The little incidents of everyday life.


Since the General Data Protection Regulation came into effect in the European Union and, in that same year of 2018, Brazil published its General Law on the Protection of Personal Data (LGPD), there has never been so much talk about information security, privacy, and the protection of personal data in our country. So much so that the average citizen has become suspicious when asked for their CPF (Brazilian taxpayer ID number) at a pharmacy checkout.

Companies' investments in digital tools and platforms that meet the requirements of the Law, and in technical measures to protect data from unauthorized access, are absolutely necessary and fully justified in annual strategic plans, reinforced daily by news from around the world of ransomware attacks and other kinds of scams.

And what about the so-called "administrative measures" the LGPD mentions? Typically, privacy policies, data management policies, cookie policies, and the like are published. Some information security best practices are adopted, some processes are improved, a communication channel with the data subject is set up (not always an effective one), and a data protection officer is appointed, very often an outsourced DPO-as-a-service (DPOaaS) who lacks in-depth knowledge of the organization and has no well-defined focal point inside it, someone who would act as a strong link between the DPO and the company's employees and suppliers.

Oh, and training? Yes, an occasional "privacy week" is held, as if a one-off event could accomplish the acculturation employees need in order to practice privacy by default.

Under the constant threat of social engineering, phishing scams, and employees who are malicious or simply distracted, these vulnerabilities are risks waiting to materialize.

For example, how about talking to employees about shoulder surfing, the well-known glance over someone's shoulder at computer screens, cell phones, and documents? And what about emails containing confidential information sent to the wrong recipient? Or emails copied to every recipient, blatantly violating the LGPD's principle of necessity, just so people "become aware" of something they should never have been told in the first place?

There are countless ways in which data incidents can occur every day without our noticing, like slowly dripping faucets, while we keep our eyes wide open and fixed on the threats that, ironically, should already be well under control on the technical side.

Just like physical exercise, which only works if the training is regular and consistent, administrative measures for the prevention, containment, and mitigation of incidents will only produce real results if they are "ingrained" in the employee, if good information security practices are as natural to them as the relaxed "TGIF" mood of a Friday night.

About the Author


  • Certified EXIN DPO working in the educational field, specializing in Data Protection and Privacy, Process Management, BPM, ISO 27001 Information Security, ISO 9001 Quality Management, Postgraduate Professor in Digital Law. Specialist and postgraduate in Cybersecurity and Data Governance.
