Educational work alerts employees to cybersecurity

With an interest in good security and information technology (IT) practices, Companhia de Saneamento Ambiental do Distrito Federal (Caesb) has developed an educational procedure targeting its employees with the goal of raising awareness and promoting a culture of preventing fraud and data leakage.

152 users who clicked on the link in the body of the email, allowing access to their credentials, were redirected to a course highlighting points of interest to be aware of when receiving suspicious emails.

The IT security team sent staff a phishing email (a kind of social engineering attack) which talked about things that matter to employees. The email contained several signs that it was a fake message, so users should watch for details such as an incorrect sender address, a non-existent HR area name and errors in Portuguese, among others.

The 152 users who clicked on the link in the body of the email, allowing access to their credentials, were redirected to a training session that highlighted the points everyone should pay attention to when receiving suspicious emails, as well as promoting care with information security.

Educational procedures at Caesb will be carried out periodically, without prior notice, following the planning of the IT security team | Photo: Publicity / Kisp

Before sending the phishing email, the Office of Information and Communications Technology (PRT) promoted Information Security Awareness Week. During this period, alerts and information security risk prevention guidelines were sent daily with the aim of increasing awareness among Caesb employees, collaborators and trainees.

“The action was to alert staff that although Caesb has many tools to prevent the actions of hackers, the user is part of the security equipment.” Luiz Marcelo Serique, Director of Technology and Communications Infrastructure at Caesb

Beyond the phishing email, as a precaution, an attack simulation was run in Microsoft Defender, which allows simulations of benign cyberattacks on the organization. This simulation tests security policies and practices, and trains employees to increase their awareness and reduce vulnerability to attacks.

Caesb’s Director of Technology and Communications Infrastructure, Luiz Marcelo Serique, explains that these security measures follow guidelines for Good IT Management Practices and Caesb Information Security Policy Guidelines.

The educational procedures will take place periodically, without prior notice, following an action plan by the IT security team, making it possible to monitor the development of employee awareness of this subject. “The measure was to alert employees that although Caesb has many tools to prevent intruders, the user is part of the security equipment,” Serique highlights.

In 2013, Caesb began developing an Information Security Policy and established a committee to analyze rules and good practices and establish benchmarks on this topic. Caesb’s Director of IT Products and Services, Uanderson de Oliveira, explains that thanks to this policy, the company has implemented many improvements in its operations and in its IT infrastructure, such as the creation of two data centers and the development of security systems to control access to the company’s systems.

“Information security is achieved by implementing controls, processes and policies that enhance business and reduce risk and thus enhance the company’s security. Among the methodologies we evaluated, we decided to adopt for reference the National Institute of Standards and Technology publications – NIST 800-37 and 800-53, US methodologies recognized for being comprehensive and flexible for managing cyber risks,” says Anderson de Oliveira.

*With information from Kisp
