It is hugely relevant that that for the first time the onus is on the "supply chain", i.e., the ENS (National Security Scheme) will become mandatory not only for government organizations but also for "private sector operators that provide services to public sector entities, due to the high degree of overlap between them [which] must guarantee the same level of security that applies to systems and information in the public sector".
This situation can be perfectly extrapolated to any company regardless of its size, given the high degree of intertwining or relationship that technology confers to business processes on the side of customers, employees and suppliers.
Spain, as a country, ranks 8th out of the 160 countries participating in the National Cyber- Security Index (NCSI), an index that measures the cybersecurity mechanisms implemented by central governments, with a score of 88.31, and a digital development level of 73.92. Not bad if we take into account that in the NCSI we are behind most European countries, Japan, USA or China. In this sense, the 2022 special report "Cybersecurity of EU institutions, bodies and agencies", gives us a real picture of the situation in public administration, with a conclusion that also applies to private enterprise: "In general, the level of preparation is not enough to face up to the threats".
Cybersecurity measures from a global perspective
A professor at the Polytechnic University of Madrid and representative of the Foundation Circle of Technologies for Defense and Security, Victor A. Villagrá, at the Innobar meeting, held at the Espaitec-UJI gave an overview of the four pillars of cybersecurity, which all company staff working on these issues should be aware of: Threats, know what they are and who generates them; Cybersecurity Policy, planning and governance; Technologies, understand them and apply the appropriate ones; Cybersecurity operations, i.e. the set of actions for asset protection.
In any case, INCIBE recommends a minimum set of measures to be applied, prioritizing them in each organization according to its specific capabilities:
Keeping software up to date, prioritizing not to have vulnerabilities classified as critical or high, is very important, as we have recently seen with vulnerabilities similar to the past Log4Shell or the current Follina. Consequently, companies must monitor and identify these vulnerabilities using different methods, either by means of vulnerability analysis tools or by subscribing to alerts from manufacturers or CERT-CSIRT type organizations.
Mobile devices should not be overlooked. This is threat not usually covered but is rapidly increasing in criticality. Here Sofistic offers the UareSafe application specially designed for cell phones.
Some of the recommended solutions, depending on the capabilities of the companies, include:
Want to learn more about Sofistic's services?
Networks and systems
Optimal segmentation of the different networks used is essential, not only to improve management and performance, but also to ramp up cybersecurity. An example of this segmentation is the separation of corporate networks from guest networks. Another example would be to apply a traffic filtering policy, preventing access to web pages that are deemed to be insecure.
Source: bayshorenetworks bayshorenetworks The image refers to a specific OTaccess Server solution.
Furthermore, don’t ignore the fortification and firewalling of systems in the cloud. This aspect is very relevant especially in secure development environments, where any developer can create and initialize a request. Leaving cloud services exposed is a very high risk.
The organization's backup strategy is vital for business continuity and disaster recovery. This strategy must take different scenarios into account and it is recommended to follow the 3-2-1 rule. These measures are must be reviewed periodically.
E-mail and awareness
Nowadays it is practically essential to have a BCP (Business Continuity Plan) to analyze the possible impact on the business of the different threats, draw up operational recovery plans and periodically carry out validation tests of the BCP itself. The aim is to have "living documents" that help companies maintain, review and periodically test the continuity plan that will enable them to resume activity in the event of any contingency.
To achieve our objectives is to make clear what they are and what steps we will take to reach them
Put into practice what was previously planned... Doing nothing is a sure way to failure.
Just as important as taking action is to verify and reflect on what has been done and identify what has gone well and any areas for improvement.
Resolve the mistakes and enhance the successes.
Taking all this into account, below we have stated some basic principles that any company should consider for the sake of its security:
- Risk-based security management
- Prevention, detection, response and conservation
- Existence of lines of defense
- Continuous surveillance
- Periodic reevaluation
- Differentiation of responsibilities