
Corporate Security - Best Practices for Conduct and Compliance for Employees and Business Partners

1. Introduction

GMG INTERNET SERVICE LTDA., aligned with the latest market trends, social responsibility, sustainability and, above all, the security of the information collected and stored in its systems, presents its Corporate Security booklet: Best Practices of Conduct and Compliance for Employees and Business Partners. This booklet is based on the Reference Guide on Corporate Security published by the Brazilian Bar Association, São Paulo Section, in 2015, whose pillars address the technical issues that permeate the activities of this institution's employees with regard to information security, physical security, asset security, monitoring and auditing, as well as ECM (Enterprise Content Management / GED), the Corporate Information Management system. This manual also incorporates our Compliance Program, whose core principle is Law 12.846/2013, which establishes the objective (strict) administrative and civil liability of legal entities for acts of corruption against the public administration, whether national or foreign. All these efforts will culminate in training offered to all our employees, so that the program is truly effective, as well as its inclusion in employment contracts in accordance with current labor legislation and the case law of the Superior Courts on topics not covered by the Consolidation of Labor Laws (CLT), in addition to guiding relations with our partners on the basis of fairness and transparency.

2. Purpose

The unquestionable purpose of this manual is to share with our employees and partners our values, principles and procedures, especially with regard to the ethics, legality and transparency of our business. Specifically, we hope to:
- Build a unified discourse among employees and partners, in order to highlight our values;
- Consolidate ourselves in the market as a safe, ethical and cutting-edge company in our segment.

3. Who we are

GMG INTERNET SERVICE LTDA. is a company headquartered at Av. Emilio Trevisan 655, suite 303, Bairro Bom Jardim, CEP 15.084-067, in the city of São José do Rio Preto, state of São Paulo. It owns the following platform and software:

1. Gmg Ambiental is an ecosystem of proprietary software integrated into a single proprietary platform developed in Brazil by GMG INTERNET SERVICE LTDA. Gmg Ambiental is a SaaS (Software as a Service) platform, accessed by login and password, which runs on the Gomapsgo software, a web-based (cloud) Georeferenced Information System (GIS) supported by maps provided by a network of satellites integrated via API, with the objective of generating products for the following solutions:

1.1. Fire Monitoring and Analysis: a system for monitoring and georeferencing fires and fire outbreaks on rural properties. Functionality: this solution allows the client's entire area to be monitored via satellites. When we identify a fire outbreak, the coordinates of the exact location on the property are quickly determined with the help of algorithms. From that moment on, an alert is sent to the client, guiding decision-making for fighting the fire;

1.2. Climate Monitoring for the Field: a climate monitoring solution comprising the following features: “Wind Speed and Direction”, “Temperature Forecast”, “Daily Accumulated Rainfall” and “Triple Alert 30”.

“Wind Speed and Direction”: This feature delivers much more safety, since it shows the direction and speed of the wind. Thus, if there are fires in neighboring areas, it is possible to calculate whether the fire could reach the monitored area, helping to decide which measures should be taken. Advantages: Greater safety; and a better informed Fire Brigade for decision-making.

“Temperature Forecast”: The temperature forecast presents the data predicted for the following day, helping with daily harvest planning. Advantages: Reduces productivity loss and contributes to decision-making.

“Daily Accumulated Rainfall”: This feature provides information on the amount of rain in previous days, in millimeters. It is possible to choose the date for which you want to access the information, helping to understand the rainfall levels of certain periods. Advantage: Work strategically for a productive harvest.

“Triple Alert 30”: The Triple Alert 30 feature is an exclusive Gmg Ambiental technology. It is based on 3 (three) data points: temperature, wind speed and humidity. In other words, if the temperature is above 30 °C, the wind speed is greater than 30 km/h and the humidity is below 30%, an alert is issued. Under these conditions, if a fire were to break out, it would be more difficult to fight, posing greater risks to firefighters. That is why alerts about the combination of these three factors are so important. Advantages: Greater safety; and a better informed Fire Brigade for decision-making.

