Posted on: 02/08/2022
How much do you actually think about how safe you are on the Internet? If you answered “very much”, you are not alone.
Recent surveys have shown that Brazilians are increasingly concerned about digital threats. However, they ignore an important part of online surfing: the privacy and security of their data.
Surfing the Internet and doing almost everything online has become commonplace. After all, the ease of paying a bill online instead of queuing is one of the advantages brought by digital technology. Shopping hasn’t escaped this trend either: almost everything can be checked down to the smallest detail and bought without leaving home.
With the covid-19 pandemic and social isolation, being online became, for many people, the only way to stay in contact with the world. Restaurants dedicated themselves exclusively to deliveries for orders placed via apps; markets and pharmacies expanded the ways customers could purchase their products, also via websites and apps; and stores implemented other online ways to reach their audiences.
The establishments that had not yet invested in their digital presence needed to catch up in order not to close their doors.
Obviously, it was not an overnight process. Investments in the online environment were already being implemented by many companies. But the pandemic may have accelerated a process that would still take some time for some areas, which were forced to carry out the digital transformation much faster.
In the health area, for example, the use of new technologies and the regularization of telemedicine and virtual consultations in Brazil in 2020 were considered major advances, even allowing the compilation of more accurate data, which can contribute to the creation of more equitable medical assistance.
The development and use of new applications by the federal government, facilitating access to various types of services, was also one of the highlights of the acceleration of digitalization. According to the federal government’s website, in 2020 alone, 251 more digital services were guaranteed, intensifying the digitization process that was already under way.
However, it was not long before news reports appeared questioning the level of security of these applications, especially those from the government, which failed to specify the privacy policy and the various uses to which that data could be put. The information leaks, caused by system failures, have also worried millions of Brazilians, who may have had sensitive data exposed and their internet security jeopardized.
It is important to point out that the consequences of exposing this data for individuals can range from fraud and financial crimes to document forgery, generating financial losses and moral damages.
For companies, on the other hand, data hijacking and leaks can cause major reputational damage, in addition to the legal consequences imposed by the General Data Protection Law (LGPD).
But how do we circumvent the digital threats that put our data and information at risk, and ensure internet security? We talked to Ellen Martins Lopes da Silva, Data Protection Officer (DPO), in charge of data protection and compliance with legislation related to the control of digital information at Synergia. Check out the interview!
Are secure Internet and information security the same thing?
Information security is like a big umbrella, and under that umbrella I have several topics, like LGPD, internet security, system security… all this is within information security. Today, all data ends up being transmitted over the Internet, and not just in the browser itself, but through e-mail, WhatsApp, Teams and other applications that are also used on a massive scale.
If we could see the bits traveling in front of us while we are talking, it would be a tangle of information. So it involves everything.
So when we talk about secure internet, we include not only browsing, but the use of applications and other uses of our data. What would they be and what do we need to be aware of?
The issue of secure Internet came with the advancement of technology and the expansion of computer use, which started in the 70s. And today, practically everything we do depends on the Internet.
We have yet another aggravating factor. All the time we have other devices connected to the Internet. It used to be only desktops, then came laptops, today smartphones. We also have other devices being connected to the Internet, which is what we call the Internet of Things. Today we have radars integrated into the Internet, refrigerators, television. We have already had cases where the attacker broke into a home network using the baby monitor.
It is a risk we take. With more connected devices, there are more possibilities for attacks and more ways to commit scams and extort money from victims. So, I think the area of information security is also growing exponentially.
Do you believe that the pandemic has accelerated this adaptation to a safer Internet?
I can’t tell if there was an acceleration in the development of these methodologies and tools or if these tools already existed, but the companies ended up not using them. So really, with the pandemic, they had to flip the switch quickly, because companies needed to adapt and make the business continue in a format other than in-person. We had very significant changes and in a very short time.
Can you talk a little bit about the General Law of Data Protection (LGPD) and how it relates to information security?
Since 2012, I have been in Information Security, at the time teaching only, and it was very common for classrooms to be empty. It was not an area that had much demand. Companies did not see an added value within information security. With some attacks that have been happening, companies have started to look a little bit at this side of security as a whole, not so much at personal data, but more at business-critical corporate information.
Then came this concern about personal data and the LGPD to try to put some order into this issue of how data was handled within the internet. For example, not disclosing data and not collecting too much data, because the attacks are there, exposed.
On Google itself, doing simple searches, using Google Hacking techniques, you can find complete listings, with name, CPF and RG. In some cases you even have the bank card number with the CVV code (Card Verification Value), and everything.
I am not talking about being an experienced hacker and using tools, I am talking about a simple Google search, which we use in everyday life. Everything is there, very vulnerable, and the attackers take advantage of this to carry out their scams.
