On this occasion, we talk about cybersecurity with Marco Lozano, head of cybersecurity services for companies at INCIBE. In this interview, Marco tells us about the importance of protecting our business, regardless of its size, and how crucial it is to prevent cyber attacks, since the consequences of suffering one can even lead to the closure of the business.
- How would you define the importance of cybersecurity for companies, and what are the consequences for the business if it is neglected?
It is a major issue that a company takes care of everything related to cybersecurity, so that its technologies are secure and its use of digital services is done properly. Especially because there are many reports from different companies dedicated to cybersecurity, such as antivirus and antimalware vendors, etc., which make clear that when many companies, especially SMEs, microenterprises or freelancers, suffer an incident, it is quite likely that within six months that company will close. If they have not taken care of their database or their reputation, it is quite likely that, if their technological dependence is very high, they will not be able to continue running their business, so cybersecurity is essential for SMEs.
- What are the most frequent cyber risks faced by any SME in its daily processes?
We can say that within the top three we find all those problems related to malware infections, especially those related to ransomware. This is the first threat, and for many organizations it has a great impact, since they cannot operate normally if they do not have access to their files. Secondly, we have everything related to fraud, i.e. Internet scams and problems arising from the use of technologies that can deceive certain users through social engineering attacks. And the third problem is everything related to operating system updates and upgrades. We always recommend that all organizations keep their computers and applications up to date. This is crucial, because everything that derives from this is exploited by cybercriminals to carry out their deception and infection maneuvers and any other maneuver that can harm organizations.
There are also incidents related to CEO fraud and aimed at the upper layers of the organization, especially the financial layer. This fraud is called email account compromise, i.e. someone has impersonated your account or infiltrated it, and through it they are able to send notifications about bank accounts so that money goes to their account, or similar.
- What awareness mechanisms exist to make everyone in a company aware of the potential risks associated with cybersecurity?
There are multiple strategies to raise awareness among the employees of an organization, starting from handing out documentation, which we consider not very effective. We advocate gamification technologies and approaches of a much more playful nature, since employee learning and skills acquisition are very important. Employees are the ones who have the most cybersecurity incidents in an organization, so employee training is essential in order to identify these incidents before they materialize. At INCIBE, awareness, skills acquisition and training are a very important issue. Recently, INCIBE launched a free cybersecurity MOOC for SMEs and freelancers so that they can take the training and put it into practice.
- What are the main measures to avoid exposure to existing risks?
Today, we advocate simple measures that most companies, SMEs and freelancers can put in place and that allow them to recover relatively quickly. On the one hand, establish a backup policy appropriate to the needs of the business so that, in a case of ransomware where all the data is affected, those backups allow us to restore the information relatively quickly and continue with the business.
It is very important to carry out awareness and cybersecurity skills training with employees so that these threats do not materialize in companies.
On the other hand, at the technical level, in terms of updates and operating systems, it is important not to have obsolete systems. In some organizations there are discontinued systems such as Windows XP or Windows 7 with known vulnerabilities that cybercriminals exploit. Also, use trusted services, together with strong passwords, two-factor authentication, etc.
Also, make use of the support of all the cybersecurity solutions and services that can be implemented. There should be a balance between, on the one hand, everything related to people and services and, on the other, the technologies that provide that support. You should also have anti-malware and intrusion detection systems and technologies that are appropriate for the business.
- How much budget should an SME have to boost cybersecurity in its business?
This is the million-dollar question; there is no fixed figure. What is known is that spending on cybersecurity cannot exceed a certain threshold, because if you invest more in cybersecurity than in business strategy, you are doing something wrong. INCIBE offers solutions that today have become very democratized, such as cloud backups, antimalware applications, and the use of services that were previously only for large companies, such as the implementation of a security office. Now there are online SOC services that are extremely inexpensive. For example, for an organization with a technological dependency such as a consultancy, a law firm or an agency that has five workstations and a server, we would be looking at a budget of between €800 and €1,000 per year. A priori you may think that it is a lot of money, but what happens if our information is kidnapped and we are asked for a ransom? Obviously, with the protection measures implemented beforehand, it is guaranteed that this will not happen. It is something that should be invested in, since this is an economic balance that all companies that use technological services should have. This is for medium-sized security measures; for smaller companies, this could be achieved with a smaller budget. But for an average company, around €800 to €1,200 per year will be enough to guarantee protection measures that ensure business continuity.
- We have seen in sessions with SMEs that the issue of cybersecurity is one of the lowest priority areas, why is that?
It may be either because of a misjudgement of their situation, not considering themselves a target for the attacks and incidents that cybercriminals can generate, or, on the other hand, because they do not have the capacity or time to dedicate to cybersecurity.
SMEs start to become aware of the importance of cybersecurity when an incident materializes in the SME itself or when they know a nearby company that has suffered a cybersecurity attack. At INCIBE we seek to prevent the incident from materializing, since it can cost an SME so dearly that it leaves it without service and leads to its closure.
Through 017, a free and confidential line, companies can contact INCIBE technicians from 9:00 am to 11:00 pm with any questions or queries.