1.3. GMG Scar Report: The scar report is a type of dossier for defending against environmental fines. The report presents data related to the day of the fire, such as: temperature, air humidity, the probability of fire risk, whether the triple factor 30 occurred, where the fire started and how it reached the client's area. All of this information helps to prove that the person responsible for the fire was not the owner of the area. Advantages: Helps in defending against environmental lawsuits; Reduces the chance of fines; Climate data from the day of the fire; and Fire traceability.

1.4. GMG Field Applications: “GMG Field Management” is an application that assists in field management. It allows data to be entered mainly about fires, but also about police occurrences, flies in the stable, and firebreak checklists. The application is customizable, meaning it can be adapted to the needs of each client. Advantages: Information agility; Connected to monitoring; Fire alert via notification; 100% customizable; Works offline; Firefighting images; and Dashboard to download reports in PDF format.

1.5. GMG Fire Management: Through our platform, it is possible to extract reports on fires that have occurred, filtering by month, unit and type of entry. In addition, we provide a dashboard where managers can quickly measure the system's accuracy. Advantages: Database with all outbreaks that occur in the areas; Extract reports as graphs, PDF and Excel; and Measure the accuracy of the system through reports.
2. GomapsGo: a landbank and viability management and information system. It allows an area to be demarcated and georeferenced; based on the demarcation, it generates spreadsheets with business viability and obtains information about the region, such as the per capita income of the inhabitants, population density, commercial establishments and other points of interest; it allows users to be created and registered and user access to be managed; and it allows folders to be created for digital content files (PDF, XML files, videos, spreadsheets).

3.1 Organizational Chart

Marcelo Rodrigues Ferraz – CEO - Executive Director

4. Prevention and Corporate Security

The focus of this manual is on Prevention. This is because most frauds that occur within companies are only discovered during audit processes, which are REACTIVE processes, that is, they only take place after the deviations have occurred. Unlike the thinking of large institutions that delegate the reduction of their losses to computer processes, we understand that simply implementing these systems does not solve the issue of corporate fraud, essentially because crimes within corporations, including cybercrimes, are committed by employees at all hierarchical levels. Preventive security processes must always consider the human factor as a key element and the most vulnerable of corporate resources.

4.1 Legal responsibility of organizations

In addition to the organization's labor and tax obligations under the laws in force in the country, there is currently another legal issue that must be taken into consideration: the use of technological resources by its employees. Technically, it is important to clarify that, according to art. 935 of the Brazilian Civil Code, civil liability is independent of criminal liability, but only the former may be attributed to the legal entity.
However, in crimes involving pedophilia and piracy committed with technological resources within the institutional environment, the manager may be held liable, since he assumed the risk knowing that the illicit act could occur. Also according to the Civil Code, art. 932: The following are also liable for civil compensation: [...] III - the employer or principal, for his employees, servants and agents, in the performance of the work that is their responsibility or by reason thereof. Súmula (Precedent) 341 of the Supreme Federal Court also provides: The employer or principal is presumed to be at fault for the negligent act of the employee or agent.

In the labor sphere, organizations must still be concerned about the consequences of the lack of organization, procedures and rules for the use of their technologies, because among other problems, there may be an incidence of overtime and issues involving privacy.

4.2 Social responsibility and sustainability

Companies have indirect responsibility for collective non-patrimonial damages in social and environmental terms, as they are considered transformative agents that exert a strong influence over their human resources and have economic and technological resources that allow them to direct their employees towards certain results. For clarity, the following definitions of social responsibility and sustainability are adopted here.

4.2.1 Social Responsibility: a broad concept according to which companies voluntarily integrate actions of social and environmental concern into their operations and into their interaction with other stakeholders.

4.2.2 Sustainability: from a corporate perspective, this is a new business management model in which all processes effectively take into account the social and environmental dimensions. Combined with good governance practices, this model has a positive impact on the economic dimension. Specifically in the case of GMG, concerns regarding social responsibility and sustainability are integral to our products, since fire prevention is one of the most important features of our main software.

