Categories
Data Protection

How to prevent cyber attacks: Key ways to protect yourself

While cyber attacks and threats are an ongoing struggle and a major challenge for businesses, they can be avoided by knowing the various types of protocols, exploits, tools, and resources used by cybercriminals. In addition, knowing where and how to expect attacks lets you put preventive measures in place to protect your systems.

Basically, a cyber attack is executed with malicious intent when a cybercriminal tries to exploit a vulnerability in an organization’s systems or in individuals. These attacks aim to steal, alter, destroy, disable, gain unauthorized access to, or make use of an asset.

In practice, cyber attacks, threats and vandalism are a dangerous and growing problem for companies.

Almost every modern organization requires at least one computer network, and the assets that make up its connectivity structure, such as switches, access points, and routers, to operate its IT infrastructure. On top of that, a computing estate of servers, desktops, laptops, printers, and mobile devices completes the technology architecture.

Unfortunately, while these devices and applications offer a great benefit to the enterprise, they can also pose a risk. All it takes is inefficient asset management or an employee clicking on a malicious link, and then cybercriminals gain access to your network and infect your systems.

But this risk can be reduced.

How to prevent cyber attacks?

Preventing a breach of your network and systems requires protection against a variety of cyber attacks. For each attack, the appropriate countermeasure must be deployed to prevent it from exploiting a vulnerability or weakness.

The first line of defense for any organization is to assess and implement security controls.

1. Break the pattern of cyberattack

Preventing, detecting or stopping the cyber attack at the earliest opportunity limits the impact on business and the potential for reputational damage.

Even though it is usually the more motivated attackers who have the persistence to carry out multi-stage attacks, they often do this using common, cheaper, and easier-to-use tools and techniques.

Therefore, implement security controls and processes that can mitigate attacks, making your company a difficult target.

Likewise, take a defense-in-depth approach to mitigate risk across the full range of potential cyber attacks, giving your company more resilience to deal with attacks that use more customized tools and techniques.

2. Reduce your exposure by using critical security controls against cyber attack

Fortunately, there are effective and affordable ways to reduce your organization’s exposure to the most common types of cyber attack on Internet-exposed systems.

  • Boundary firewalls and Internet gateways – establish network perimeter defenses, particularly Web proxying, Web filtering, content scanning, and firewall policies, to detect and block executable downloads, block access to known malicious domains, and prevent users’ computers from communicating directly with the Internet;
  • Malware protection – establish and maintain malware defenses to detect and respond to known attack code;
  • Patch management – fix known vulnerabilities by running the latest software versions, to prevent attacks that exploit software bugs;
  • Allow list and run control – prevent unknown software from being run or installed, including via AutoRun on USB and CD drives;
  • Secure configuration – restrict the functionality of each device, operating system, and application to the minimum necessary for business operation;
  • Password policy – make sure that an appropriate password policy is in place and followed;
  • User access control – limit the execution permissions of normal users and enforce the principle of least privilege.

3. Attenuate the ‘research’ stage

Any information published for open consumption should be systematically filtered before being released to ensure that anything of value to an attacker (such as software and configuration details, names/jobs/titles of individuals, and any hidden data) is removed.

Training, education, and user awareness are important. All your users must understand how published information about your systems and operation can reveal potential vulnerabilities.

They need to be aware of the risks of discussing work-related topics on social media and of the potential to be targeted by cyber attacks, including phishing. They must also understand the risk to the business of releasing confidential information in general conversations, unsolicited phone calls, and e-mails.

4. Reduce the ‘delivery’ stage

The delivery options available to an attacker can be significantly reduced by applying and maintaining a small number of security controls, which are even more effective when applied in combination:

  • Up-to-date malware protection can block malicious e-mails and prevent malware from being downloaded from websites;
  • Firewalls and proxy servers can block unsafe or unnecessary services and can also keep a list of known bad sites. Similarly, subscribing to a site reputation service to generate a list of denied sites can also provide additional protection;
  • A technically enforced password policy will prevent users from selecting easily guessed passwords and lock accounts after a specified number of unsuccessful attempts. Additional authentication measures for access to particularly confidential corporate or personal information should also be in place;
  • Secure configuration limits system functionality to the minimum necessary for business operation and should be applied systematically to all devices used to conduct business.
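As an added illustration of the “technically enforced password policy” item above (example code written for this page, not part of the original post or of any Eval or Thales product), the block below rejects easily guessed passwords and locks an account after a fixed number of consecutive failed attempts. The length, the tiny common-password denylist, the attempt threshold and the lockout duration are constructed assumptions; a real deployment would take them from organizational policy and a breach-derived password list.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed policy parameters (assumptions for this example).
MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

# Constructed denylist; a real one is loaded from a large breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein"}


def password_policy_violations(password: str, username: str = "") -> List[str]:
    """Return the policy rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # Pure-alphabetic or pure-numeric strings are trivially brute-forced.
    if re.fullmatch(r"[A-Za-z]+", password) or re.fullmatch(r"\d+", password):
        problems.append("uses a single character class")
    return problems


@dataclass
class LockoutTracker:
    """Counts consecutive failed logins per account and locks after a threshold."""

    failures: Dict[str, int] = field(default_factory=dict)        # user -> consecutive failures
    locked_until: Dict[str, float] = field(default_factory=dict)  # user -> unix time lock expires

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Register a failed attempt at time `now`; return True if the account is locked."""
        if self.is_locked(user, now):
            return True
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if count >= MAX_FAILED_ATTEMPTS:
            # Lock the account and reset the counter so a fresh window starts after expiry.
            self.locked_until[user] = now + LOCKOUT_SECONDS
            self.failures[user] = 0
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login clears the consecutive-failure counter."""
        self.failures.pop(user, None)


def simulate_brute_force(user: str, attempts: int, start: float = 0.0) -> Optional[float]:
    """Replay `attempts` bad logins one second apart; return when the lock expires, or None."""
    tracker = LockoutTracker()
    for i in range(attempts):
        if tracker.record_failure(user, start + i):
            return tracker.locked_until[user]
    return None
```

The `now` parameter is passed explicitly rather than read from the clock so the behaviour is deterministic and testable; a login service would pass `time.time()`.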

5. Minimize the ‘breach’ stage of the cyber attack

As with the delivery stage, the ability to successfully exploit known vulnerabilities can be effectively mitigated with just a few controls, which are best deployed together.

  • All malware depends on known, and predominantly already patched, software flaws. Effective vulnerability patch management ensures that patches are applied at the earliest opportunity, limiting the time your organization is exposed to known software vulnerabilities;
  • Malware protection at the Internet gateway can detect known malicious code in an imported item, such as an e-mail. These measures should be complemented by malware protection at key points in the internal network and on users’ computers, where available;
  • Well implemented and maintained user access controls will restrict the applications, privileges, and data that users can access. Secure configuration can remove unnecessary software and default user accounts. It can also ensure that default passwords are changed and that all automatic features that can activate malware immediately (such as AutoRun for media drives) are disabled;
  • Training, education and user awareness are extremely valuable in reducing the likelihood of successful ‘social engineering’. However, with the pressures of work and the sheer volume of communications, you cannot rely on it alone as a control to mitigate a cyber attack;
  • Finally, the key to detecting a breach is the ability to monitor all network activity and analyze it to identify any malicious or unusual activity.

If all measures for the research, delivery and breach stages are consistently in place, most cyber attacks can be prevented.

However, if the cybercriminal is able to use tailored tools and techniques, you should assume that they will bypass these controls and get into your systems. Ideally, companies should have a good understanding of what constitutes ‘normal’ activity on their network, so that effective security monitoring can identify any unusual activity.
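The last bullet of the breach stage and the paragraph above both come down to the same mechanism: learn what ‘normal’ looks like and alert on deviations. The block below is an added example written for this page (not code from the original post or from Eval or Thales) that builds a per-user baseline of source addresses and login hours from a constructed historical log, then runs three simple rules over a constructed monitoring window: a login from a source never seen for that user, a login outside the user’s usual hours, and a burst of failed logins from one source (the classic password-guessing signature). The log format, the threshold and the one-hour tolerance are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Assumed log format for this example: one authentication event per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) action=(?P<action>\S+) result=(?P<result>\S+)$"
)

# Constructed historical lines that establish what "normal" looks like.
BASELINE_LOG = """\
2024-03-04T09:12:33 user=alice src=10.0.0.5 action=login result=ok
2024-03-04T17:40:02 user=alice src=10.0.0.5 action=login result=ok
2024-03-05T08:55:10 user=alice src=10.0.0.5 action=login result=ok
2024-03-04T10:01:44 user=bob src=10.0.1.9 action=login result=ok
2024-03-05T10:15:03 user=bob src=10.0.1.17 action=login result=ok
"""

# Constructed lines from the monitoring window under analysis.
CURRENT_LOG = """\
2024-03-06T09:03:21 user=alice src=10.0.0.5 action=login result=ok
2024-03-06T03:14:07 user=alice src=203.0.113.77 action=login result=ok
2024-03-06T11:20:00 user=bob src=198.51.100.2 action=login result=fail
2024-03-06T11:20:04 user=bob src=198.51.100.2 action=login result=fail
2024-03-06T11:20:09 user=carol src=198.51.100.2 action=login result=fail
2024-03-06T11:20:13 user=dave src=198.51.100.2 action=login result=fail
2024-03-06T11:20:18 user=bob src=198.51.100.2 action=login result=fail
2024-03-06T10:30:45 user=bob src=10.0.1.9 action=login result=ok
"""

FAILED_LOGIN_THRESHOLD = 5  # assumed: failures from one source in the window that trigger an alert
HOUR_TOLERANCE = 1          # assumed: hours of slack around previously seen login hours


def parse(log: str) -> List[dict]:
    """Parse log text into event dicts; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count these as their own signal
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def build_baseline(events: List[dict]) -> Tuple[Dict[str, Set[str]], Dict[str, Set[int]]]:
    """Per user: source addresses and hours-of-day seen in successful logins."""
    srcs: Dict[str, Set[str]] = defaultdict(set)
    hours: Dict[str, Set[int]] = defaultdict(set)
    for ev in events:
        if ev["action"] == "login" and ev["result"] == "ok":
            srcs[ev["user"]].add(ev["src"])
            hours[ev["user"]].add(ev["ts"].hour)
    return srcs, hours


def detect_anomalies(baseline_log: str, current_log: str) -> List[Tuple[str, str]]:
    """Return (rule, detail) alerts for activity that deviates from the baseline."""
    srcs, hours = build_baseline(parse(baseline_log))
    alerts: List[Tuple[str, str]] = []
    failures_per_src: Dict[str, int] = defaultdict(int)
    for ev in parse(current_log):
        if ev["action"] != "login":
            continue
        if ev["result"] == "fail":
            # Rule 3: many failures from one source, regardless of which accounts were tried.
            failures_per_src[ev["src"]] += 1
            if failures_per_src[ev["src"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(("failed-login-burst", ev["src"]))
            continue
        user = ev["user"]
        # Rule 1: successful login from a source this user has never used before.
        if user in srcs and ev["src"] not in srcs[user]:
            alerts.append(("new-source", f"{user} from {ev['src']}"))
        # Rule 2: successful login outside the user's usual hours (with tolerance).
        if user in hours and not any(abs(ev["ts"].hour - h) <= HOUR_TOLERANCE for h in hours[user]):
            alerts.append(("unusual-hour", f"{user} at {ev['ts'].hour:02d}:00"))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect_anomalies(BASELINE_LOG, CURRENT_LOG):
        print(f"ALERT {rule}: {detail}")
```

Each rule on its own produces noise (a travelling employee trips “new-source”); the value comes from correlating them, which is why the function returns structured alerts rather than a verdict.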

Once a technically capable and motivated attacker has full access to your systems, it can be much more difficult to detect their actions and eradicate their presence. This is where a complete defense-in-depth strategy can be beneficial.

The CipherTrust Data Security Platform solution allows companies to protect their structure against cyber attacks

According to IDC, more than 175 zettabytes of data will be created by 2025, and today more than half of all corporate data is stored in the cloud.

To handle the complexity of where data is stored, CipherTrust Data Security Platform provides strong capabilities to protect and control access to sensitive data in databases, files, and containers. Specific technologies include:

CipherTrust Transparent Encryption

Encrypts data in on-premises, cloud, database, file, and Big Data environments with comprehensive access controls and detailed data access audit logging that can prevent the most malicious cyber attacks.

CipherTrust Database Protection

It provides transparent column-level encryption of structured, confidential data residing in databases, such as credit card numbers, social security numbers, national identification numbers, passwords, and e-mail addresses.

CipherTrust Application Data Protection

It offers APIs for developers to quickly add encryption and other cryptographic functions to their applications, while SecOps controls the encryption keys.

CipherTrust Tokenization

It offers application-level data tokenization services in two convenient solutions that give customers flexibility: vaultless tokenization with dynamic policy-based data masking, and vaulted tokenization.

CipherTrust Batch Data Transformation

Provides static data masking services to remove sensitive information from production databases so that compliance and security issues are alleviated when sharing a database with a third party for analysis, testing, or other processing.

CipherTrust Manager

It centralizes keys, management policies, and data access for all CipherTrust Data Security Platform products and is available in FIPS 140-2 Level 3 compliant physical and virtual formats.

CipherTrust Cloud Key Manager

It offers Bring Your Own Key (BYOK) key lifecycle management for many cloud infrastructure, platform, and software-as-a-service providers.

CipherTrust KMIP Server

It centralizes key management for the Key Management Interoperability Protocol (KMIP) commonly used in storage solutions.

CipherTrust TDE Key Manager

Centralizes key management for Transparent Data Encryption (TDE) in Oracle and Microsoft SQL Server, and for SQL Server Always Encrypted.

The portfolio of data protection products that make up the CipherTrust Data Security Platform solution enables companies to protect data at rest and in motion across the entire IT ecosystem and ensures that the keys to this information are always protected and only under your control.

It simplifies data security, improves operational efficiency, and accelerates time to compliance, regardless of where your data resides.

The CipherTrust platform ensures that your data is secure, with a wide range of proven, industry-leading products and solutions for deployment in data centers, either those managed by cloud service providers (CSPs) or managed service providers (MSPs), or as a cloud-based service managed by Thales, a leading security company.

Tool portfolio that ensures data protection against cyber attacks

With data protection products from the CipherTrust Data Security Platform, your company can:

Strengthen security and compliance against cyber attack

CipherTrust data protection products and solutions address the demands of a range of security and privacy requirements, including electronic identification, authentication, and trust, the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Law (LGPD), and other compliance requirements.

Optimize team and resource efficiency against cyber attacks

CipherTrust Data Security Platform offers the broadest support for data security use cases in the industry, with products designed to work together, a single line for global support, a proven track record of protecting against evolving threats, and the industry’s largest ecosystem of data security partnerships.

With a focus on ease of use, APIs for automation, and responsive management, the CipherTrust Data Security Platform solution ensures that your teams can quickly deploy, secure, and monitor the protection of your business.

In addition, professional services and partners are available for design, implementation, and training assistance to ensure fast and reliable implementations with minimal staff time.

Reduce total cost of ownership

CipherTrust Data Security Platform’s data protection portfolio offers a broad set of data security products and solutions that can be easily scaled, expanded for new use cases, and have a proven track record of protecting new and traditional technologies.

With CipherTrust Data Security Platform, companies can prepare their investments for the future while reducing operating costs and capital expenditures.

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends but is constantly seeking to innovate by offering solutions and services that make a difference to people’s lives.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Fighting cyber attacks: the importance of prevention

Throughout 2021, individuals, businesses and governments have all been concerned about combating cyber attacks.

With everything from travel diaries to credit card information now on the Internet, keeping data safe has become one of the most pressing challenges in cybersecurity.

Ransomware, phishing attacks, malware attacks, and other cybersecurity threats are some examples. No wonder that one of the fastest growing areas in IT is combating cyber attacks.

The need for data protection is increasingly recognized by organizations.

Companies, in particular, are paying more attention, as data breaches cause great damage every year and expose large amounts of personal information.

The fight against cyber attacks is increasing as society is increasingly connected

Although many of the attacks that occurred in 2021 were enabled by the increased use of the Internet during the coronavirus pandemic and lockdowns, the threat to businesses remains significant.

With the cost of combating global cyberattacks estimated to reach $10.5 trillion by 2025, according to Cybersecurity Ventures, a specialist cybercrime magazine, the threats posed by cybercriminals will only increase as organizations become more reliant on the internet and technology.

Ransomware cases increased in 2021 by about 62% from 2019, and it is considered the top threat this year. In fact, cyber threats are becoming more sophisticated during these times and are much more difficult to detect.

These attacks are far more dangerous in nature than simple theft. So let’s dig a little deeper into this discussion by looking at the top cyber attack cases of 2021.

The Colonial Pipeline

If we are going to talk about cyber attacks occurring in 2021, then Colonial Pipeline should be on the list.

Considered the largest fuel pipeline in the United States, it experienced a cyber attack in May 2021, disrupting fuel distribution in 12 states for a few days. The company had to pay $4.5 million as ransom to resolve the situation.

Florida’s supply system

A cybercriminal tried to poison the water supply in Florida and managed to increase the amount of sodium hydroxide to a potentially dangerous level.

The attack was carried out by breaking into the IT systems of the Oldsmar city water treatment plant and briefly raising the amount of sodium hydroxide from 100 parts per million to 11,100 parts per million. This scenario is an example of how an intrusion into critical infrastructure at any level puts residents’ lives at risk.

Microsoft Exchange

A massive cyber attack affected millions of Microsoft customers worldwide, in which cybercriminals actively exploited four zero-day vulnerabilities in Microsoft’s Exchange Server.

At least nine government agencies, as well as more than 60,000 private companies in the United States alone, are believed to have been affected by the attack.

Aircraft Manufacturer Bombardier

A popular Canadian aircraft manufacturer, Bombardier, suffered a data breach in February 2021. The breach resulted in the compromise of confidential data of suppliers, customers, and about 130 employees located in Costa Rica.

The investigation revealed that an unauthorized party gained access to the data by exploiting a vulnerability in a third-party file transfer application.

Acer Computers

World-renowned computer giant Acer suffered a ransomware attack and was asked to pay a ransom of $50 million, a record for the largest known ransom demand to date.

A cybercriminal group called REvil is believed to be responsible for the attack. The criminals also announced the breach on their website and leaked some images of the stolen data.

In Brazil it was no different in terms of the intensity of attacks and cybercrime

According to a survey by digital security company Avast, cybercriminals continued to take advantage of the Covid-19 pandemic by exploiting the habits people formed during the lockdown period to spread scams.

Following the global trend, ransomware attacks, cryptocurrency malware, and other scams were prevalent in Brazil.

For mobile devices, adware and fleeceware are among the top threats. According to Avast, the growth of ransomware attacks in Brazil was stronger than the global average.

Combating cyber attacks is already a major concern for most Brazilian companies today, since many such attacks occurred in 2021 alone, such as the one at Lojas Renner, which completely paralyzed its systems.

There was also the case of the Fleury group, which was unable to perform tests for several days, and JBS, which was forced to pay US$ 11 million in ransom after the attack on its operation in the United States. All of these situations have put the issue even more in evidence in Brazil.

Agencies and companies linked to the Brazilian government have also been targeted by cybercriminals. Social Security, the Ministry of Labor, the Federal Public Ministry, and Petrobras, among other organizations, have also suffered attacks.

In 2021, the LGPD also offered companies an opportunity to rethink how they fight cybercrime

The General Data Protection Law (LGPD) went into effect in September 2020. The overall goal of the new legislation is to establish a regulatory framework for the protection of personal data, making it easier for all Brazilian citizens to understand how their data is used and, if necessary, to file a complaint about its processing.

The goal of the LGPD can be summarized in three key points:

  • Strengthen the rights of individuals;
  • Train the actors involved in data processing;
  • Increase the credibility of regulation through cooperation between data protection authorities.

If there is one thing that the LGPD achieved during the year 2021, it was to raise awareness about data protection and privacy issues. In practice, companies cannot sweep incidents under the rug because of the risk of revenue-based fines.

The data protection law has also given companies more visibility into the data they are collecting. The basic principle of the LGPD is that companies know what data they have and ensure that they are processing it correctly and securely.

LGPD compliant companies now have the basic elements they need to build a good information security program because if you don’t know what you have, you don’t know what to protect.

The data protection law has also changed the financial equation for organizations when it comes to privacy risk. This has encouraged companies to think holistically about risk and invest in improving privacy controls and governance.

Invest in 2022 and beyond: the CipherTrust solution enables the fight against digital crime

According to IDC, more than 175 zettabytes of data will be created by 2025, and today more than half of all corporate data is stored in the cloud.

To handle the complexity of where data is stored, CipherTrust Data Security Platform provides strong capabilities to protect and control access to sensitive data in databases, files, and containers. Specific technologies include:

CipherTrust Transparent Encryption

Encrypts data in on-premises, cloud, database, file, and Big Data environments with comprehensive access controls and detailed data access audit logging that can prevent the most malicious attacks.

CipherTrust Database Protection

It provides transparent column-level encryption of structured, confidential data residing in databases, such as credit card numbers, social security numbers, national identification numbers, passwords, and e-mail addresses.

CipherTrust Application Data Protection

It offers APIs for developers to quickly add encryption and other cryptographic functions to their applications, while SecOps controls the encryption keys.

CipherTrust Tokenization

It offers application-level data tokenization services in two convenient solutions that give customers flexibility: vaultless tokenization with dynamic policy-based data masking, and vaulted tokenization.

CipherTrust Batch Data Transformation

Provides static data masking services to remove sensitive information from production databases so that compliance and security issues are alleviated when sharing a database with a third party for analysis, testing, or other processing.

CipherTrust Manager

It centralizes keys, management policies, and data access for all CipherTrust Data Security Platform products and is available in FIPS 140-2 Level 3 compliant physical and virtual formats.

CipherTrust Cloud Key Manager

It offers Bring Your Own Key (BYOK) key lifecycle management for many cloud infrastructure, platform, and software-as-a-service providers.

CipherTrust KMIP Server

It centralizes key management for the Key Management Interoperability Protocol (KMIP) commonly used in storage solutions.

CipherTrust TDE Key Manager

Centralizes key management for Transparent Data Encryption (TDE) in Oracle and Microsoft SQL Server, and for SQL Server Always Encrypted.

The portfolio of data protection products that make up the CipherTrust Data Security Platform solution enables companies to protect data at rest and in motion across the entire IT ecosystem and ensures that the keys to this information are always protected and only under your control.

It simplifies data security against cyber attacks, improves operational efficiency, and accelerates time to compliance, regardless of where your data resides.

The CipherTrust platform offers a wide range of proven, market-leading products and solutions to ensure the fight against cyber attacks.

These products can be deployed in data centers or at cloud service providers (CSPs) or managed service providers (MSPs). In addition, you can also count on the cloud-based service managed by Thales, a leading company in the security industry.

A portfolio of tools that ensures cybercrime is tackled

With data protection products from the CipherTrust Data Security Platform, your company can:

Strengthen security and compliance

CipherTrust designs its data protection products and solutions against cyber attacks to meet a range of security and privacy requirements, including electronic identification, authentication, and trust.

In addition, these products also comply with the Payment Card Industry Data Security Standard (PCI DSS), the General Data Protection Law (LGPD), and other compliance requirements.

Optimize team and resource efficiency against security incidents

CipherTrust Data Security Platform is the industry leader and provides extensive support for data security use cases.

With products designed to work together, a single line for global support, and a proven track record of protecting against evolving threats, the platform also boasts the industry’s largest ecosystem of data security partnerships.

The CipherTrust Data Security Platform solution was developed with a focus on ease of use, with APIs for automation and responsive management.

With this solution, your teams can quickly implement, secure, and monitor the protection of your business against cyber attacks.

In addition, professional services and partners are available to assist in implementation and staff training, ensuring fast and reliable implementations.

In this way, it is possible to reduce the time required from your staff for these activities.

Reduce total cost of ownership

The CipherTrust Data Security Platform offers a broad set of data security products and solutions for protection against cyber attacks.

This portfolio can be easily scaled, expanded for new use cases, and has a proven track record of protecting both new and traditional technologies.

With the CipherTrust Data Security Platform, companies can prepare their investments to combat cyberattacks while reducing operational costs and capital expenditures.



Cyberattack on financial institutions, a real risk

Banks, fintechs and other companies in the financial sector have been among the main targets of cyber attacks, due to the abundance of confidential information contained in customer files.

This is especially true as more and more people move to online banking and seek alternative, contactless ways to pay during the pandemic.

Now, a new wave of financial solutions, such as Pix and Open Banking, is emerging to make real-time transactions easier for customers, but further expanding the threat landscape.

Along with growing threats, financial institutions must also meet regulatory compliance requirements, such as the General Data Protection Law (LGPD), or face regulatory fines and sanctions, further amplifying the risk of major losses for businesses connected to the segment.

According to a study by the Boston Consulting Group, financial services firms are 300 times more likely than other companies to be targets of cyber attacks, including phishing, ransomware and other malware attacks, and even insider threats.

Financial institutions must take a more proactive approach to cyber attacks or risk devastating data breaches

Attackers have different motives when carrying out cyber attacks on financial institutions, but in the case of cybercriminals, the goal is financial gain.

Financial institutions have a wealth of personal and financial information, ready for monetization if breached, including cryptocurrency wallets and the transfer of money via Pix.

As with other targets, cybercriminals work to compromise account credentials through phishing. All it takes is for an employee to reuse credentials, such as passwords, and attackers have everything they need to attack financial institutions and wreak havoc.

Ransomware is a type of malware that encrypts confidential files or locks companies out of their systems. The only way to unlock them is with a decryption key that only the attacker holds, which the attacker promises to provide after a ransom is paid.

In the financial segment, ransomware is one of the most common cyber attacks. In 2017 alone, 90% of financial institutions were hit by a ransomware attack. In 2020, the world’s third largest Fintech company, Finastra, was targeted.

So why is ransomware so effective for cybercriminals? Because, most of the time, it is much faster and cheaper to pay the ransom than to suffer downtime.

Dealing with Cyber Attack Risks: Detecting and Managing Threats

In practice, banks, Fintechs, and other financial institutions can follow good security practices to ensure that their organization is protected while continuing to adhere to regulatory compliance.

Implementing continuous monitoring and threat detection capabilities is the first step in closing the glaring security gaps that many banks and financial institutions are facing.

In fact, ransomware attacks are usually not a one-time event; the same company can be hit several times.

Regardless of whether an organization has experienced an incident or not, it is important to monitor the full range of networks and applications across the IT landscape on an ongoing basis, rather than relying on periodic assessments.

With this kind of constant visibility, companies know whether they are compromised or secure.

It is increasingly important for banks and fintechs to build a solid foundation by adopting security technologies and processes that improve their ability to detect cyber attacks on financial institutions as early as possible.

There are a number of ways in which these technologies can help institutions protect themselves, including providing important context for anomalous behavior, flagging known indicators of compromise, and accelerating threat detection and response.

However, detection alone does not prevent cybercriminals from attacking.

After suspicious activities that may indicate early stages of an attack are detected, it is important that companies have controls in place to stop future activities and an incident response plan to mitigate the attack.

Encryption and data integrity are also part of the protection strategy against cyber attacks

People will use a financial application only if they trust that their data is safe in the provider’s hands, which is why data breaches via ransomware are so damaging to the reputation of banks and fintechs.

Besides establishing trust, encryption is also one of the easiest ways to comply with most government regulations. In fact, many regulators require it.

For example, in addition to the LGPD, the Payment Card Industry Data Security Standard (PCI DSS) requires companies to encrypt credit card information before storing it in their database.

Encrypting data is crucial.

However, encrypting data only during storage is not enough. Unless you have no plans to move your data, encrypting it during transport is equally crucial.

This is because cybercriminals can eavesdrop on connections to the application server and intercept any data sent in the clear.

Backup and disaster recovery as the most efficient way to decrease downtime for financial institutions

Planning for potential outages can save banks, fintechs, and other financial institutions not only valuable time but also significant amounts of money in lost revenue, credibility, and recovery services.

A recent report by Sophos, “State of Ransomware 2021”, showed that the average total cost of recovering from a ransomware attack could be as high as $2 million.

Creating a plan against cyberattack on financial institutions before disaster strikes also puts organizations in a better position to avoid paying ransoms due to the ability to resume operations.

A solid disaster recovery capability can limit the impact of cyber attacks to a minor disruption, rather than a company-ending event.

CipherTrust Data Security Platform Enables Protection Against Cyberattacks on Financial Institutions

According to IDC, more than 175 zettabytes of data will be created by 2025, and today more than half of all corporate data is stored in the cloud.

To address the complexity of where data is stored, CipherTrust Data Security Platform provides strong capabilities to protect and control access to sensitive data in databases, files, and containers from cyber attacks. Specific technologies include:

CipherTrust Transparent Encryption

Encrypts data in on-premises, cloud, database, file, and Big Data environments with comprehensive access controls and detailed data access audit logging that can prevent the most malicious cyber attacks.

CipherTrust Database Protection

It provides transparent column-level encryption of structured confidential data that resides in databases, such as credit card numbers, social security numbers, national identification numbers, passwords, and e-mail addresses.

CipherTrust Application Data Protection

It offers APIs for developers to quickly add encryption and other cryptographic functions to their applications, while SecOps controls the encryption keys.

CipherTrust Tokenization

It offers application-level data tokenization services in two solutions that give customers flexibility: vaultless tokenization with dynamic, policy-based data masking, and vaulted tokenization.

CipherTrust Batch Data Transformation

Provides static data masking services to remove sensitive information from production databases so that compliance and security issues are alleviated when sharing a database with a third party for analysis, testing, or other processing.
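The tokenization and static-masking services described in the two paragraphs above can be pictured with a small example. The Python below is added here as an illustration and is not CipherTrust code: it shows a vaulted tokenizer (random token, lookup table), a vaultless tokenizer (a keyed, reversible, format-preserving transform; the digit shift used here is a simplification of the format-preserving encryption real products use), the role-based dynamic masking applied when a tokenized column is read, and an irreversible static mask for a database copy handed to a third party. The rows, role names and key are constructed for the example.

```python
"""Toy versions of vaulted tokenization, vaultless tokenization with dynamic
policy-based masking, and static masking. Added illustration, standard library
only, not CipherTrust code; records, roles and key are constructed."""
import hashlib
import hmac
import secrets
import string

DIGITS = string.digits

# Constructed sample rows; the PANs are well-known test numbers, not real cards.
PRODUCTION_ROWS = [
    {"id": 1, "name": "Ana", "pan": "4111111111111111", "email": "ana@example.com", "amount": 120.50},
    {"id": 2, "name": "Bruno", "pan": "5500000000000004", "email": "bruno@example.com", "amount": 75.00},
]


class VaultedTokenizer:
    """Vaulted tokenization: the token is random, so the only way back to the real
    value is the vault (an in-memory dict here; in production an encrypted,
    access-controlled store)."""

    def __init__(self):
        self._vault = {}    # token -> original value
        self._reverse = {}  # original value -> token, so repeats tokenize identically

    def tokenize(self, pan: str) -> str:
        if pan in self._reverse:
            return self._reverse[pan]
        while True:
            # Random digits keep the field's length/format; the last four stay in
            # the clear so a support agent can confirm a card with the customer.
            token = "".join(secrets.choice(DIGITS) for _ in pan[:-4]) + pan[-4:]
            if token != pan and token not in self._vault:
                break
        self._vault[token] = pan
        self._reverse[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._vault[token]  # KeyError means "not a token we issued"


def _digit_stream(key: bytes, tweak: str, length: int) -> list:
    """Keyed, deterministic digit stream from HMAC-SHA256(key, tweak || counter).
    Bytes >= 250 are discarded so that b % 10 is uniform over 0..9."""
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, f"{tweak}:{counter}".encode(), hashlib.sha256).digest()
        out.extend(b % 10 for b in block if b < 250)
        counter += 1
    return out[:length]


def vaultless_tokenize(key: bytes, tweak: str, pan: str) -> str:
    """Vaultless tokenization: no lookup table, the key alone reverses the token.
    The tweak (table.column:row) binds the token to its record so equal PANs in
    different rows get different tokens."""
    stream = _digit_stream(key, tweak, len(pan))
    return "".join(str((int(d) + s) % 10) for d, s in zip(pan, stream))


def vaultless_detokenize(key: bytes, tweak: str, token: str) -> str:
    stream = _digit_stream(key, tweak, len(token))
    return "".join(str((int(d) - s) % 10) for d, s in zip(token, stream))


# Dynamic masking policy, applied at read time after detokenization (constructed roles).
MASKING_POLICY = {
    "fraud_analyst": lambda pan: pan,                         # full value
    "support": lambda pan: "*" * (len(pan) - 4) + pan[-4:],   # last four only
    "marketing": lambda pan: "#" * len(pan),                  # no visibility
}


def read_pan(role: str, key: bytes, tweak: str, token: str) -> str:
    """What a caller in `role` sees when reading a tokenized PAN column."""
    if role not in MASKING_POLICY:
        raise PermissionError(f"no masking policy defined for role {role!r}")
    return MASKING_POLICY[role](vaultless_detokenize(key, tweak, token))


def static_mask(rows: list) -> list:
    """Static masking for a copy handed to a third party: irreversible. The PAN becomes
    random digits of the same length, names and e-mail local parts become a per-row
    surrogate, and analytic columns (amount, e-mail domain) are kept."""
    masked = []
    for row in rows:
        domain = row["email"].partition("@")[2]
        masked.append({**row, "name": f"user{row['id']}",
                       "pan": "".join(secrets.choice(DIGITS) for _ in row["pan"]),
                       "email": f"user{row['id']}@{domain}"})
    return masked


if __name__ == "__main__":
    key = b"constructed-example-key-not-for-production"
    vaulted = VaultedTokenizer()
    t1 = vaulted.tokenize(PRODUCTION_ROWS[0]["pan"])
    print("vaulted token:", t1, "->", vaulted.detokenize(t1))
    t2 = vaultless_tokenize(key, "orders.pan:2", PRODUCTION_ROWS[1]["pan"])
    for role in MASKING_POLICY:
        print(f"{role:>14}: {read_pan(role, key, 'orders.pan:2', t2)}")
    print("static masked copy:", static_mask(PRODUCTION_ROWS))
```

The vaulted variant moves the risk into the vault (which must be protected as strongly as the data it maps), while the vaultless variant moves it into the key: whoever holds the key can detokenize, which is why key custody is treated as its own function later in this list.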

CipherTrust Manager

It centralizes keys, management policies, and data access for all CipherTrust Data Security Platform products and is available in FIPS 140-2 Level 3 compliant physical and virtual formats.

CipherTrust Cloud Key Manager

It offers bring-your-own-key (BYOK) lifecycle management for many cloud infrastructure, platform, and software-as-a-service providers.

CipherTrust KMIP Server

It centralizes key management for the Key Management Interoperability Protocol (KMIP) commonly used in storage solutions.

CipherTrust TDE Key Manager

Centralizes key management for the transparent data encryption found in Oracle and SQL Server databases, including SQL Server Always Encrypted.

The portfolio of data protection products that make up the CipherTrust Data Security Platform solution enables companies to protect data at rest and in motion across the entire IT ecosystem and ensures that the keys to this information are always protected and only under your control.

It simplifies data security, improves operational efficiency, and shortens the time to compliance, regardless of where your data resides.

The CipherTrust platform ensures that your data is secure, with a wide range of proven, industry-leading products and solutions for deployment in data centers, either those managed by cloud service providers (CSPs) or managed service providers (MSPs), or as a cloud-based service managed by Thales, a leading security company.

Tool portfolio that ensures data protection against cybercrime

With data protection products from the CipherTrust Data Security Platform, your company can:

Strengthen security and compliance against cyber attacks

CipherTrust data protection products and solutions address the demands of a range of security and privacy requirements, including electronic identification, authentication and trust, Payment Card Industry Data Security Standard (PCI DSS), General Data Protection Act (LGPD), and other compliance requirements.

Optimize team and resource efficiency

CipherTrust Data Security Platform offers the broadest support for data security use cases in the industry, with products designed to work together, a single point of contact for global support, a proven track record of protecting against evolving threats, and the industry’s largest ecosystem of data security partnerships.

With a focus on ease of use, APIs for automation, and responsive management, the CipherTrust Data Security Platform solution ensures that your teams can quickly deploy, secure, and monitor the protection of your business.

In addition, professional services and partners are available for design, implementation, and training assistance to ensure fast and reliable implementations with minimal staff time.

Reduce total cost of ownership

CipherTrust Data Security Platform’s data protection portfolio offers a broad set of data security products and solutions that can be easily scaled, expanded for new use cases, and have a proven track record of protecting new and traditional technologies.

With CipherTrust Data Security Platform, companies can prepare their investments for the future while reducing operating costs and capital expenditures.

About Eval

With a track record of leadership and innovation dating back to 2004, Eval not only keeps up with technological trends but is also in a constant quest to innovate, offering solutions and services that make a difference to people’s lives.

With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.

Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.

Eval, safety is value.


Security Policies: Successful in only 41% of Companies

While cyber attacks and threats are an ongoing struggle, they can be avoided by being aware of security policies, the various types of protocols, exploits, tools and resources used by malicious people.

In addition, knowing where and how to expect attacks ensures that you are putting preventative measures in place to protect your systems.

Cyber attacks, threats and vandalism are a dangerous and growing problem for businesses. Almost every modern business requires a network of computers, servers, printers, switches, access points and routers to operate.

The primary objective of any IT security policy is to comply with all current legislation and other security requirements in order to protect the integrity of its members and the corporate data that resides in the company’s technology infrastructure.

But few companies have met this challenge. A study by the Ponto BR Information and Coordination Center (NIC.br) found that only 41% of Brazilian companies have well-established security policies against cyber attacks.

Implementing these policies is considered a best practice when developing and maintaining a cybersecurity program. As more companies develop digital programs, effective security policies are needed to effectively combat cyber attacks.

What is a security policy and why is it important in combating cyber attacks?

Basically, a security policy is a set of standardized practices and procedures designed to protect a company’s network from threats.

Typically, the first part of the cybersecurity policy focuses on the overall security expectations, roles and responsibilities in the organization. The second part may include sections for various areas of cybersecurity, such as guidelines for antivirus software or the use of cloud applications.

Typically, the CISO leads the development and updating of a security policy. However, CISOs must also work with executives from other departments to create and update policies collaboratively.

Teams should start with a cybersecurity risk assessment to identify the organization’s vulnerabilities and the areas of concern that are susceptible to cyberattacks and data breaches.

It is important to understand the organization’s tolerance for various security risks, highlighting concerns classified as low risk and those that threaten the survival of the organization. Staff should then consider the regulatory requirements they must meet to maintain compliance.

CISOs can then determine what level of security should be implemented for the identified security gaps and areas of concern. Remember that CISOs must match the level of protection required with the organization’s risk tolerance.

By doing so, the organization ensures that the areas with the lowest risk tolerance get the highest level of security.

What are the information security issues that cyber security policies should address against cyber attacks?

If your organization does not have an information security policy for any area of concern, security in that area is probably at risk: disorganized, fragmented and ineffective.

The issues that security policies must address differ between organizations, but some of the most important include:

Physical security

How is security handled in data centers, server rooms and terminals in company offices and elsewhere?

Physical security policies serve a wide range of purposes, including access management, monitoring and identification of secure areas.

Data retention

What data does the company collect and process? Where, how and for how long should it be stored?

Data retention policies affect several areas, including security, privacy and compliance.

Data encryption

How does the organization handle secure storage and transmission of data?

In addition to encryption objectives, data encryption policies may also discuss objectives and rules around key management and authentication.

Access control

Who can access sensitive data and what systems should be in place to ensure that sensitive data is identified and protected from unauthorized access?

Security training

Security depends as much on people as on technology and systems.

Human error contributes to many security breaches that could have been prevented if employees and executives received sufficient training.

Risk management

Information security risk management policies focus on risk assessment methodologies, the organization’s tolerance for risks across various systems, and who is responsible for threat management.

Business continuity

How will your organization react during a security incident that threatens critical business processes and assets?

Security and business continuity interact in many ways: security threats can quickly become business continuity risks, and the processes and infrastructure that companies use to keep the business running must be designed with protection in mind.

We have covered just a few key points of security policies relevant to companies in many different sectors.

But every organization differs, and the content of policies must be tailored to the unique circumstances of your business, and must evolve as circumstances change.

Commitment to key protection and compliance requirements

Eval and THALES can help you develop your company’s security policies, meeting key protection and compliance requirements.

Companies should prioritize data risks by creating a classification policy based on data sensitivity.

Policies should be developed and implemented that determine what types of information are confidential and what methods, such as encryption, should be used to protect that information.

In addition, companies should monitor the transmission of information to ensure that policies are complied with and effective.

Fortunately, new technology solutions can help companies gain full visibility of their sensitive data and strengthen their compliance with protection requirements, such as the General Data Protection Law (LGPD).

The CipherTrust data security platform enables organizations to discover their sensitive information, assess the risk associated with that data, and then define and enforce security policies.

As well as making it easier to comply with data protection law at any time, your business can save money while gaining the trust of your customers and partners.

Your business achieving compliance with help from Eval

A strong information security policy is the glue that binds all security controls and compliance requirements together and is the document that describes the protection and privacy strategy across the organization.

At the same time, it can be a great accountability tool when it comes to consumer trust. To be effective, a security policy must be accepted by the entire company to effectively manage and update the security controls needed in a world of ever-changing cyber risk.

If managed well and followed accordingly, policy management is the foundation for achieving compliance with the LGPD or any other future privacy regulation.

By applying frameworks like LGPD, greater control is given back to people/consumers. This extra control goes a long way to increasing the level of trust people feel towards companies. And in turn, it can increase revenues and profits.

The LGPD requirements are much more than a checklist and if your organization processes the personal data of data subjects here in Brazil, you should take the time to explore the security controls you have in place to support the requirements of the privacy law and ensure that personal information is protected and processed appropriately.

Organizations should be transparent with their customers about their legal bases for data collection and should offer them control over whether or not they want to share their data with others.

Then, organizations must follow through and ensure that they use the data they collect only for the purposes initially described, always within the limits of the consent provided by their customers, and make sure they respect all the rights granted to customers under the new legislation.

To learn more about the CipherTrust Data Security Platform, contact Eval’s experts now.


Ransomware Attacks: Growing for Businesses and Governments

Have you heard of ransomware attacks? Chances are you have; after all, the term has become increasingly common in news reports.

The term combines the English words ransom and ware (as in software) and describes the situation in which a system is infected with malware (malicious software) and a payment is demanded to release the machine and its files.

Cybercriminals are on the move, and organizations of many kinds, from private companies to public bodies, have become victims in recent years.

Recently, according to a note released by the government, the National Treasury suffered a ransomware attack and “the effects of the criminal action are being evaluated by security experts from the National Treasury Secretariat and the Digital Government Secretariat.”

Another victim was Lojas Renner, which suffered the attack on Thursday (19/08) and had its website and application down for 2 days in a row.

For the organizations that fall victim, this can lead to major financial losses, both from the ransom charged and the loss of sales and credibility.

Why are ransomware attacks on the rise?

According to research by Statista, in 2020 alone, 304 million ransomware attacks were recorded worldwide, a 62% increase from the previous year.

So, with data like this in mind, and with so many reports of companies and governments that have fallen victim to cybercriminals, the question arises: why is the number of attacks increasing?

This is because, with the advancement of technology, the way companies operate has changed. Consider 3 examples.

Increased virtualization

Virtualization refers to the adoption of a virtual environment for running different applications and operating systems on a single physical machine.

It is a technique used by IT (Information Technology) teams to make better use of existing infrastructure, facilitating business scalability.

However, when implementing this solution, it is important that companies stay vigilant and look for ways to ensure security, since virtualized environments can change quickly and require trained professionals to maintain proper management and thus keep the organization free from ransomware attacks.

Exposure of sensitive cloud data

Another measure that many companies have adopted in recent years is cloud computing.

According to a Gartner forecast, spending on public cloud services in 2021 is expected to reach $332.3 billion, a 23.1% increase compared to 2020.

This demonstrates the growing use of cloud solutions. With this migration, a lot of sensitive data is now stored in the cloud.

However, even though cloud information is more protected than local storage, this does not mean that you do not need to develop security strategies.

For example, it is essential to establish access control policies so that information is protected.

Still according to Statista, many companies do not feel fully prepared when adopting a cloud solution, and among the main reasons are difficulties with security and governance and a lack of staff experience.

As a result, many cybercriminals may take advantage of this to carry out ransomware attacks.

Lack of deployment of protection technologies against ransomware attacks

With the previous points in mind, it is important to highlight that, even though many companies are embracing digital transformation, it is also necessary to implement protection technologies such as:

  • Cryptography;
  • Machine Learning (ML);
  • Backup and disaster recovery;
  • Among others.

How to protect yourself from ransomware attacks?

In order to ensure the security of your company, it is essential to apply internal policies that all employees follow and that contribute to prevention, such as:

  • Access management;
  • Check page URLs;
  • Be careful when clicking on links in emails;
  • Among others.

It is also extremely important to keep a good antivirus in place and to make regular backups.

Another key strategy is to implement an encryption solution, so if your company suffers ransomware attacks, with the use of encryption, your information is protected and will not be read by criminals.

Read more about protecting sensitive data with encryption.

How to choose the most suitable way to secure data against ransomware attacks?

The Thales CipherTrust Data Security Platform preserves the structure and integrity of your company’s data, including the format of the fields in the database, whatever it may be: Oracle, SQL Server, MySQL, DB2, PostgreSQL, and so on.

Simply, comprehensively and effectively, the CipherTrust solution offers capabilities to secure and control access to databases, files and containers, and can protect assets located in cloud, virtual, big data and physical environments.

With CipherTrust, you can protect your company’s data and anonymize your sensitive assets, ensuring security for your company and avoiding future problems with data leakage.

Get in touch with Eval. Our experts will be able to help you, contributing to the development of your data protection projects and the continuous improvement of your company.


Does LGPD compliance apply in healthcare institutions?

Since the General Data Protection Law (LGPD) came into force, the protection of personal data has become more challenging for the health sector, which means that information must be managed with a more holistic approach.

Healthcare organizations should have procedures in place that can be triggered immediately to address LGPD compliance, starting with being more cautious with personal data and knowing where it is stored and how it is being processed.

This applies to the public and private sector: hospitals and clinics, dental care, pharmacies, nursing homes, diagnostic laboratories, stores selling pharmaceuticals and all other companies or organizations that process health-related data.

To avoid breaches, healthcare organizations should implement LGPD compliance requirements, including contract management as well as policies, procedures, documentation and records covering patients, healthcare professionals and business partners.

Therefore, records of data processing activity and retention and deletion periods must also be adequate under data protection law.

LGPD compliance: Processing health data in the digital age

Many systems used in the health sector are now fully digital. With the help of cloud-based technology, systems containing patient data are often ‘shared’ between hospitals, pharmacies and other institutions in order to better serve patients.

But how should this sensitive data be processed and shared while still meeting LGPD compliance?

Considering the fact that health data is assembled on confidential patient information, it should be ensured that the principles of data protection and privacy law are duly complied with before processing or sharing.

Under the LGPD, your organization will need to demonstrate that its processing has met specific requirements, which include implementing appropriate safeguards to ensure the protection of this information.

Given the sensitivity of health-related personal information, it should only be processed by authorized health professionals who are bound by the obligation of medical and data confidentiality.

Individuals should be properly screened and reminded of their confidentiality obligations.

In addition, it is especially vital that healthcare institutions carry out data protection impact assessments and put in place specific security measures, such as authentication procedures, use of digital certificates and signatures, and access controls to a patient’s personal data.

In practice, under the LGPD, the patient and other persons related to the hospital and its doctors have the following rights:

  • The right to confirmation that processing exists; processing means any operation carried out with personal data, such as collection, production, reception, use, reproduction, transmission, distribution, processing, archiving, modification, communication, transfer and dissemination, among others;
  • The right to access and correct their stored data;
  • Anonymization (anonymized data is data from which the data subject cannot be identified);
  • Portability;
  • Deletion of data after the end of processing;
  • Information about data sharing;
  • The possibility of receiving information about the consequences of not giving consent;
  • Revocation of consent.

If access control is not adequate, it can easily lead to a data breach and, under the data protection law, to fines and sanctions that can jeopardize the reputation and financial health of any healthcare institution, regardless of its size.

What are the fines and penalties in the LGPD that can be applied to health institutions?

The LGPD provides for six penalties or fines. They are:

  1. Warning. This warning will come with a deadline for the company to comply with the legislation. Failure to correct by the deadline will result in a penalty;
  2. Simple fine on top of turnover. This fine can be up to 2% of the legal entity’s turnover. The limit is 50 million BRL per infringement;
  3. Daily fine. This fine will also be capped at 50 million BRL;
  4. Publicizing the infringement. The infringement will become public and the damage to the company’s image could be enormous;
  5. Blocking personal data. This administrative sanction prevents companies from using the personal data collected until the situation is regularized;
  6. Deletion of personal data. The sixth penalty provided for in the LGPD obliges the company to completely eliminate the data collected in its services, causing damage to the company’s operation.

The limit of fines in the LGPD is 50 million BRL per infringement. But some of the penalties can be even worse, depending on the organization. For example, publicly acknowledging the leak of personal data of thousands of customers can bring down even solid companies, completely undermining the credibility of a hospital.

What steps healthcare institutions can take to ensure compliance and reduce the risk of a breach of personal patient information

After going through the most important aspects of the General Data Protection Law in relation to healthcare institutions, let’s briefly go through three tangible steps that medical organizations should take to protect the personal data processed by them.

1. Ensure awareness
  • Among patients

A crucial first step in meeting the requirements under data protection law is that all data subjects, such as patients, must be informed of the details of third parties with whom their information will be shared in order to comply with the transparency requirements set out by the LGPD.

In addition, the data sharing agreement should clearly define the purpose, the legal bases and the information to be shared, together with the necessary details on the treatment of data subjects’ rights and the agreed shared security standards.

All this information should be communicated in a clear and easy to understand way.

  • Among staff

Regular staff training on data protection is advised in order to reduce the risks of human error and therefore internal data breaches.

Even though staff are bound by medical confidentiality, mistakes and accidents can happen in practice. Therefore, making all employees aware of the importance of data protection, the safeguards that need to be implemented and the typical problematic situations that should be avoided can have a significant positive impact on an institution’s compliance efforts.

In addition, all employees should also be aware of how to recognize a data breach, what steps will be taken in the event of a security incident and which stakeholders should be involved in the process.

2. Process and share only the personal data necessary for the purpose of your work

It is also important that necessary health data is processed minimally and shared only if necessary.

Unauthorized disclosure can have a serious impact on a patient’s life, so it should be ensured that data sharing is done on the basis of any of the lawful bases of processing, with appropriate agreements in place to hold a relevant party accountable.

To add to this, such data should not be shared except in cases such as the following:

  • The data subject has given explicit consent;
  • The patient has made the data public;
  • In a life-or-death situation where the patient cannot give consent and processing is in the patient’s vital interest;
  • For preventive or occupational medicine;
  • For assessment of the employee’s working capacity;
  • For medical diagnosis;
  • For the provision of health or social care or treatment, or the management of health or social care systems and services.

Please note that in the case of sharing, health institutions should have safeguards in place to ensure that data is secure.

3. Set strict access controls

Given the shared nature of cloud-based systems often used in the healthcare sector, it is critical to ensure that only those needed have access to patient data.

Implementing measures such as two-factor authentication or single sign-on, as well as the use of digital signatures and certificates, adds further layers of protection when it comes to accessing patient files.

LGPD compliance: a worthwhile investment

With the digital transformation of the healthcare segment, the way information is processed and accessed also needs to be adjusted. This brought several new aspects regarding data protection, requiring healthcare institutions to make data privacy their top priority.

While LGPD compliance requires healthcare institutions to invest time and resources, at the end of the day it is in the interest of patients and of the institution itself.

Complying with the obligation will not only decrease the possibility of a potential data breach, protecting your organization from a hefty fine and reputational damage, but also plays a significant role in gaining patient trust and improving the overall efficiency of how patients are treated.


LGPD in healthcare: Impact on Institutional Quality

It is always important to remember that the General Data Protection Law (LGPD) was not designed to make life difficult for organizations, but to protect and promote the interests of individuals.

It’s about giving people control over how their personal data is processed, reducing risk and allowing them to build trust in the companies they interact with.

By coincidence, these two themes – trust and risk – also characterize the major challenges facing the health sector today.

Healthcare organizations can now have clarity on what constitutes health data and have very clear guidelines on when and how they can process it. Of course, nothing is that simple.

The implementation and compliance of the LGPD in the healthcare area is a challenge that promotes important benefits to medical institutions.

LGPD in Healthcare for the Continuous Improvement of Institutions

The collection and transfer of real-time data between service providers in healthcare – from the primary care worker, to the doctor, to the specialists, pharmacists, physiotherapists, social worker, etc – is enabling a more coordinated approach to patient care, which is already delivering better outcomes as well as cost savings.

The typical patient pathway through healthcare providers requires secure data capture across a multitude of devices and platforms, including mobile equipment and the cloud.

This includes developing protocols and standards for sharing and controlling access to data – including providing access to data by patients themselves.

To implement quality medical institutions using LGPD in healthcare, organizations will need robust and sophisticated processes and systems in place.

They should know where the data is at any given time, exactly who can and cannot see what (and perhaps more importantly, who has seen what).

Roles and responsibilities will have to be formal and legally codified and, of course, privacy and security will have to be the standard starting point from which these processes and systems are implemented.

Data protection law improves the relationship between healthcare organizations/providers and their clients

The GDPR in healthcare should lead to better relationships between medical organizations and their customers.

This is largely due to the confidence they will now have in knowing that their personal information is secure and can be easily accessed by themselves if needed.

Customers will be assured that organizations will only keep their personal information if they allow them to do so and it can only be used in ways defined by legislation.

Overall, the GDPR in healthcare should be seen as an opportunity for the organizations involved, as it will provide them with a number of benefits: increased customer satisfaction, improved processes, greater understanding of their data and help to avoid serious fines.

However, healthcare organizations and providers need to ensure that they are always transparent, as situations such as failure to alert a patient about a data breach or misuse of customer information can damage relationships.

LGPD Compliance in Healthcare is Just the Beginning

The data protection law is comprehensive in its scope and adds strict new requirements to any healthcare institution that captures and uses patients’ personal data.

Compliance is not an isolated exercise, but must be incorporated into organizational structures.

When it comes to GDPR in healthcare, a critical component of compliance is the implementation of a complete cybersecurity strategy, with technological solutions that help isolate healthcare organizations’ networks.

Healthcare institutions should not only seek to use tools that provide them with a comprehensive view of their network as it already exists today, but also allow them to adapt quickly to new threats and prevent them before they occur.

The LGPD signaled a significant shift in our collective culture towards data protection law and user privacy.

However, legislation and compliance are just the beginning.

Providing health institutions with a checklist they must follow to avoid fines may cause some movement, but deeper progress can only be made by fundamentally and organizationally prioritizing data privacy and digital security.

Only when organizations are protected against fraud and data theft using secure business processes, strong cybersecurity tools and a comprehensive strategy can personal data be truly protected.

EVAL: We are experts in digital signature

Now that you understand a little more about the use and validation of digital signature, what do you think about implementing our tips in your company?

With a dedicated focus on the healthcare market and a highly specialized team, EVAL offers customized solutions that bring security and agility to the processes of hospitals, laboratories, clinics and healthcare operators.

In addition to contract management, electronic signatures and digital certificates provide a high evidence value for the digital archiving of these documents. Medical institutions can use these tools to avoid paper formation and to digitize existing paper documents.

Contact our team of experts today to find out how EVAL can help your organization manage your contracts and all other medical documents and processes.



Connected Cars: Data Protection in 3 Steps

We are steadily moving towards a future where high connectivity is becoming the industry standard. This is why data security in connected cars has become a concern.

This is largely due to the increase in consumer demand, fueled by the convenience that IoT (Internet of Things) connected vehicles can offer.

This consumer demand makes sense when we consider the long-term benefits of driving or owning connected vehicles. Here are just a few of them:

  • A connected car enhances the experience of owning or using a vast array of apps and services that pair seamlessly with the smartphone the user owns;
  • Passenger and driver safety is increased and hazards are more easily avoided;
  • The driver has more control over the vehicle as well as its remote diagnostics;
  • Many routine tasks, such as parking, can be automated or partially automated;
  • Potential problems with the vehicle can be detected much earlier and money on fuel can be saved when the most efficient route is always chosen.

Consumer fears despite connected car innovation

Although the global connected car market is expected to surpass $219 billion by 2025, with 60% of automobiles connected to the internet, the industry is still facing challenges in its quest to become fully mainstream because of its main drawback: consumers’ fear of cyber attacks.

We all know that the increase in connected devices, whether vehicles or other devices, automatically increases the number of entry points and opportunities for criminals.

Considering the often very serious consequences of such attacks, this consumer fear is legitimate and needs to be addressed by the IoT industry in general, and by connected vehicle manufacturers in particular, if the industry wants to gain full consumer trust, win adoption of its products and keep users’ data safe.

Current safety status of connected cars

Indeed, protective measures are being taken to set data security standards in other areas of data exchange.

For example, the General Data Protection Act (GDPR) has made a significant difference to how we experience web browsing and any interaction that involves the processing of personal data.

However, IoT service providers are not currently required to comply with any additional security laws or standards.

While some are calling for specific government legislation, there are already several companies working on solutions to increase the security of connected devices.

It is not yet clear exactly what the impact will be on our personal privacy as we embark on this connected future. What is clear, however, is that if car manufacturers themselves do not step in with some clear technologies to prevent data hacking, mismanagement or data privacy breaches, the connected car industry will continue to struggle to be accepted by the general public.

So what are the automakers themselves doing these days? Crucially, what else needs to be done to reassure users that their data is safe?

What can car manufacturers do to ensure data security in connected cars?

1. Investment in hardware security

Typically, the vehicles we are most used to seeing and driving on a daily basis have not been equipped with any kind of hardware security in the car’s own electronics.

This is because the car was never originally designed to have an open system that could be connected to external systems such as IoT devices. Instead, the car system should be a closed system.

Because of this, as soon as you connect the vehicle to something external, there are not enough protections (e.g. a firewall) in place against malicious parties.

This is solved in new cars by installing something called a secure gateway.

For IoT devices, no interaction could happen with the vehicle without first passing through the secure gateway, making the exchange of data between two parties significantly more secure.
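To make the gateway role concrete, here is an added example (written for this page, not code from any vehicle manufacturer or from Eval or Thales) of a default-deny allow-list gateway placed between paired external devices and the vehicle's internal network. The device ids, topic names, size limit and policy are all constructed for illustration; the point is that nothing external reaches the internal network without a policy decision, control topics are never exposed externally, and every decision is logged.

```python
# Added example (not from the page or from any vehicle manufacturer):
# a minimal allow-list gateway that sits between paired external devices
# and the vehicle's internal network. Device ids, topic names and the
# policy below are constructed for illustration.
from dataclasses import dataclass, field


@dataclass
class Message:
    source: str                                  # id of the external device
    topic: str                                   # what it wants, e.g. "diag.read.battery"
    payload: dict = field(default_factory=dict)


# Constructed policy: the only topics each paired device may use.
# Anything not listed is dropped (default deny).
POLICY = {
    "phone-app-01": {"diag.read.battery", "diag.read.odometer", "media.play"},
    "insurer-dongle-07": {"diag.read.odometer"},
}

# Topics that reach the vehicle's control functions. Defence in depth: the
# gateway refuses these from external devices even if a policy lists them.
NEVER_EXTERNAL_PREFIXES = ("actuate.", "ecu.write.")


class SecureGateway:
    def __init__(self, policy, max_payload_bytes=1024):
        self.policy = policy
        self.max_payload_bytes = max_payload_bytes
        self.audit = []                          # (source, topic, decision, reason)

    def decide(self, msg: Message):
        """Return (allowed, reason) for a message from an external device."""
        if msg.source not in self.policy:
            return False, "unpaired device"
        if msg.topic.startswith(NEVER_EXTERNAL_PREFIXES):
            return False, "control topic never exposed externally"
        if msg.topic not in self.policy[msg.source]:
            return False, "topic not in device policy"
        if len(repr(msg.payload).encode()) > self.max_payload_bytes:
            return False, "payload too large"
        return True, "ok"

    def forward(self, msg: Message):
        """Hand the message to the internal network (returned here) or drop it."""
        allowed, reason = self.decide(msg)
        self.audit.append((msg.source, msg.topic, "allow" if allowed else "deny", reason))
        return msg if allowed else None


def demo():
    """Run four constructed messages through the gateway."""
    gw = SecureGateway(POLICY)
    results = [
        gw.forward(Message("phone-app-01", "diag.read.battery")),      # allowed by policy
        gw.forward(Message("phone-app-01", "actuate.headlights")),     # control topic, refused
        gw.forward(Message("insurer-dongle-07", "diag.read.battery")), # not in this device's policy
        gw.forward(Message("unknown-device", "diag.read.odometer")),   # never paired
    ]
    return gw, results
```

The audit list is what an incident responder would pull first: a burst of denied messages from one device id is a signal worth alerting on, and the reason field makes triage straightforward.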

2. Investment in software security

With the continued rise in cybersecurity incidents, automakers need to incorporate an approach to data security in connected cars that takes into account not only the obvious exposures in the car’s software, but also the hidden vulnerabilities that can be introduced by open-source software components.

Connected car software code is extremely complex to say the least, with the average car software based around 100 million lines of code.

With so much complexity comes many opportunities for vulnerabilities and an increased risk of malicious attacks from cybercriminals.

Nowadays, it’s not uncommon to hear about malware specifically designed to detect flaws in car software.

Today, several renowned car manufacturers and their software suppliers deploy testing tools that include safety assessments on static and dynamic software.

In connected cars, these tools are used to identify coding errors that can result in software vulnerabilities and opportunities for hackers and criminals to enable or disable certain features remotely.

While these tools are effective at detecting bugs in the code written by the connected car manufacturers’ own in-house developers, they are not effective at identifying open-source vulnerabilities in third-party code.

This leaves many of the key components of today’s apps exposed, due to the fact that they are made by developers working for external IoT providers rather than the carmakers themselves.
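The gap described above is what software composition analysis closes: instead of scanning the code you wrote, you inventory the third-party components you ship and match them against published advisories. The following is an added example (not from the page or from any vendor's tooling) of that matching step; the package names, pinned versions and advisory ids are constructed placeholders, not real components or CVEs, and a real check would read a lockfile or SBOM and a live advisory feed.

```python
# Added example (not from the page or any vendor's tooling): a minimal
# software-composition check that matches pinned third-party components
# against an advisory list. Package names, versions and advisory ids are
# constructed for illustration; a real check would use a live advisory feed.


def parse_version(text):
    """'2.3.1' -> (2, 3, 1); tuple comparison gives numeric ordering."""
    return tuple(int(part) for part in text.strip().split("."))


def is_affected(pinned, introduced, fixed):
    """True when introduced <= pinned < fixed (fixed=None means no fix yet)."""
    v = parse_version(pinned)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


# Constructed manifest of third-party components in a hypothetical build.
MANIFEST = {
    "canbus-codec": "2.3.1",
    "ota-client": "1.0.5",
    "json-lite": "4.2.0",
    "tls-shim": "0.9.2",
}

# Constructed advisories (ids are placeholders, not real CVEs).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "canbus-codec", "introduced": "2.0.0", "fixed": "2.4.0"},
    {"id": "ADV-EXAMPLE-0002", "package": "json-lite", "introduced": "4.0.0", "fixed": "4.1.3"},
    {"id": "ADV-EXAMPLE-0003", "package": "ota-client", "introduced": "1.0.0", "fixed": "1.0.4"},
    {"id": "ADV-EXAMPLE-0004", "package": "tls-shim", "introduced": "0.9.0", "fixed": None},
]


def scan(manifest, advisories):
    """Return one finding per advisory whose affected range covers a pinned version."""
    findings = []
    for adv in advisories:
        pinned = manifest.get(adv["package"])
        if pinned is None:
            continue                      # component not shipped in this build
        if is_affected(pinned, adv["introduced"], adv["fixed"]):
            findings.append({
                "package": adv["package"],
                "pinned": pinned,
                "advisory": adv["id"],
                "remediation": (f"upgrade to {adv['fixed']}" if adv["fixed"]
                                else "no fix yet; mitigate or replace"),
            })
    return findings
```

Run `scan(MANIFEST, ADVISORIES)` in a build pipeline and fail the build on any finding; the unfixed case is the one that needs a human decision, since there is no version to upgrade to.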

3. User awareness and consent

In addition to protecting the car’s hardware and the vehicle’s software, it is important to emphasize the responsibility of connected car manufacturers to alert users to the importance of which devices they allow to be connected and for what purpose.

This is where user consent needs to be obtained and regulations such as the GDPR rigorously enforced.

Third-party IoT providers must clearly define why they want to interact with connected cars and what they plan to do with any data they get from the automobile, but it is the job of manufacturers to assure users of the security of their data.

Eval & Thales technology partnership: bringing trust to connected cars

As we look to our increasingly connected future, we can be sure that the relationship between vehicles and IoT is only likely to increase in complexity.

With a dedicated approach to data privacy and security, any risks of cyber attacks or misuse of data in connected cars can be significantly mitigated.

The IoT industry is growing at an exponential rate now. Traditional car companies need to adopt a safety-first approach.

This approach is necessary to take advantage of the huge strides technology can make in the lives of drivers and road users through connected vehicles.

With more than 20 years of experience in connecting vehicles, Eval and Thales’ customers benefit from their leading position in mobile connectivity standardization, serving more than 450 mobile operators worldwide.

Global automotive connectivity solutions and remote management greatly reduce supply chain complexity for automotive manufacturers while enabling easier end-user experiences over long vehicle lifecycles.

Eval and Thales’ solutions enable the use of end-user subscriptions for infotainment services in mobility and provide the technical capability for infotainment/telematics connectivity.

Leveraging proven and advanced expertise in digital security and IoT, Thales Trusted Key Manager provides connected car manufacturers with support for digital transformation, ensuring the end-to-end security of the automotive ecosystem.



Impacts of the LGPD on retail

It’s no secret that the role of data in the retail sector has grown considerably with the rise of global e-commerce and mobile commerce. Therefore, the impacts of the LGPD on retail are strongly felt and will define much of the data protection strategy in retail in the coming years.

In this fast-paced and ever-evolving digital landscape, information governance has become a prominent topic, with companies in the retail sector considering how they can modernize their data protection policies.

Failure to comply with these policies or misuse of individuals’ personal data can have severe legal, reputational and financial consequences.

What are the impacts of LGPD on retail?

In this era of personalized communication strategies and targeted online marketing, radical changes in data collection, processing and storage have huge implications for retailers.

The General Data Protection Law (LGPD) came into force in 2020 with some limitations regarding the application of fines and other types of penalties, but in practice it represents a great opportunity for retailers and something they absolutely need to be aware of.

This is because data is the most valuable commodity retailers can have in relation to their consumers, whether they are business-to-business (B2B) or business-to-consumer (B2C).

What you know about your consumers shapes your proposition, your pricing and your supply chain. For this reason, not considering the impacts of the GDPR on retail can be a big mistake.

There are four main aspects of the GDPR that retailers should be aware of, and they should act fast enough to deal with all of them.

Firstly, privacy notices will be much more prominent. These are the statements you put on your website telling consumers what you will do with their data.

The familiar checkboxes will still feature prominently, but consumers will have to tick them proactively.

This means that retailers must provide detailed information, allowing consumers to make fully informed decisions about whether they want to allow the retailer to retain and process their data.

New privacy notices need to explain why the data is needed, how it will affect the consumer, the criteria used to decide how long the data is retained and the consumer’s right to withdraw their consent.

The second key area is accountability and record keeping. Again, compliance will be a challenge, but retailers will also have to demonstrate that they have kept their records up to date and compliant with the GDPR.

Thirdly, you must have a written agreement with any third party processing the data for you.

If a retailer outsources information collection, which many large companies do, then they need a robust written contract that sets out the terms and conditions between them and the outsourcer.

In addition, there are contractual clauses prescribed by the LGPD, which means that many agreements between retailers and the parties collecting and processing their data will have to be scrapped and redrafted from scratch at significant cost.

Finally, retailers should address enhanced individual rights in relation to information held about individuals.

This includes the right to be forgotten and the right to data portability, which is linked to data use.


How can retailers implement an effective data protection program and reduce the impacts of LGPD on retail?

LGPD compliance needs vary from retailer to retailer, based on how well their business activities support the personal data privacy rights of individuals in Brazil.

Implementing an effective LGPD program can be particularly tricky for retailers, especially those who have a variety of customer touchpoints across channels, as well as those who have franchises.

These various touchpoints range from points of sale to e-commerce and call centers, as well as mobile apps, kiosks, ERP systems and even email.

To start, retailers should consider some common questions when it comes to implementing their data privacy program:

  • If a data subject wants to delete their data, how do I locate all their information? How will the company determine what can be excluded and what is required for regulatory or legal retention purposes?
  • If a consumer data subject wishes to obtain access to their personal data, what can the business provide? In what format will it be delivered?
  • What personal data does the company retain and for how long?
  • Do we need to work with third party suppliers to obtain copies of personal data?
  • Do we have employees who may make similar requests and does the company know how to respond to these requests?
  • Can the company meet the deadlines set by the GDPR?
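The first two questions above are the ones a data map answers. As an added example (written for this page, not from Eval or any retailer's system), the following locates a subject's records across a constructed set of systems, separates what can be erased from what a retention rule requires keeping, and builds a portable export. The systems, records, subject ids and the five-year retention period are all constructed placeholders; real retention periods come from the applicable law and must be confirmed with counsel.

```python
# Added example (not from the page): a data map that answers "where is
# this person's data" and "what can be deleted" for a constructed retailer.
# Systems, records and retention periods are constructed placeholders.
from datetime import date, timedelta

SYSTEMS = {
    "ecommerce": [
        {"subject_id": "S-100", "email": "s100@example.com", "date": date(2024, 6, 2)},
        {"subject_id": "S-200", "email": "s200@example.com", "date": date(2024, 6, 9)},
    ],
    "pos": [
        {"subject_id": "S-100", "ticket": "T-551", "date": date(2024, 1, 10)},
    ],
    "erp_invoices": [
        {"subject_id": "S-100", "invoice": "INV-1", "date": date(2021, 3, 1)},
        {"subject_id": "S-100", "invoice": "INV-2", "date": date(2018, 5, 20)},
    ],
    "marketing": [
        {"subject_id": "S-200", "segment": "vip", "date": date(2024, 7, 1)},
    ],
}

# system -> (legal reason, retention period). Constructed placeholder rule.
RETENTION = {
    "erp_invoices": ("tax records", timedelta(days=5 * 365)),
}


def locate(subject_id, systems=SYSTEMS):
    """Every record about the subject, grouped by the system that holds it."""
    found = {}
    for system, records in systems.items():
        hits = [r for r in records if r["subject_id"] == subject_id]
        if hits:
            found[system] = hits
    return found


def plan_erasure(subject_id, today, systems=SYSTEMS, retention=RETENTION):
    """Per record: delete, or retain with the legal reason and the date it expires."""
    plan = []
    for system, records in locate(subject_id, systems).items():
        for r in records:
            rule = retention.get(system)
            if rule and today - r["date"] < rule[1]:
                plan.append({"system": system, "record": r, "action": "retain",
                             "reason": rule[0], "until": r["date"] + rule[1]})
            else:
                plan.append({"system": system, "record": r, "action": "delete"})
    return plan


def export_for_subject(subject_id, systems=SYSTEMS):
    """Portable copy for an access request: internal key dropped, dates as ISO strings."""
    return {
        system: [{k: (v.isoformat() if isinstance(v, date) else v)
                  for k, v in r.items() if k != "subject_id"} for r in recs]
        for system, recs in locate(subject_id, systems).items()
    }
```

The useful property is that the erasure plan is explainable: each retained record names the rule and the date after which it, too, must be deleted, which is exactly what a data protection officer needs to answer the subject and the regulator.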

Data subject requests are by far one of the most complicated aspects of GDPR compliance because consumers want to know:

  • How their personal data is protected;
  • Where their data is located and who has access to it;
  • How to correct personal information;
  • Whether the company has consent to use or share their personal data.

In general, the LGPD requires retailers to take a holistic approach to data privacy governance.

Remember that data protection law was established with the understanding that data privacy will continue to evolve, and the enforcement of personal data privacy rights will need to change.

Effective data privacy programs should be aligned with retailers’ business, operations, legal and technology functions, helping to drive a culture of privacy and data protection across the enterprise.

Retailers who confirm that their current policies meet LGPD requirements and establish robust and responsive corporate data privacy philosophies will be better equipped for the new era of data privacy.

The possible unviability of the business as one of the main impacts of LGPD in retail

Retail companies need to reframe the way they think about customer data and their own accountability. So, if implemented properly, the GDPR can be an opportunity for improvement for organizations.

Adopt a risk-based approach. Privacy has to be a component that you are prepared for and believe in.

Fines will be levied based on what is provided for in the GDPR, which puts companies at significant risk.

The values assigned to each situation can make the organization’s existence totally unviable or compromise its credibility in the eyes of the market and consumers.

Please contact us. Our experts will be able to help you, contributing to the development of your data protection projects and the continuous improvement of your company.



Fraud and Data Theft: 11 Tips for Customer Security

The Serasa Experian Global Identity and Fraud Survey 2020 shows that 57% of companies are facing increasing losses from fraud and data theft year after year, despite claiming to be able to identify their customers accurately. That is why investment in data protection is needed.

The reality shows that three out of five companies said there was an increase in fraud over the past 12 months.

In other words, the study carried out by Serasa Experian shows that companies’ concerns about the increase in fraud and data theft persist even with the investment in security and data protection made in recent years.

Furthermore, the average cost of a data breach in 2020 is $3.86 million, according to IBM’s data breach study. Despite the slight drop from 2019 (USD 3.9 million), it is still a very high amount to pay for fraud and its impacts with customers.

What happens when those responsible for protection are compromised by fraud and data theft?

In September 2017, consumer credit agency Equifax admitted its third cyber attack in two years, when hackers exploited a website vulnerability.

Key Facts About the Cyberattack suffered by Equifax

  • Some 143 million US customers have potentially become vulnerable by having their personal data compromised (with 400,000 in the UK);
  • Confidential information (including social security numbers, driver’s license numbers, dates of birth, medical history and bank account information) was compromised, leaving customers vulnerable to fraud and data theft;
  • Equifax was criticized for being ill-equipped to manage the breach. It took five weeks to make the breach public, and it set up an information website and a hotline, where customers criticized the lack of information and the long delays;
  • In a notable gaffe, customers were also directed to a fake website in the company’s tweets;
  • Offers of a one-year free credit monitoring and identity theft service were deemed inappropriate;
  • A lawsuit has been filed accusing Equifax of negligence with customer data, with potential cost implications of $68.6 billion.

Consumers whose data has been leaked, stolen, or used in fraud don’t even know that their personal information is at risk for months or even years. But what choice do people have: don’t travel, don’t share, don’t use social media?

OK, we can make these choices if we need to, but we still need to get health care services, use a bank or a credit union, be insured, or even get our Social Security benefits.

How can companies take the first steps to prevent fraud and data theft?

These are the top tips from experts to help you keep your company’s confidential information safe from fraud and data theft.

1. Get rid of paper

If you must keep paper files, destroy them as soon as they are no longer needed. In practice, there are nine things that companies must destroy:

  • Any correspondence with a name and address;
  • Luggage tag;
  • Travel Itineraries;
  • Extra boarding passes;
  • Credit offers;
  • Price list;
  • Vendor payment receipts and paid invoices;
  • Cancelled checks;
  • Receipts.

2. Assess which data you most need to protect against fraud and data theft

Audit or evaluate your data. Every company is different. Each has different regulations, different types of data, different needs for that data, and a different business culture.

Hire an outside expert to assess what data you have, how you are protecting it (not how you think you are protecting it), and where that data is going.

While you may think it is an unnecessary cost, if you report to customers and prospects that you have done an external data assessment, you may find that it puts you at an advantage over your competitors.

3. Restrict access to your confidential data

Not everyone in the company needs access to everything. Does the project manager need pricing information? Does the seller need information about the operations?

By restricting the data to which each person has access, you limit your exposure when an employee decides what they want to steal or when the employee’s account is compromised by an outsider.
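Restricting access is only half of it; the healthcare section earlier on this page makes the other half explicit: knowing exactly who can and cannot see what, and who has seen what. The following added example (written for this page, not from Eval's products) shows both in one small deny-by-default store: each read or write is checked against the user's role and recorded, so a "who has seen pricing?" question is answered from the log rather than from guesswork. The users, roles, resources and permission names are constructed for illustration.

```python
# Added example (not from the page): a small deny-by-default store where
# every read/write is checked against a role and recorded, so you can
# answer both "who can see what" and "who has seen what". Users, roles
# and resources are constructed for illustration.
from datetime import datetime, timezone

ROLE_PERMISSIONS = {
    "project_manager": {"schedule:read", "schedule:write"},
    "sales":           {"customer:read", "pricing:read"},
    "finance":         {"customer:read", "pricing:read", "pricing:write"},
}
USERS = {"ana": "project_manager", "bruno": "sales", "carla": "finance"}


class ProtectedStore:
    def __init__(self, data, users, role_permissions):
        self._data = dict(data)
        self._users = users
        self._perms = role_permissions
        self.audit_log = []

    def _authorize(self, user, resource, action):
        role = self._users.get(user)          # unknown user -> no role -> denied
        allowed = f"{resource}:{action}" in self._perms.get(role, set())
        self.audit_log.append({               # every attempt is logged, allowed or not
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "resource": resource,
            "action": action, "allowed": allowed,
        })
        if not allowed:
            raise PermissionError(f"{user} may not {action} {resource}")

    def read(self, user, resource):
        self._authorize(user, resource, "read")
        return self._data[resource]

    def write(self, user, resource, value):
        self._authorize(user, resource, "write")
        self._data[resource] = value


def who_has_seen(store, resource):
    """Distinct users whose read of `resource` was allowed (the 'who has seen what' question)."""
    return sorted({e["user"] for e in store.audit_log
                   if e["resource"] == resource and e["action"] == "read" and e["allowed"]})


def denied_attempts(store):
    """Denied attempts are the entries a detection rule should watch."""
    return [(e["user"], e["action"], e["resource"]) for e in store.audit_log if not e["allowed"]]


def demo():
    store = ProtectedStore(
        {"pricing": {"widget": 9.9}, "schedule": {}, "customer": {}},
        USERS, ROLE_PERMISSIONS)
    store.read("bruno", "pricing")                     # sales may read pricing
    store.write("carla", "pricing", {"widget": 10.5})  # finance may change it
    attempts = [("ana", "read", "pricing"),            # PM has no need for pricing
                ("bruno", "write", "pricing"),         # sales may read, not write
                ("unknown-user", "read", "customer")]  # no role at all
    for user, action, resource in attempts:
        try:
            if action == "read":
                store.read(user, resource)
            else:
                store.write(user, resource, {})
        except PermissionError:
            pass
    return store
```

Two design points: permissions are granted to roles, never to individual users, so a job change is one line in `USERS`; and the audit entry is written before the decision is enforced, so a denied attempt is never silently lost.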

4. Apply internal and external data privacy controls

Make sure that third parties and service providers contracted by your company follow the same strict data privacy controls that you implement in your own organization.

Audit them periodically to ensure compliance with your security standards and reduce the risk of fraud and data theft.

5. Use strong passwords to protect computers and devices

Make it difficult for third parties to access your company and employees’ devices and computers if they are lost or stolen by protecting them with strong passwords and enabling remote wiping on all devices.

6. Install or enable a firewall

Even small companies with only a few employees have valuable data that needs to be protected. Make sure you have a firewall installed to prevent strangers from accessing your company’s network.

7. Secure your wireless network

Use a strong password and encryption, and hide your wireless network from strangers. Don’t let neighbors or passersby get into your network or even see that it exists; otherwise you are increasing the risk of fraud and data theft.

8. Combat fraud and maintain good customer relations in accordance with LGPD

Adhering to the fundamental principles of the General Data Protection Law (LGPD) and preventing fraud and data theft, as well as having good customer relations, can go hand in hand.

Minimizing the amount of personal data collected, anonymizing this data and adopting privacy principles from the outset will not only ensure that your customers’ right to data privacy is preserved, but will also help mitigate your risks from the perspective of the LGPD.

9. Data minimization

Whether or not you rely on legitimate interest to acquire data, you should collect only the minimum data necessary to achieve your goal.

If you can combat fraud and data theft with only the smallest amount of non-direct identification information, it’s better. That will mean less data to protect later.

10. Anonymization

Make sure that all data is protected using tokenization or encryption.

In addition to increased security, a clear benefit is that mandatory breach reporting requirements are significantly reduced for anonymized data, as the risk of harm to the data subject is greatly reduced as long as the key is not compromised. Strictly speaking, data that can still be re-identified with a key is pseudonymized rather than anonymized, so the key and the token vault must be protected with at least the same care as the data itself.
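To show what tokenization looks like in practice, here is an added example (written for this page, not Eval's tokenization product) that pairs a token vault with keyed pseudonymization: operational systems hold random tokens that carry no information about the original value, the vault that maps tokens back lives in a separate, tightly controlled system, and analytics gets a keyed HMAC pseudonym that links records without exposing or allowing recovery of the identifier. The field names, sample values and key are constructed for illustration.

```python
# Added example (not from the page or from Eval's products): tokenization
# with a separate vault plus keyed pseudonymization for analytics. Field
# names, values and the key are constructed for illustration.
import hashlib
import hmac
import secrets


class TokenVault:
    """Maps random tokens to the original values. Kept in a separate,
    tightly controlled system; the token itself carries no information."""

    def __init__(self):
        self._by_token = {}
        self._by_value = {}

    def tokenize(self, value):
        if value in self._by_value:              # stable token per value
            return self._by_value[value]
        token = "tok_" + secrets.token_hex(12)   # random, unrelated to the value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token):
        return self._by_token[token]             # KeyError for unknown tokens


def pseudonymize(value, key):
    """Keyed, deterministic pseudonym: lets records be linked without the
    raw value, cannot be reversed, and is unlinkable without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:24]


SENSITIVE = ("cpf", "name", "email")             # constructed list of direct identifiers


def protect(record, vault, key):
    """Return (tokenized record for operations, pseudonymous row for analytics)."""
    tokenized = {k: (vault.tokenize(v) if k in SENSITIVE else v) for k, v in record.items()}
    analytics = {k: v for k, v in record.items() if k not in SENSITIVE}
    analytics["subject"] = pseudonymize(record["cpf"], key)
    return tokenized, analytics


def restore(tokenized, vault):
    """Only a system with vault access can turn tokens back into values."""
    return {k: (vault.detokenize(v) if k in SENSITIVE else v) for k, v in tokenized.items()}
```

The split matters for breach reporting: a copy of the tokenized table, or of the analytics table, reveals nothing about the subjects by itself; only the vault and the HMAC key do, which is why those two artefacts get the strongest controls.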

11. Privacy by design

Make data privacy an integral part of your organization’s thought process at all levels.

Make it a habit for all departments to ask questions about what data you need, how you will protect it, and whether or not you need consent. Not to mention that a well thought out privacy strategy will likely create a better user experience.

And don’t forget authentication! Compromised and stolen credentials are a real threat to the security of your users’ data. This threat vector makes stronger authentication an essential component in the fight against fraud and data theft, as well as in defending your users’ right to data privacy.

How EVAL can help your company fight fraud and data theft

EVAL has solutions for application encryption, data tokenization, anonymization, cloud protection, database encryption, big data encryption, structured and unstructured file protection on file server and cloud, and key management to meet different demands in the area of data security.

These are solutions for business to be compliant and protected against data leakage.
