Investment in data protection and privacy is critical, but it is only one stage towards secure sharing.

Today, operating systems and healthcare solutions are better protected and attackers have shifted their attention to the human element, aiming to break into the organization’s information systems.

As the number and frequency of cyber attacks designed to take advantage of innocent people are increasing, the importance of the human factor in information security management cannot be underestimated.

To combat cyber-attacks designed to exploit the human factor in the data protection and privacy chain, it is paramount to treat information security as a means of reducing the risks to health information that arise from user-related vulnerabilities.

Education, policies and processes as the key to safe sharing

In October 2019, a health system in Alabama, in the United States, was the victim of a ransomware attack that left it unable to accept new patients at three hospitals. An undisclosed amount was paid to the attackers to restore the hospitals’ operations.

But investment in data protection and privacy through technology is not the only thing to be done to reduce the risks and attacks that are bound to occur in this new decade. Technological resources are just the “tip of the iceberg” to ensure secure data sharing.

Often, for an attack to succeed or for data to be shared inappropriately, malware needs the help of a user to get into the computer.

In the context of information security, social engineering is the use of techniques to manipulate individuals into divulging confidential business or personal information that can be used for fraudulent purposes.

In other words, people can be misled into disclosing strategic information that they otherwise would not.

Common vectors of attack on users include:

  • Phishing: fake emails to trick people into clicking on a link or opening an attachment that carries a malware payload;
  • Social media: Social media can be a powerful vehicle to convince a victim to open an image downloaded from a website or take other compromising actions;
  • Instant messaging: instant messaging accounts can be compromised by cybercriminals and used to distribute malware to the victim’s contact list;
  • Smishing (SMS phishing): text messages that lure recipients to a website or get them to enter personal information on their devices.

Organizations should conduct regular training to help employees avoid common pitfalls of malware and other threats.


And to achieve this goal, there is a wide variety of methods for information security awareness, such as web-based training materials, contextual training and embedded training.

Why do healthcare institutions need IT security policies and procedures?

The goal behind IT Security Policies and Procedures is to address threats, implement strategies on how to mitigate them and how to recover from threats that have exposed a part of your organization.

IT security policies and procedures provide a roadmap for employees on what to do and when to do it. Remember, for example, the annoying password management policies that every company has.

If such policies and procedures did not exist, how common would it be for people to use simple, easy-to-guess passwords that ultimately expose the organization to a greater risk of data theft and/or data loss?

An organization’s information security policies are usually high-level concepts that can cover a large number of security controls.

Issued by the company to ensure that all employees using information technology assets within the organization comply with established rules and guidelines, the information security policy is designed so that everyone recognizes that there are rules by which they will be held accountable regarding the sensitivity of corporate information and IT assets.

Secure data sharing in healthcare is the convergence of technology and awareness

Senior management in healthcare institutions plays an important role in protecting assets and sharing information in an organization.

Executive management can support the IT security objective by setting security goals and priorities and ensuring the necessary investments for data protection and privacy.

However, even with resources such as certificates and digital signatures, tools such as antivirus and firewalls, and personnel specialized in information security, end users still have a daily responsibility to protect information assets, through security policies and processes that have been defined, communicated and enforced.

End-user compliance with security policies is essential to maintaining information security in an organization. In healthcare, this group is primarily responsible for securing the medical information of patients and their families at what can be considered the most fragile times in a person’s life.