5. Security and protection

For a better understanding, the concepts of security and protection adopted herein are as follows: Security is an intrinsic concept of human need, a state of mind, since all people need to feel safe in all aspects of their lives; Protection is a term used to characterize actions planned in advance to avoid or reduce damage caused by aggression against people, processes, technologies and organizations. In the corporate world, security represents a level of comfort achieved by implementing protective actions, which can typically be quantified as low, medium or high, or be certified as adequate according to internationally accepted rules and standards, such as those proposed in the ABNT NBR ISO/IEC 27002:2005 standard (Code of Practice for Information Security Management) (ABNT, 2013c) and certified under the ABNT ISO/IEC 27001:2005 standard (Information Security Management Systems – Requirements) (ABNT, 2013b). Once a certain level of security is accepted, we arrive at the concept of trust, which presupposes a state of human consciousness that considers itself safe.

6. Corporate risks

Within the corporate universe, risks are determined by the combination of threats, vulnerabilities and loss of asset value, with values measured by the impact of the assets on the organization's business. Losses can be financial, material, human, intellectual or moral, and can be valued numerically.

6.1 Information security

The sector responsible for taking care of the company's information assets, based on the pillars of integrity, confidentiality and availability.

6.2 Physical, asset, monitoring and auditing security

Among corporate security actions, all aspects of physical security, asset security, people security and monitoring processes (CCTV, access control, biometric authentication, Single Sign-On (SSO), fire and building automation) are effectively highlighted, as well as risk management and internal audit processes.

6.3 ECM, SPED, IRPJ-e

Other activities within the company that process data in general and fall under specific responsibility: ECM (Enterprise Content Management / GED), the Corporate Information Management system, which as a rule handles digital or digitized information stored and processed on the organization's networks and storage / Big Data; fiscal and tax compliance systems, such as SPED (Public Digital Bookkeeping System); and electronic filing processes, such as IRPJ-e, which use digital certificates.

7. Occupational fraud

Occupational fraud can be characterized as fraud that occurs in a structured manner in various areas of the company and is rarely reported, due to the huge scandals it causes the institution.

7.1 Best practices for combating occupational fraud
- Anti-fraud certifications granted by companies that perform internal and external audits;
- Preparation of a Code of Moral and Ethical Conduct that is operational and is, in fact, implemented;
- Internal training program;
- Program clarifying changes to the company's Code of Ethics;
- Strategic and safe HR practices.

As we are a small company, ethical and moral issues that should govern the conduct of all employees are discussed in monthly meetings that address this topic and its impact on the company's image in the market. As the number of employees increases, initially to ten, these principles will become part of a written manual that will be made available and discussed among all employees.

8. Cyber fraud

With the advent of computers and networks, frauds committed against institutions have become more advanced and supported by technological devices, such as computer networks that allow employees to access corporate data legitimately, as well as the manipulation of data that is improperly processed or lost, which can lead to major losses and irreversible damage for companies. In order to combat electronic fraud, auditing has evolved to also cover the verification of practices automated by computer and network programs and processes, in what is called Systems Auditing. The evolution of electronic devices (cell phones, laptops, among others) has allowed electronic fraud to grow to a level called Electronic Crime. Electronic Crimes are “crimes committed against or through computers or other computing devices” (JORGE; WENDT, 2012, p. 18). Examples include “chupa-cabra” and other tampered skimming devices used to circumvent bank ATMs and steal money, tampering with gas pumps, and the use of cell phones and GPS to detonate real bombs, among others. With the popularization of the Internet, new types of losses due to financial embezzlement have emerged, with electronic and cyber frauds, which occur inside or outside the organization's perimeter, growing exponentially. These new fraud practices, committed with the support of systems and networks, mainly the Internet, have characterized the new scenarios of electronic crime. Cybercrime, characterized by the use of technological resources, can materialize and cause very real consequences. Examples of this type of crime include: fraud through fake e-commerce stores, crimes against honor committed through company computers, violation of software copyright, child pornography crimes, among others.
Typically, the perpetrator of an electronic crime committed against the company does not need to be on site to carry out the criminal conduct; with the use of a computer device connected to the Internet, he or she can carry out the intended criminal actions from anywhere. In general, the press and information media have contributed greatly to the dissemination of new types of crimes that employ technology, which has been promoting awareness in society.

