Online scams are one of the most prominent cyber threats in Portugal, based on 2021 data, and one that involves “quite the human factor”, according to the Cybersecurity Observatory’s September bulletin, released this Wednesday.
The September newsletter of the Observatory of the National Cybersecurity Center (CNCS) presents an analysis of the different stages of a cyber-hygiene awareness campaign in organizations, so that this type of action is more effective, taking into account the identified threats.
“For the development of cyber-hygiene awareness campaigns in an organization, the most important cyber threats today must be identified and, thus, those that have a greater involvement of the human factor, those that can have a greater impact potential, and the probability that each one takes place in the organization in question, based on history and available information”, reads the document.
For example, “taking into account the most relevant cyber-threats in Portugal in 2021, it appears that online fraud is one of the most prominent cyber-threats and involves a lot of the human factor”.
Last year, the first places among those registered by CERT.PT, a CNCS service, were phishing/smishing (first), social engineering and malware distribution [a program that is introduced into a system, generally covertly, with the intention of compromising the confidentiality, integrity or availability of the victim’s data, applications or operating system]. Those registered by APAV were sextortion, online fraud and identity theft.
Among crimes reported to the authorities (DJPJ), computer/communications fraud came first in 2021, followed by illegitimate access/interception and debauchery by computer means.
Among the three main complaints received by the Attorney General’s Office (PGR) are phishing, online fraud and CEO Fraud, which “occurs when an employee authorized to make payments is deceived [by someone posing as the organization’s management] into paying a false invoice or carrying out an unauthorized transfer from the organization’s bank account”, according to the CNCS.
“In some organizations, a CEO Fraud, which also involves human intervention, although much less than the ‘online’ scam, can have a greater impact and a relevant probability of occurrence. as cyber threats that revealed more risks”, says the Cybersecurity Observatory.
Raising awareness of the techniques used “in CEO Fraud can be as important as raising awareness of those used in online or non-phishing scams. , but with impact, such as ‘ransomware’ [in which a ransom is demanded]”.
In addition to the integration of the important analysis “of human risk, awareness campaigns are based on behavior change”, as “it is not enough to carry out surveys on users’ perceptions of their behavior, due to the fact that a desire to be socially desirable can interfere with the quality of responses about actual behavior”.
The Observatory highlights that “some of the most used methods to assess the cyber-hygiene of employees without reducing the analysis only to surveys are those that use simulations of ‘phishing’ attacks and intrusion tests through social engineering”, which make it possible to evaluate and stimulate the attention of employees.
In short, awareness-raising actions will go through the following stages: first, analysis of human risks; second, definition of messages, target audience and methodologies and, third, awareness-raising actions through diversified devices.
The fourth stage concerns results, through stages, simulations and testing, and the fifth and final stage involves “updating threats and strategies, the update of the stages must be carried out again to the first stage and the restart of the circular process stage, fulfill the need to circulate”, says the Observatory.
On September 29th, CNCS will host a ‘webinar’ open to cybersecurity topics, under the title ‘The Role of Algorithms in Public Gender Equality’, which “intends to contest the effects that animals have (dis)” due to gender equality, considering that a form can be configured”.