“Cybersecurity is a never-ending marathon”
A good knowledge of defense and attack techniques is fundamental to guarantee security in companies, regardless of their size and sector of activity. To win this race it is necessary to create a culture of knowledge in society.
The topic of cybersecurity gained relevance with the pandemic and with a greater digitalization of companies and processes. As an IT consultant, how does Crossjoin evaluate the current panorama of cybersecurity in companies in Portugal?
Portugal has been no exception when it comes to increased investment in cybersecurity. With Covid-19, companies were forced to adapt to a new reality, reinventing how they work and how they relate. This new normal has potentialized risks, often overlooked, and introduced challenges to operations, such as the massification of remote work, adoption of collaborative tools, software/infrastructure as a service (SaaS/IaaS), Cloud Computing, among others. With increased exposure and the escalation of cyber threats, there has been a trend of increased visibility of the population regarding the dangers in the use of technology, a greater attention to the risks of leakage and loss of information, especially in light of regulations such as the GDPR, and the impact that may have on business. This justifies, in part, the increased demand for information security professionals, especially in the area of cybersecurity, as well as the adoption of international standards as a reference of best practices, for example ISO/IEC 27001, which is an international reference standard for information security management. Crossjoin understands that it is imperative to protect against cyber and information security risks and, for this reason, we invest in improvements with the adoption of an information security culture, demonstrated with the continuous audits under our ISO/IEC 27001 certification. In addition, we reinforce this need with our customers and partners, since an increase in investments in this area is perceptible, but still insufficient against the level of attacks to which they are subject.
Is there a growing awareness of the dangers and an increased investment in cybersecurity solutions in organizations?
We consider that there has been progress in society’s self-awareness, as a result of their experience as victims of cyberattacks/burglars, but also thanks to the increase in media coverage of cyberattacks. However, in general, society is still not properly aware of the precautions to take regarding data exposure and transmission, nor of the impact that certain cybersecurity attacks can have on their lives. For this reason, we still see a lot of cases due to lack of attention or carelessness. Unfortunately, many companies do not pay enough attention to the topic of cybersecurity, data privacy and/or do not have the financial capacity to educate themselves or prepare for threats, for example, exposure of critical customer data.
Is the myth that cyberattacks only happen in big companies outdated?
Attacks on large companies end up gaining greater notoriety in the media for their direct impact, seen in the financial values and users affected. On the other hand, small companies are not immune, suffer from attacks at scale and become the choice of strategy by opportunistic attackers who exploit technical vulnerabilities, especially with the lack of capacity to invest in technology, as well as social engineering attacks and with the lack of an information security culture.
Portugal has been one of the countries in the world with the most cyberattacks. Why does this happen?
In 2022, Portugal was the third country in Europe with the most cyberattacks, with those with the greatest impact having the purpose of exfiltrating information. This is due to a sum of several factors, among the main ones being the lack of awareness of the care to be taken regarding the exposure and transmission of data or its impacts by the Portuguese. In addition, outdated or discontinued/unmaintained or improperly maintained software increases the attack surface. However, it was not only our country that was the target of an increase in cyberattacks; in fact, this phenomenon was observed worldwide.
There is a lot of talk about the lack of literacy of users who continue to be the ‘weakest link’ in cyberattacks. What can and should be done to change this picture?
The truth is that a large portion of cyberattacks stem from social engineering, such as phishing attacks. These attacks have a high success rate, because the digital society is not sufficiently prepared to recognize them. Although the investment required to mitigate these types of attacks is low compared to other types of attack, it is an action that requires the creation of a culture of care with information security, in which concerns are daily and continuous. Thus, the best defense against social engineering attacks, more specifically phishing, is awareness. But this awareness should not be restricted to corporate environments and companies. Awareness about information security principles, safe surfing, social networking security, as well as the possible threats, types of attacks and effects, should start as early as possible. Exposure to the Internet and the digital world starts earlier and earlier, so care and awareness should start with the youngest, in public society, schools, universities, etc.
What support can Crossjoin provide to companies in this regard?
In the same way that technology is constantly evolving, forcing a rapid response when it comes to cybersecurity, the services provided in this area also evolve. We continuously evolve our information security and cybersecurity services in order to incorporate this component in any kind of project. Thus, we help our clients with an Information Security By Default & By Design approach, with the integration of information security into processes, as well as development security audits and consulting, with integration of security into the application flow. With current trends, we can also assist with the integration of SaaS and Cloud solutions, with ‘Cloud Security’ analysis and diagnostics, as well as a dedicated information security management service (‘Information Management Security Check’).
Internally, Crossjoin has a security skills center. What is the role of this center?
Internally, we have our own cybersecurity competence center (SIG = Special Interest Group) that allows us to constantly update and improve on cybersecurity issues, both for internal consumption and for our customers. Our responsibilities are the security of our information, investing in a highly specialized team in this area, raising awareness among our employees and preventing threats, with the aim of minimizing the risks of possible attacks and their respective impacts.
What differentiates your offer in such a competitive sector?
Our offer differs from the rest of the industry in the methodology and culture that defines the approach to problems. We define the goal, what we need to achieve that goal, and then the path to the goal, never making assumptions. This approach allows us to arrive at the most viable solution and to be able to solve problems considered impossible by many others in our industry.
What are your internal challenges, and what are the challenges facing organizations in general when it comes to cybersecurity?
Our challenges are the same as in other organizations: keeping up to date with the new technologies that are developed every day, and keeping all our employees prepared for possible attack attempts.
What warnings would you leave to entrepreneurs on the subject of security?
The warning we leave is to always be on alert and in continuous evolution. Cybersecurity is a never-ending marathon, in which our adversary only has to outrun us by a millimeter, once, to win it. We have to be always ready and always on the alert when using cyberspace. That’s why it’s necessary to always be up-to-date with new technologies and new methods of defense and attack that are developed.
SIG team in Exame Informática