8.1 Organized Cybercrime

Recently, Law No. 12,850/2013 (BRAZIL, 2013c) was approved, which defined criminal organizations. According to Article 1 of this legal norm:

“[...] a criminal organization is considered to be an association of 4 (four) or more people, structurally organized and characterized by the division of tasks, even if informally, with the objective of obtaining, directly or indirectly, an advantage of any nature, through the practice of criminal offenses, whose maximum sentences are greater than 4 (four) years, or which are of a transnational nature. (BRAZIL, 2013c).”

This law also applies to: “[...] I - criminal offenses provided for in an international treaty or convention when, having begun their execution in the country, the result has or should have occurred abroad, or vice versa. [and] II - terrorist organizations, understood as those focused on the practice of legally defined acts of terrorism. (As amended by law no. 13,260, of 2016) (BRAZIL, 2013c, Art. 1, § 2, items I and II).”

From this perspective, when faced with a Cyber Criminal Organization, it is possible to refer to criminal actions of multiple types, carried out directly or indirectly by groups of people who collaborate with each other to produce them through the Internet. The community of Crackers (commonly called Hackers) acts collaboratively on a global level, producing advanced programs to facilitate criminal acts. Today, software products (computer programs) developed to exploit generic or specific vulnerabilities constitute a true commercial market in the underworld of the WEB, called Prêt-à-Porter Hacking. Anyone interested in attacking organizations or individuals can purchase, among many offers, a Zero-Day Exploit and obtain guaranteed results. It is also worth noting the use of the so-called Deep WEB as an instrument for disseminating a wide range of criminal content, mainly because this platform is not indexed by search engines and because its users browse anonymously, generally through the TOR program, making it difficult for the police to investigate such crimes.

8.2 Examples of some actions of Organized Cybercrime:

- Hacktivism: characterized by the controversial movement organized by crackers to produce advanced computer program code. These organizations often have a global reach and are formed by people of all kinds of backgrounds in the technical production of WEB exploits, Trojans, backdoors and other malware. The ideology can be political, social or religious. An example is the Anonymous group, which gained worldwide popularity for its attacks on the websites of large companies and governments, including in Brazil.

- Scareware: cybercriminals who deceive people by offering free software downloads (e.g., fake antiviruses and utilities); they use coercion tactics and other unethical marketing practices. The downloaded software may be ineffective or, at first, may appear to prevent the action of certain types of viruses before infecting the computer with their own viruses. Individuals may then have to pay criminals to remove the viruses and their impacts. Sometimes, this software does not produce any apparent effect, but turns machines connected to the Internet into true “Zombies” (machines infected by bots – malicious codes that remotely control infected machines) for carrying out DoS (Denial of Service) and DDoS (Distributed DoS) attacks, among other crimes.

- WEB Money Laundering: criminal groups carry out various actions to transform money from drug trafficking and other illicit activities into easy enrichment, illegal money into money that is accounted for and legalized by tax authorities.

There are many different types of forged accounting scams, from e-commerce stores that sell products at below-market prices, pornography sites, drug sales sites, and even WEB gaming sites that make money and distribute prizes. Nowadays, this practice is even easier, since the creation of virtual currency (Bitcoin) allows financial transactions to be carried out without identifying the parties. Sites that sell illegal products and services on the Deep Web, such as the recently closed Silk Road (drug sales), use this new form of payment.

8.3 Conventional Threats

In the cyber fraud genre, some generic terms are used, given that these have already become common in Brazilian society due to the large number of occurrences and the impacts at all levels reported by the news media. Among them, as examples of development and evolution, we have the following:

- Virus Attacks: in the last 20 years, many organizations have experienced losses of various kinds due to the entry of Viruses, Worms, Trojans, Rootkits, Spyware, Adware, Malware and many other threats that exploit the vulnerabilities of unprotected or outdated systems and privacy in general, as well as the naivety or carelessness of users. All these terms, which designate types of attack in the digital world, are part of corporate daily life and are widely combated by various software tools (computer programs).

