Mónica Méndez Information Security Consultant

Cybersecurity is not a department, it's a performance

The coronavirus is not the only virus the pandemic has brought us; internet threats have multiplied massively in recent years. Teleworking has meant that thousands of devices have had to be connected to the network so that companies and public entities could continue their daily work. This has also led to an increase in the number of access points where cybercriminals can carry out their attacks.

The urgency to try to adapt to this new situation leads to large security and compliance gaps, causing cybercriminals to take advantage of this generalised chaos to attack all types of entities, businesses and/or structures. The end result is that employees become the first line of defence against these cyber-attacks.

When we talk about cybersecurity, we instinctively think of the security tools or procedures that we build into our systems, but in reality, cybersecurity depends on a common factor: the human factor.

The success or failure of the security measures implemented depends to a large extent on the attitude and actions of the people interacting with the devices connected to the network, since it is they, the people, who manage the main asset: the information.

This first human firewall needs to be made aware of the value and importance of cybersecurity. This can only be achieved by investing in cybersecurity training and awareness plans.

From the highest level of the committee down to the lowest department, a culture of cyber security must be developed. As best practices are internalised to know how to detect and avoid mistakes, along with the inclusion of security policies that are adaptive to new cybercriminals and attack types, the level of cybersecurity risk will decrease.

Cybersecurity in companies

Starting from data, which is the strategic asset of an organisation, entity, and/or business, cybersecurity should not be considered an extra added to services, but an essential and intrinsic part of them. As systems and people have become more connected to the network, the perimeter of cybersecurity has gone from being static and defined to being completely elastic. Classic tools such as anti-virus have taken a back seat in defence, with the training and awareness of staff becoming key.

Although in the business or governmental world, there are large corporations that take very seriously the dangers and threats to which they are exposed, there are certain types of companies that have a long way to go in terms of cybersecurity, mainly the large group of small and medium-sized enterprises. That is why, just as we try to make people aware of the dangers that can occur after the spread of a virus or the problems that can be caused in the environment by carrying out different activities and/or actions, we must also emphasise cybersecurity and ensure that all people are aware of and trained on the dangers that exist in this field.

Not a day goes by without our waking up to a new story about cyber-attacks in one of their variants: phishing, ransomware, security breaches, data and identity theft, adware, etc.

From a distance, it was thought that teleworking was just taking our computers and, instead of going to the office, working from home. But reality has shown us that teleworking has a huge impact. In many cases organisations have had to replicate, to a large extent, the same security measures that were in place at their premises, creating new cybersecurity challenges.

According to data from the Spanish Data Protection Agency, last March there were 140 notifications of security breaches, 110 in private organisations and 18 notifications from public organisations.

Of these security breaches, the following correspond to cyber-incidents:

  • Encrypted device / kidnapped information 20.71%
  • Phishing 23.57%
  • Unauthorised access to data in IS 27.14%

Given that 100% cybersecurity is unattainable, and even less so when there are a large number of potential threats, users are the weakest links in the chain: simply through ignorance, they can introduce ransomware that breaches the security of the system.

Even if we are talking about a situation full of uncertainty, one clear and very important conclusion can be drawn, and that is that these human failures are potentially avoidable through continuous training and awareness-raising of all staff involved in information handling.

Different themes for training and awareness raising