Everybody wants to be protected. Before the advent of the digital revolution, keeping our possessions safe, both at home and at work, was easier, or at least more tangible. Now that more and more business is taking place online, we have more assets in the cloud, and the majority of companies are jumping on board with digitalisation, a new word has appeared that we must bear in mind at all times: cybersecurity.
In large companies, the scope of risk is greater. “Every activity associated with digital transformation makes the display and attack surface broader. In breaking away from classic systems, the assets that need protecting are not so defined,” explains Ignacio García Monedero, head of the Cybersecurity Incident Response Team at MAPFRE. The expert stresses that, faced with the immediacy and agility that is sought in all processes, the problem is that “speed and security do not always go hand in hand”.
This is why, when it comes to data protection, it is better to do things slowly and to the letter, first and foremost when you are setting up your own company. “Cybersecurity has to be deeply entrenched, and we must start to think about it from the very beginning, when we start the concept design of the startup. Including security as part of the very DNA of the startup can generate not only protection, but also a competitive edge in a world that is becoming more and more exposed to global threats”, says Juan Manuel Muñoz Perales, Assistant Director and Corporate Security Manager of Strategic Digital Initiatives at MAPFRE.
Digital vigilance, cyberintelligence, phishing, credential leaks, technology misuse… With so many potential threats and vulnerabilities, how can we keep watch on cybersecurity? The two MAPFRE experts explain the key points to be aware of.
Invest in security from the beginning and continue to do so
Ensuring cybersecurity does of course have a cost. However, it is cheaper if you implement it in the first stages of a business. In any case, it is definitely a necessary expenditure. As García illustrates: “Before, technology was seen as a wasteful expense, yet now, people’s mentality has evolved to understand it as an investment. The same must happen with cybersecurity”. Muñoz stresses that “just as no company would propose to do business without legal and financial advice, neither should any company propose to do business without ensuring security”.
The problem is that emerging companies simply do not have the financial or personnel clout to be able to do this easily. If a startup is made up of 10 employees, it is difficult to have a full-time CTO or CISO, but it may not be efficient for cybersecurity tasks to be shared by everyone either.
In order for startups to be prepared to demonstrate their level of cybersecurity to another company (a potential client), one idea is to “have independent third parties undertake audits based on recognised standards, and be proactive in obtaining validations before a provider asks for them”, notes Muñoz. Cybersecurity is no stranger to the current startup evolution; in fact, it forms an active part of this entrepreneurial movement. More and more companies are developing, and in turn, security services on which they can rely are emerging.
Act before an incident, swiftly and transparently
Although he tries to foresee any possible means of attack, “everyone is exposed to a possible breach”, admits Muñoz. When this happens, communication is key.
On the one hand, with the company that has been entrusted with security. “The paradigm of protection is to be able to ensure that the third parties on which you are relying have security measures in place that you can trust. In the case of startups, in the ways mentioned previously”, explains the expert.
On the other hand, communication with the client is vital. When there is a breach of cybersecurity, MAPFRE approaches the privacy and data protection committee, where the breach is analysed and then defined as either a security incident, a problem affecting personal data or a violation of a personal nature. “Depending on the impact, there is a series of actions to be completed, but we always guarantee transparency and speed to the user”, continues García. Finally, “it isn’t what happens that counts, but how you deal with what’s happened”.
Create a culture around network security
What happens with the client? What role do they play in all of this? To what point are they implicated in cybersecurity processes? “In a perfect world, the most practical security model is a non-visible one, one which protects the user without them even being conscious of it, and without demanding too much of their attention”, explains García.
But the perfect world doesn’t exist and, although the ideal situation would be not to ‘bother’ the client as much, there is a need to provide the client with the necessary tools and knowledge so that they can also integrate themselves into the culture of security, “not only on a professional level, but also on a personal level”, he emphasises. “In such an interconnected world as ours, where we are starting to connect personal devices with professional ones, the security of your home can impact on your business and vice versa”, explains the expert. “The more educated and aware our employees are, the more protected they will be in their homes, and the more we will be at MAPFRE”.
Furthermore, Muñoz recalls many times when he has seen the users themselves, having been exposed after an incident, “create a lobby, which generates some legislation, which requires more from us in the form of security checks, such as the obligatory use of double authentication systems when working with particular organisations or standards, or such as the PCI-DSS for credit card payments”. The culture of digital security is growing, in the right way. To be forewarned is to be forearmed; the best protection is preparation.