These attacks represent real threats and become the basis for more advanced attacks; therefore, they must be properly assessed and treated.

- Phishing Attacks: the phishing scam is one of the major corporate concerns regarding crimes committed using the Internet. It is based on sending a message (via email, Twitter, Facebook, SMS, etc.) with the aim of exploiting the naivety of Internet users and obtaining access codes, financial data, personal and family information, personal preferences and other information, with identity theft as the goal.

The most impactful phishing situations involve sending emails that, instead of containing links that direct you to a form requesting the desired information, redirect you to fraudulent web pages that contain malicious programs (viruses, Trojans), which automatically install and replicate themselves on the victim's computer, contaminating files that can then be passed on to third parties as a virus.

These programs often belong to the class of Key/Screen Logger viruses and can record the sequence of keys pressed, the screens visited or the activities performed, including the movement of the cursor and/or mouse. After collecting the information, these programs send it over the Internet to a website controlled by the perpetrator of the fraud, who makes commercial use of it. In Brazilian law, phishing, when used to appropriate the victim's bank details for subsequent withdrawal, constitutes the crime of qualified theft through fraud (BRAZIL, 1940, Art. 155, § 4), with a penalty of 2 to 8 years in prison and a fine. Simply put, identity theft is generally committed through phishing scam techniques, which take advantage of the naivety of computer users through advanced social engineering, and seek to obtain various personal data that can individualize profiles, allowing criminals to use the names and data of victims to effectively pass themselves off as them and commit illegal acts over the Internet.

- Hoax/Rumor Attacks: a hoax is, in an almost literal translation, a rumor. In practice, it consists of an email message with alarming and false content, a practice that has evolved into much more serious cases of WEB Bullying. In a way, hoaxes exploit people's good faith to spread rumors and thus become "an attractive truth". A good example of a hoax are the messages that usually circulate by email announcing a new virus, a new attack or precautions that should be taken, and asking people to pass on or retransmit the message. There is also the example of chain letters: "Send this message to 15 people and you will earn money (or another good)". In reality, what you will actually get is a scare.

- Spam: initially, it referred to the unauthorized sending of emails with commercial content. Nowadays, spam can even have electoral content, and is disseminated through other forms of electronic communication, such as social networks, SMS and instant messaging applications. Brazilian law does not prohibit the practice of commercial spam. In fact, the Superior Court of Justice (BRAZIL, 2009) held that spam is a mere annoyance and does not violate the privacy of the recipient. However, in electoral propaganda, the candidate may only send messages free of charge to previously registered voters (BRAZIL, 1997, Art. 57-B, III).

In practice, it is possible to observe that cybercrimes produced through conventional threats always rely on exploiting the vulnerabilities of the weakest link, the user, who in organizations is a key element for achieving strategic objectives.

8.4 Advanced Persistent Threats (APA, the Portuguese acronym for APT)

In recent years, there has been a great advance and greater sophistication in attack techniques, whose authors have increasingly turned to criminal actions and even cyber warfare. The main targets of attacks on the WEB have been the websites of organizations and government agencies from various countries, as widely reported by the news media worldwide, with the following being targeted: hospitals, banks and companies of all sizes and in various sectors of activity. The attacks always aim to steal sensitive data and information, which can be sold or used for blackmail, extortion and financial gain.

In the evolutionary process of attacks, criminals have created improved tools that invade corporate networks, hide their tracks, produce self-defense against firewall protections and security products, hide and remain dormant until they are able to obtain what they want. Today, attacks are characterized by persistent threats in target organizations, that is, if your company is a target, it may have already been invaded by APA (Advanced Persistent Threat). The main targets are businesspeople and employees at the Board and Management level, who legitimately have passwords with the right to make payments, move fortunes and access data from strategic plans and R&D.

