Cybersecurity has been on everyone’s lips for a few years, mainly due to two very prominent events. The first was the entry into force of the new General Data Protection Regulation, and the second was the massive impact of WannaCry. Both events put on the table issues that, although not unknown, were largely ignored by most companies, especially SMEs, such as exposure to risk and liability for damage caused by a lack of countermeasures.

Big companies, in most cases, had been investing in cybersecurity for years, perhaps driven by a market increasingly oriented towards electronic commerce, or by their relationships with third parties such as suppliers or customers. In addition, they have the financial muscle that allows them to invest in technologies that generate confidence and a sense of protection. A good implementation of a cybersecurity framework can lead the management of our companies to think that attacks are not really happening and that the company is not really at risk.

So … Should my company start evolving its cybersecurity systems?

Strongly yes. All companies, regardless of their size, must evolve their security systems, and in addition, they must establish guidelines to review these systems with a certain frequency.

The cyber risk ecosystem has changed. Whereas attacks used to be directed at companies of particular interest, today they are launched massively, with no specific target. While it is true that the hacker behind an attack is less professional, the economic reward on offer means there are many more of them. All companies, even the smallest manufacturing companies, are connected to the internet, and all use some computerized management or production system whose failure can paralyze their business to some degree.

Now, we have to demystify some things and lay the foundations for cybersecurity action:

  • Discourage attacks. You have to eliminate the concept of all or nothing. There is a maxim in cybersecurity that says “Your security is as strong as the weakest point of your security”, but as we have pointed out, the hacker behind an attack is less professional than before and in most cases the attacks are not targeted. Therefore, the greatest achievement in cybersecurity is to discourage the attacker, to put obstacles in place so that an unskilled hacker does not cause us catastrophic damage. In an environment of thousands or millions of companies, basic security measures will repel an attack in a very high percentage of cases, because the reward will not compensate for the attacker’s effort.

  • It is not necessary to protect everything, but what is important must be protected. With this idea we can affirm that security is not “expensive”; in fact, it must be sufficient and proportionate to the asset to be protected. The most important point of cybersecurity is therefore the evaluation of each company’s assets and their value, to identify the limits and the effort required to protect them.

  • Define how security is handled and who is responsible for the security of my company, as well as what relevant information my management should receive, in order to achieve a good and sufficient security implementation and minimize the risk and the resulting impact.

  • Technology, an ally in a hyperconnected world. Technology evolves nonstop to protect our assets from the new risks that exist on the network in a hyperconnected world.

  • Establish access policies. The boundaries between what is allowed and what is not allowed in our companies are increasingly blurred if we take into account that the number of mobile devices, connected or not, that roam our facilities keeps growing, that IoT devices are here to stay, and that general-purpose applications and/or social networks, designed for mass access, are now also used for business.

  • Employee awareness and training. This is perhaps the most important part of the security implementation plan and surely the most effective measure to avoid high-impact attacks in our organizations.
    “Security is everyone’s business”

    Justo Lopez