The law brought a way to make companies look at the security issue as a whole, but mainly at the most vulnerable part, which would be the people who are in those databases and can have their information leaked. And I am not only talking about name and CPF, which are less critical, but many times we have sensitive information, such as exams, medical reports and religion, which can cause some discrimination.
The LGPD has come to limit somewhat how institutions handle personal data.
The LGPD has changed a lot about how companies need to behave toward consumers. But do you think it has changed the view of consumers themselves, or do we still agree to terms and conditions of use without actually reading them?
I won’t say that it has totally changed. But from what I have been following in the market, we already have requests. Data subjects are starting to get smarter. But we still need to raise awareness a lot more. People still don’t stop to think and question “Why do I need to provide this data?” You have to question, try to understand, and assert your rights.
Here at Synergia, I find it very nice when a department or someone from a project comes to me with a question. We planted the seed of doubt, and that already goes a long way.
Fake news also fits in as a form of lack of internet security. How can we avoid them and be more attentive?
In the case of fake news, the main thing is, before sharing, to check the veracity. If it is an Internet news story, there are sites that you can check to see if it is real or not. Usually fake news has some typo or misspelled words.
On the issue of scams [malicious links that arrive via WhatsApp, email, or SMS], be careful not to click on links that can direct to fake pages. If there is a link, you can hover the mouse over it to check if the hyperlink is correct, for example.
When shopping online, what do we need to pay most attention to?
Having an antivirus on your machine, and keeping it up to date, is essential.
Be careful with prices: a price that is totally out of line indicates that there is something wrong there.
Will you buy with a credit card? If you have the possibility, use the virtual card, which will generate a number valid for 24 hours, and only for one purchase. Use that number, because if they try to clone the card and the person uses that number on the new purchase, it won’t work anymore.
Always pay attention to the URL of the site, be careful which links you click on, and which tracking cookies you accept.
On the subject of passwords, what would you give as protection tips?
Today, on many sites, we already have the option of two-factor authentication, MFA [Multi Factor Authentication]. For the password itself, the important thing is to avoid weak passwords: very short passwords, passwords consisting only of numbers or only of letters. The ideal is to make a mix, put letters, numbers, special characters, upper and lower case, and with a minimum of 8 to 10 characters.
And, if you can, don’t use the same e-mail password for e-commerce sites. Because if [the attacker] finds out a password, it is easy for them to gain access to all the other places you have signed up. Today we have vault applications, to save all the passwords you have registered on the websites. It is safer.
I also avoid the option that Google gives to save the password in the browser, because anyone who accesses your browser, on mobile or computer, and has the site already saved with the password, automatically logs into your account.
And how do we keep the online environment safe for children?
This is very important. The CERT.br [Center for Studies, Response and Handling of Security Incidents in Brazil] site has safety primers aimed at children. It is very cool because it brings this information in a playful way, even about LGPD itself.
In the old days, our mothers used to say “Be careful, don’t talk to strangers. I will leave and you lock the house, which will be safe.” Today, the way of passing on this information has to change a little bit. If accessing the internet, be careful about posting pictures on social networks – this is not only for children, but also for young people. Beware of WhatsApp groups and jokes that can be perceived as a form of bullying. Never talk to strangers, to avoid the cases of pedophiles.
Ellen also talked to us about the changes companies needed to make to comply with LGPD and keep their data secure, especially about the process Synergia adopted to ensure a secure Internet for both internal information and customer and community data. Check out the answers!
How important is secure Internet for Synergia?
For Synergia, it is mainly about protecting the information that we have both at the business, corporate, and strategic level of the company, and the data that we have in the database.
Most of the data we have in the database is from data subjects, individuals, not just employees. But we have data on families assisted, often in complicated situations and complex scenarios of vulnerability. So I think the main care we take is to avoid data leakage, which would be bad for Synergia both for the people impacted and for our client contracts.
And what is being done to improve this security? What changes were made internally?
The process of implementation and adaptation of the LGPD was a major milestone. There, we started to review all the processes that involve personal data handling, review some procedural issues – what are the processes themselves, and not only the data handling, but even internal processes – information security issues and the implementation of policies and technical measures. This part was very important. The company finished its adaptation process in December [2021].
Another gain we had was the conversation, the integration between areas. Commercial, legal, LGPD, supplies… all talking so that the contracts, both suppliers and customers, already come out with contractual clauses focused on LGPD.
In the beginning, we were kind of “indoctrinating” our clients. Even in the role of a vendor, Synergia was showing its client the importance of having processes in place for information security and LGPD.
I have also always been working on this issue of bringing the employees to our side, because I can have technical measures implemented, but if I don’t have my human part well aware, well trained, and with this broader look, we can’t achieve a high level of security.
I always say that “together we are more”, because it doesn’t depend only on Ellen, only on the IT [Information Technology team] or only on the legal department. It depends on the company as a whole and looking at the same goal: keeping both corporate and personal data secure.