Some examples of what happens in the world through APA:

- Customer Data Loss: theft of customer registration data, mainly from financial companies, medical services companies, among others. They are carried out through specialized attacks on corporate networks, most of which leave no traces or interfere with anything, going completely unnoticed by the technicians of the injured company. The information obtained is analyzed and sold to organized crime factions, which use it for extortion, blackmail and commerce.

- Intellectual Property Theft: characterized by veiled invasions, with little likelihood of identification, in the same way as occurs with Customer Data Loss, through which criminals, sometimes sponsored by competing organizations or nations, aim to locate and steal ideas, projects, product specifications, trade secrets, process information or methodologies, which can be of great value and can produce a competitive, operational or technological advantage. This modality can be considered the evolution of classic Industrial Espionage.

- Theft From Business: financial theft from companies has become a global epidemic and has been occurring through the APA techniques of Organized Cybercrime. The use of covert invasions of corporate networks has allowed, almost always with the collaboration of one or more insiders (internal informants), the payment of fraudulent bills and financial transfers, immediately damaging the company's cash flow. In Brazil, the tampering of bank slips (boletos) with new payee data appears increasingly often in the police news.

- Tax Fraud: using the same resources and tricks as Theft From Business actions, criminals use corporate access to divert legitimate tax payments to private accounts, damaging the company and the government. The company, in most cases, only finds out when a manager not involved in the fraud scheme receives a warning, a charge or a visit from the tax authorities.

- Theft From Business Extortion: this scam has been on the rise, since, once the APA has been consolidated, the attacker maintains full control over the databases and technology infrastructure of the target organization. From this point on, the extortion process occurs through a demand for cash to release access; otherwise the organization bears the consequences, such as: redirecting its commercial links to pornography sites, data encryption, and other threats that exploit recovery time and the integrity of the corporate image.

- Warning: APA-type attacks usually last months, and even years, before becoming harmful.

8.5 Understanding Cyber Fraud

Cyber Fraud, in the business and corporate sphere, is any illicit attempt to access or obtain corporate, business or government agency data, committed over the Internet. It can also be called Cyber Crime. Cyber fraud has become a true epidemic with terrifying consequences within business environments, mainly due to the profound lack of technological knowledge among managers and the real risks it poses to sensitive systems and databases. Therefore, if the board of directors and senior management are not careful to combat it, they can categorically put the organization in a situation of insolvency. Today, in some way, all organizations are exposed to fraud, whether cyber or not. The best and most sophisticated organizational environments, including the most controlled ones, can have unknown flaws, exploited in an integrated manner by their legitimate employees in partnership with international organized crime.

The scientific community and researchers clearly know that a large part of cyber fraud is carried out by exploiting the “weakest link”, that is, the user’s naivety. Therefore, a large part of the effective success of cybercrime is associated with the direct or indirect collusion (direct through active participation and indirect through disregard for the rules) of employees or Internet users themselves. For example, the evolution of technologies has simplified the use of computing resources and networks for all citizens of the civilized world. This revolution in technology, on the other hand, also promotes new opportunities for uses, customs and types of social crimes. We are in the 21st century, the third millennium, and the mobility of personal and corporate communication is growing in a disorderly manner, through smartphones, tablets, ultrabooks and other mobile devices used by all social classes. This fact may represent one of the greatest risks of cyber fraud today.

8.6 Consumerization, BYOT (BYOD, BYOA), BYOW

The consumerization of technologies should be understood as a movement by the major global industries in search of cost reduction, since the previous strategy established two production lines: Low End Products, for general consumers in the market, and High End Products, for business users or companies, usually with more advanced features. The current cost reduction strategy is to standardize products, such as cell phones, smartphones, tablets, notebooks and ultrabooks, so that they are all in the High End (high technology) line, thus serving both ordinary consumers and companies. As a result of consumerization, equipment with more advanced features became cheaper and available for purchase by a large part of consumers. This led domestic consumers, who as part of the economically active population also work in companies, to want to use their personal equipment in the business environment, given that, at times, their equipment performed better than the equipment offered by organizations.
