Cyber Security

Technological capabilities strengthened and able to protect individuals and institutions that interact with Klabin in the face of new ethical challenges arising from the advancement of technology.

KODS 2030

 

100% of direct and indirect employees included in the digital language necessary to support the cybersecurity culture, ensuring the protection of personal and company data

 

Percentage of direct and indirect employees included in the digital language

| Category | 2020 | 2021 | 2022 | 2023 (Preview) | 2030 Goal |
|---|---|---|---|---|---|
| Total number of direct employees | 15,037 | 17,436 | 18,394 | 17,739 | |
| Total number of indirect employees | 2,304 | 2,723 | 2,200 | 2,400 | |
| Trained direct employees | 8,340 | 8,659 | 10,739 | 15,864 | |
| Trained indirect employees | 120 | 962 | 726 | 960 | |
| % of trained direct employees | 55% | 50% | 58% | 89% | 100% |
| % of trained indirect employees | 5% | 35% | 33% | 40% | 100% |
 
 

A cybersecurity awareness plan was developed with the support of the Internal Communication, Klabin Business School, Legal and Automation Technology areas. This challenge enabled the creation of a cyclical, ongoing awareness process that is up to date and flexible.

Below are the numbers of participants and viewers of the content created and developed on the topic of cybersecurity.

  • 740 lectures and workshops;
  • 3,727 training sessions conducted on the Klabin Business School (ENK) platform;
  • 26,579 simulated phishing emails sent;
  • More than 5,000 views of security videos and internal podcasts on the topic.

The Cybersecurity Policy and primer are Klabin’s official documents that guide employees on the posture, good practices and duties required to maintain an environment with a reduced risk of cyber attacks. All the content was developed based on the ISO27001 and IEC62443 standards, focusing on the following main topics:

1 – Information classification;

2 – Confidentiality and privacy;

3 – Workplace;

4 – Internet access;

5 – Social media;

6 – Email and communication apps;

7 – Intellectual property;

8 – Access;

9 – Backup;

10 – Incident.

In 2023, we increased the number of phishing simulation campaigns and, with the support of the Corporate Communication department, sent cybersecurity articles to all users fortnightly and conducted workshops on the subject.

Executives who undertook goals linked to the topic

|  | 2022 | 2021 |
|---|---|---|
| Managers | 6.0% | 3.0% |
| Directors | 14.0% | 8.0% |
| Total executives | 50 | 26 |

Cybersecurity Management is headed by a Chief Information Security Officer (CISO), who is accountable to the Information Technology Board, which in turn is accountable to the Executive Board and the Board of Directors. The topic is included in the Company's risk assessment, and all initiatives are guided by the standards, frameworks, and legislation applicable to the segment, such as IEC62443, ISO27001, NIST, CIS, LGPD, and the Brazilian Civil Rights Framework for the Internet. This governance was designed to support control initiatives that reduce cybersecurity risks and ensure the confidentiality, integrity, availability, and authenticity of information, with an integrated view of the administrative and industrial environments.

Cybersecurity is responsible for identifying, assessing and reporting legal and regulatory, IT and cybersecurity risks, while supporting and promoting business objectives. During the process of creating the cybersecurity journey, aligned with Klabin's strategic drivers and market references on security, an internal framework was developed that objectively addresses these challenges and supports the digital transformation.

 

Mission: to ensure the confidentiality, availability and integrity of Klabin's information through innovative processes and solutions that provide real results for the business and maintain the trust of customers, employees, society, and shareholders.

 

Vision: to add value to the organization's image by increasing cybersecurity through efficient risk management with a focus on confidentiality, availability, and integrity of the information in the administrative and manufacturing environment.

 

Klabin created a method for measuring information security maturity, based on standards and frameworks (ISO27001, IEC62443 and COBIT). All applied controls are monitored and evaluated against the maturity levels defined by COBIT (Control Objectives for Information and Related Technology, a set of practices for the management and governance of IT processes), which are:

0 - Not implemented;

1 - Initial;

2 - Managed;

3 - Defined;

4 - Quantitative;

5 - Optimized.

In 2022, the measured level of maturity of the monitored processes stood at 3.6, an improvement compared to the level of 3.01 achieved in 2021.

The year was marked by the conflict between Russia and Ukraine, which was undoubtedly one of the most significant events of the year in terms of cybersecurity, particularly because it was the first major armed conflict in history to have significant repercussions in the cyber realm.

Updated and verified on: 12/26/2023

28/09/22