How a security company protects itself

 

Redesigning cybersecurity at Prosegur

Would you open an email promising you a 75% discount on the next generation iPhone? Anyone with a basic understanding of cybersecurity would say no, never. But a small percentage are taken in. Literally, because it's a classic phishing technique: : millions of little “hooks” are sent in the form of an enticing email so that an unwary person who opens it will infect their company's systems with malware.

It turns out, however, that this iPhone email was not designed by a hacker, but by Prosegur's Information Security Department, the internal unit responsible for protecting the company's information. It is a simulated attack that trains employees in the best possible way: through personal experience. And it is also a good metaphor to describe the leap in scale in cybersecurity that the company is experiencing worldwide.

Prosegur is a global benchmark in the industry, so cybersecurity has always been a key factor, but now it is even more so, as we benefit from the digital transformation the company is undergoing.

Information security covers needs from the general to the specific and has a complex structure of functions. It has a governance, risk and compliance department that sets the general policies and control model aligned with international standards, reporting to management and communication with business CISOs.

There is a security engineering department that sets the requirements for armouring systems and applications, seeing them through to deployment and thus guaranteeing their security.

There is also a CyberSOC 24x7, managed by Cipher, the company’s cybersecurity division, that monitors all the Group's systems around the clock, neutralises threats.

and simulates attacks on the infrastructures and applications themselves to identify vulnerabilities and strengthen them These threats can come from both outside and inside, which is why they have different types of controls to detect and stop them in time.

On the other hand, the cyber intelligence service reviews the published vulnerabilities on a daily basis, as well as information about the assets and the Prosegur brand present in the network.

In terms of business continuity, the information security team works with the business units to identify critical processes as well as cybersecurity scenarios that could lead to a business interruption. In this way, they define and test the plans that need to be implemented in the event of a serious disruption.

There is also a CyberSOC 24x7, managed by Cipher, the company’s cybersecurity division, that monitors all the Group's systems around the clock, neutralises threats

 

The multifunctional arsenal

This vision comes from the very top, with the CISO in direct contact with senior management and the CEO. "While this may seem logical, it is often not the case in such large companies," Miranda explains. Furthermore, the CISO usually reports hierarchically to the CTO. Not at Prosegur, they are at the same level. "It is a more efficient model. We report the risk situation directly to the management committee to support decision-making. It allows us to independently report on risks and propose solutions to mitigate them," says Miranda.

Each business unit also has its own CISO to strengthen the network. They all report to the Information Security Department, which centrally manages the security of the entire group's IT systems. By this means, the company can escalate without multiplying resources in the 26 countries where it operates.

Corporate cybersecurity usually has a very technical profile, but Prosegur's model relies on a mix of technology and risk management that thoroughly understands the functioning of each company and its threats in order to develop the necessary technological solutions and understand the root causes.

A profile that focuses only on the technical aspects can lead to misunderstandings between the cyber department and the company. "Our model does not run this risk; it eliminates the traditional security role that tended to reject everything that seemed dangerous. Today, it's different. The CISO must be a security advisor who understands the business strategy, speaks its language and helps it succeed by providing the appropriate measures and/or controls."

In this strategic commitment, which runs from the very top to the entire workforce, direct experience also plays a role: the incident the company suffered on 27 November 2019. Systems recovered quickly, but it marked a definite turning point, a commitment to maximise cyber protection and integrate it into the company's deep technological and cultural transformation.

Thus, the information security division was re-designed with a more ambitious vision and adapted to the personality of each company. "Prosegur is a global benchmark in the industry, so cybersecurity has always been a key factor, but now it is even more so, as we benefit from the digital transformation the company is undergoing. We do not see this transformation as a risk, but as an opportunity to further strengthen our processes," says Enrique Miranda, Global Chief Information Security Officer (CISO).

"Our goal is for Prosegur to open its doors every day and offer security services to its clients," Miranda adds. In other words, Prosegur's internal cybersecurity helps secure society as a whole by protecting thousands of institutions, organisations, administrations and companies: its customers.

Cybercrime has now become an industry and it deserves no less. Against the backdrop of accelerated digitalisation, millions of attacks are registered every year, sometimes uncontrolled, as was the case in the first months of the pandemic. In Spain alone, the National Centre for Cryptology handled almost 43,000 incidents in 2019, 12.5% more than the previous year. In 2020, which is a new record, the number of very high-risk incidents has doubled. The global trend is similar, as studies like the one from IBM show.

 

Security culture, the last line of defence

 

Technology at the service of every business

The Prosegur information security team's plan includes cybersecurity training and awareness as part of the aforementioned arsenal.

Most attacks exploit human carelessness, gullibility in the face of a social engineering ploy. But Prosegur's cybersecurity department sees humans not as the weakest link, but as the last line of defence. To be the latter, and not the former, awareness must be truly raised throughout the organisation. And that is the other big task of information security, besides technological armouring.

It does this by all possible means: reports to the Management Committee, courses at the Prosegur Corporate University, simulations of fraudulent emails (phishing), tips and monthly refresher courses... All with the aim of preparing employees for the techniques used by criminals to maliciously gain access to the company's systems.

For example, someone who fell for the simulated phishing campaign has the following excuse: "The thing is, my inbox is overflowing, I get a lot of emails and that's why I opened it.” "OK, if you are doing several things at the same time at home and there is a knock on the door, do you open it without looking and let someone else in?” "No, of course not". "That is the level of awareness that should protect the other family and our other home: the company," Enrique Miranda points out.

Let's ask the original question again. After reading this article, would you open an email promising a 75% discount on your next iPhone?