According to data from the 2022 State of Cybersecurity Trends, a report by Arctic Wolf Networks, nine out of ten cyber attacks target an organization's employees. In this scenario, information security awareness was the main focus of RNPSeg 23, which took place in Brasília, on August 30th. 

Exclusive in person for managers and Cybersecurity specialists and broadcast online, RNPSeg is promoted by CAIS, the Cybersecurity Intelligence area of RNP. Highlighting the need to approach cybersecurity in an educational way for employees of organizations, RNPSeg 23 had the theme "Human factor: awareness to combat cyber threats". 

Among the speakers were Alex Amorim, founder and president of IBRASPD and CISO of Claro, Anchises Moraes, leader of Threat Intelligence at Apura, Jeferson D'addario, founder and CEO of Grupo Daryus, Marcelo Lau, director at Data Security and coordinator at FIAP, and Renato Opice Blum, lawyer, economist and professor. The guests brought valuable perspectives on the importance of raising awareness in public and private institutions. 

Alex Amorim started the event by highlighting the evolution of technologies to state that awareness has become crucial in an increasingly connected world. "When we think about security, many companies end up doing it to 'get a passing grade'. Some security professionals still don't have the goal of impacting people's lives. However, we need to start bringing people to the center of everything. Go beyond simply complying with a corporate policy to show the importance of creating safer practices in the digital environment", he highlighted.

Phishing and scams that use social engineering continue to negatively impact people's lives inside and outside of work. These scams disguise themselves as legitimate communications, exploiting victims' trust and lack of knowledge, or use urgency or sensationalism to make their messages more appealing. To prevent these attacks, cyber education is the solution. 

Marcelo Lau raised the impact of knowledge on changing the behavior of online users. "I, as an academic, usually say that knowledge transforms. There is no point in carrying out a series of actions in the corporate environment, in technologies, if the result is the same over and over again. We have to change our techniques and our vision, thinking about user behavior in the face of online threats and scams", he declared. 

During the event, Jeferson D’addario also added that security awareness needs to impact employees beyond their work lives and into their families. “A company’s security perimeter, security management, is as important as financial management and HR management. Our mission needs to be that our message reaches the employee's child's fingertip. We have to provide education to that person’s child. There is a lot of talk about digital inclusion, but are we talking about security? Every statistic is a reflection of this lack of preparation,” he said. 

Anchises Moraes added, saying that the lack of investment in Information Security in many companies makes the viability of awareness plans more complex and difficult. "The vast majority of organizations barely have a security team. Rarely do they have one person who cares about awareness," he explained.

Regarding the legal issue, one of the comments by Renato Opice Blum, a specialist in cyber law, concerned the use of sanctions so that Information Security is taken as a more serious and alarming issue. 

“At least 95% of online scams could have been prevented if victims had taken different actions. It is a very high rate. Everyone agrees that we have to educate, that awareness involves everyone, but the fact is that the situation is not improving. I bring the seat belt analogy. Many people didn't use it for a while, even though they knew its importance, because it was uncomfortable. However, when there was a sanction, a fine, the legal imposition generated the safest practice”, he compared. 

The RNPSeg 23 event made it clear that awareness is not only a preventative measure, but also a smart strategy to protect companies' assets and reputation. In this scenario of growing cyber threats, the message is: employees are not the weakest link in information security, they are the first line of defense, and awareness is the key to strengthening this line.

Watch the event in full