Enrique Ávila has a privileged point of view from his position: he is the director of the Spanish National Center for Excellence in Cybersecurity (CNEC), a key organization when it comes to the subject of cybersecurity. It integrates three core capacities: the university as a center for generating knowledge, companies for providing economic support and innovation, and the national law enforcement agencies as the main users of technologies and knowledge in the fight against cybercrime. Our subject, then, knows the evolution of cybercriminality in Spain like the back of his hand, as well as the efforts of this country to fight it, and the struggle to make companies and citizens aware of this subject.
When we asked him whether there is an upwards trend, or to put it another way, whether cyberattacks are going to keep growing in 2018 and 2019, he didn’t have to think twice: “In 2019, in 2020… Unless there’s some kind of technological catastrophe, cybercrime will become more and more profitable, at least as long as the current circumstances don’t change: the lack of territoriality in cyberspace, the use of pseudonyms by the actors, and the asymmetry of the resources used to cause harm or to illegally make money are all behind the exponential growth in these kinds of activities”.
Ávila is no stranger to one of the most important Trojan horses for this kind of crime: carelessness and lack of awareness. And the fact is that “the perception of the risk is both low and poorly understood, both by citizens and companies”. In fact, in his opinion, “companies must work on resilience and risk mitigation”.
How can an SME protect its cybersecurity?
In any case, it is clear that many small companies may have trouble investing in their own cybersecurity, so “protecting SMEs, which generate the majority of jobs in our country, needs to be a State policy”, although it is true that “both the Government and the INCIBE (Spanish National Cybersecurity Institute) are making an enormous effort to create an ecosystem of services, contact networks, awareness campaigns and training courses aimed at SMEs. It is also their responsibility to know about and make use of these resources”.
But, moving beyond the abstract, how can a small company with very limited resources protect its corporate cybersecurity? For the director of CNEC, “the best thing would be to have an expert acting as an interface between the SME and the cybersecurity service providers. But if the cost of this kind of service means that it isn’t viable for you, it will always be more economical – and generally speaking more secure – to get these services from unmanned centralized infrastructures. However, with these shared infrastructures, there’s a risk that, if they are the target of a cyberattack, you could become a collateral victim, even if you’re not the main target”.
“Cybersecurity is not optional”
In any case, the context has also changed. Until recently, protecting corporate cybersecurity depended (for the most part) on each company’s wishes, and however they defined their own needs. Nevertheless, the definitive implementation of the GDPR, which imposes hefty fines on companies that aren’t diligent with their cybersecurity, has forced a change in attitude for companies.
Enrique Ávila is in no two minds: “Cybersecurity is not negotiable. Regulatory compliance when it comes to cybersecurity and the protection of personal data also affects companies. And, whether they like it or not, in our current society, the loss of IT resources is highly likely to mean the end of the company – whether it’s because the business can no longer operate, because of the loss of reputation, or because of administrative or even penal sanctions, with the economic and social cost that this represents for our country”.
Thus, in this respect, the director of the Spanish National Center for Excellence in Cybersecurity points in two directions: making things compulsory and raising awareness among the public, as well as among employees, because every company “has the obligation to invest in protecting their IT infrastructure, as well as training their employees in the subject, since a great deal of the company’s profits are derived from the use of this same IT infrastructure”.