Posts

This is how an effective cybersecurity plan is developed

In order to have an effective cybersecurity plan, first of all one must know what assets need to be protected, whether they are tangible or intangible (buildings, computers, programs, data…). Once known, one must investigate the possible vulnerabilities in order to determine the risks. What is the purpose of the plan? To prevent, avoid or eliminate those risks.

In the first half of 2017, many computers around the world were affected by a harmful program called “WannaCry”, which, once executed on the computers, encrypted the data in such a way that it prevented the normal execution of the programs. Users were forced to pay in bitcoin at a hidden network address. Once the payment was made, they received the key to decode the data and were able to return to normal, if such an abusive situation could be called that. The process began when both individuals and employees received an email simulating a known company and ran an attachment.

Why were both individuals and companies affected? Because the course they followed until they fell into the trap was easy and simple: in both cases they had received an email simulating a company known in the market and executed an attached program, starting a process that became unstoppable. Could the previous situation have been avoided?

Collaboration, intentional?

Nowadays, we know that there are many people in the world dedicated to understanding the vulnerabilities of operating systems, whether for large corporations or for security services, even sponsored by countries, which could make it easier for this group to carry out intrusive cyber-attacks on computers. But to this specialization we must add the importance of the collaboration, intentional or not, of people who receive or use emails. Some additional questions arise: Does everyone need to have access to the internet? Can everyone enter or extract data by clicking on an external hard drive (pendrive) or similar? Which employees can have open communications? Are the access keys used secure? If we have equipment in our charge, do we apply the security policies that software manufacturers recommend? It has been observed, and it is well known, that even though the vulnerability is known, many companies do not apply the appropriate policies.

All this leads us to think about how many resources, in time and money, should be devoted to cybersecurity and how far to go. These are questions that everyone has to answer in one way or another. Finally, to keep cybersecurity from being seen as an activity that hinders the daily development of any business, and to treat it instead as an ally that allows working in a safe way, even if certain processes and procedures have to be followed, we must have a proper communication policy.


Manuel García Ramírez
MGR Consultants IT y Security Manager

Proa Comunicación’s Digital Director Moderates a Roundtable on Cybersecurity and Robots

Bárbara Yuste, director of digital communication at Proa Comunicación, participated in a roundtable last Friday, November 15, about “New Professional Profiles” organized by the Spanish Digital Foundation. This roundtable was part of the Digital Employment Forum that took place at La Nave in Madrid. During the debate, Fernando Davara, president of the Spanish Digital Foundation, Roberto Menéndez, CEO of Grupo ADD, and Pablo San Emeterio, from Telefónica, tackled questions like cybersecurity’s current challenges and who can help solve them, as well as the issues of AI and robots.

The most in-demand professional profiles and whether robots will replace humans in certain tasks, especially mechanical ones, were the two topics that drew the most opinions from attendees.

How to Create an Effective Cyber Security Plan

In order to have an effective cyber security plan, first, you need to know what assets must be protected, whether they are material or immaterial in nature (buildings, computers, programs, data…). Once you know this, the possible vulnerabilities must be investigated to determine the risks and how to prevent, avoid or eliminate them. Once this is determined, the plan is done.

In the first half of 2017, computer equipment around the world was affected by a harmful program called “WannaCry.” Once executed, it encoded data in such a way that it prevented the normal functioning of the programs. Users were forced to pay in bitcoin to some address on the dark web. After the payment was made, they received the key to decode the data and were able to return to normal, if such a situation of abuse could be called that. When either private individuals or employees received an email simulating a well-known company and executed an attached program, they started the hacking process.

Why were both individuals and businesses affected? Because they followed the same simple and easy path of deception. Since in both cases they had received an email that simulated a company known in the market and clicked on an attachment, they started an unstoppable process. Could the previous situation have been avoided?

Intentional Collaboration?

Today we know that in the world there are many people dedicated to understanding the vulnerabilities of operating systems, whether for large corporations or for security services, and some even sponsored by countries. Given their deep knowledge of the subject, these people could make it easier for this group to perform intrusive cyber-attacks. But apart from this specialization, it is necessary to add the importance of the collaboration, intentional or not, of people who receive or use emails. Some additional questions arise: Do all employees need access to the internet? Can everyone enter or remove data by clicking on an external hard drive (USB) or similar? Which employees can have open communications? Which ones are restricted, or not restricted at all? Are their passwords safe? If we are responsible for our computers, do we apply the security policies that software manufacturers recommend? It has been found that although many companies are aware of the vulnerability, they do not apply the appropriate policies.

All this leads us to think about how much time and money should be devoted to cybersecurity and how strict company policies should be. These are questions that everyone has to answer in one way or another. Finally, companies must keep cybersecurity from being an activity that hinders the daily development of any business and convert it into an ally that allows working safely. Although certain processes and procedures must be followed, we must have an adequate communication policy.

Security and Cyber Security

Nobody nowadays understands how our homes could lack doors with locks, considering all of the kinds available, armoured and protected in many cases by an alarm that can be connected to an alarm centre, and if necessary, motion detectors and a thousand other devices that I could go on enumerating. Cybersecurity deals with other types of areas such as mobile phones, notebooks, laptops, computers, cars and all kinds of devices that connect to a network (Internet). With the launch in mid-September of the European Payment Directive, better known as PSD2, which requires “strong authentication” in these types of transactions, economic ones specifically, we are forced to review whether what we do from our devices is safe or not. Strong authentication involves using two of the following three: something that the person knows (PIN, password, etc.), something that the person owns (credential, magnetic card, etc.), and something that the person is (facial recognition, retina, etc.).

How can we protect them? Beyond the physical protection that prevents scratches or deterioration while carrying them (and nobody carries their cellphone or laptop completely bundled up), what kind of protection are we giving these devices? As always, logical protection is an option to consider: using non-obvious passwords and changing them from time to time seems simple, but it requires discipline. If we use our cellphones like computers, and sensitive data is stored on them, we have to ask ourselves if we need to increase the security levels using paid programs to protect them, antivirus software, or biometric measures, which have their limitations, even if we apply them all at once.

There are facts in cybersecurity that can go unnoticed, such as having private data and files on the same computer that we connect to the internet without knowing whether those files are safe. Our computers can be infected with viruses, which can even cause us to lose the information we have saved. Does it make sense to use two computers, one with sensitive data and the other for connecting to the internet, hobbies and leisure? In the hyperconnected world we live in, how can we be sure that nobody has connected to our car’s computer, and accessed and compromised the information?

Cybersecurity already offers solutions for some of these issues, much like the solutions of older times against theft, abuse and invasion of your own land, such as locks and windows with bars. The topic is diverse, exciting and complex, but in the meantime it would not hurt to use common sense and some basic rules that help to safeguard the privacy of information: avoiding negligence when exchanging files, not connecting to an unreliable network, changing passwords more often, and ultimately being reasonably distrustful and, if possible, informing a cybersecurity expert in advance.


Manuel García Ramírez
Director at MGR Consultants IT y Security