
Pegasus has highlighted the need to protect our systems. We tell you how to minimize the risks and threats to your company with a correct cybersecurity policy.

On May 4, 2022, Royal Decree 311/2022 regulating the National Security Scheme (ENS) was published in the Official State Gazette, supported among other things by the evidence that "information systems are increasingly exposed to the emergence of threats from cyberspace. Cyber-attacks are increasing all the time, both in frequency and impact, and the perpetrators are gaining technical and operational capabilities all the time." This is a clear summing-up of the current environment, and it applies to private companies and government institutions as well as to individuals who use the internet.

It is hugely relevant that for the first time the onus is on the "supply chain", i.e., the ENS (National Security Scheme) will become mandatory not only for government organizations but also for "private sector operators that provide services to public sector entities, due to the high degree of overlap between them [which] must guarantee the same level of security that applies to systems and information in the public sector".

This situation can be perfectly extrapolated to any company regardless of its size, given the high degree of intertwining or relationship that technology confers to business processes on the side of customers, employees and suppliers.

Spain, as a country, ranks 8th out of the 160 countries participating in the National Cyber Security Index (NCSI), an index that measures the cybersecurity mechanisms implemented by central governments, with a score of 88.31, and a digital development level of 73.92. Not bad if we take into account that in the NCSI we are behind most European countries, Japan, USA or China. In this sense, the 2022 special report "Cybersecurity of EU institutions, bodies and agencies" gives us a real picture of the situation in public administration, with a conclusion that also applies to private enterprise: "In general, the level of preparation is not enough to face up to the threats".

The index is divided into 12 categories, and in each of them a score is obtained based on a series of indicators and, in some cases, evidence of the same. If you follow the source URL at the bottom of the image, you will find the complete details for each individual one.

Even those companies with high cybersecurity capabilities are surrounded by threats. Juan Carlos García, SOC responsible and Country Manager Spain of Sofistic, Cuatroochenta's cybersecurity division, knows this very well.

Sofistic also has experience in critical infrastructure, such as the "El Dorado" airport in Bogota, Colombia (incidentally, ranked 74th in the NCSI index). This airport is the second busiest in South America, which gives an indication of the challenge of managing its cybersecurity, and yet it achieved complete threat visibility and a 98% reduction in incidents in its first year of operation.

In any case, INCIBE recommends a minimum set of measures to be applied, prioritizing them in each organization according to its specific capabilities:

Authentication improvements

One of the main problems in cybersecurity concerns password management. In fact, one of the first attacks carried out by cybercriminals is aimed at this point. It is therefore very important to establish a model for the use of secure passwords with sufficient complexity and regular change, for all applications and web services in use and particularly on computers (laptops, desktops, mobiles, etc.).

Once cybercriminals obtain a password, it is common for them to launch attacks at other services where an active account has been identified. In order to avoid this problem, it is recommended to use a different password for each service.

Taking into account these two previous points, the necessity to establish additional mechanisms to guarantee safe access becomes clear. We now have the so-called multifactor authentication, which requests an additional element from the user, such as login confirmation from a mobile device or by sending an SMS.

Last but not least, it is important to apply the principle of least privilege, both at the user level (eliminating unnecessary access) and at the resource level (using computers without administrator accounts).

Networks and systems

Optimal segmentation of the different networks used is essential, not only to improve management and performance, but also to ramp up cybersecurity. An example of this segmentation is the separation of corporate networks from guest networks. Another example would be to apply a traffic filtering policy, preventing access to web pages that are deemed to be insecure.

Source: bayshorenetworks. The image refers to a specific OTaccess Server solution.

Furthermore, do not neglect the hardening and firewalling of systems in the cloud. This aspect is especially relevant in secure development environments, where any developer can create and initialize a request. Leaving cloud services exposed is a very high risk.

The organization's backup strategy is vital for business continuity and disaster recovery. This strategy must take different scenarios into account, and it is recommended to follow the 3-2-1 rule. These measures must be reviewed periodically.

E-mail and awareness

Email is of vital importance for companies, so it is essential to implement protection policies and protocols to avoid incidents such as phishing or the so-called "CEO fraud".

Raise awareness and train employees, so that they are able to identify and protect themselves from targeted attacks, and provide them with state-of-the-art security practices. These points are key, as they are often the preferred gateway for criminals to gain access to IT systems.

Contingency plans

Nowadays it is practically essential to have a BCP (Business Continuity Plan) to analyze the possible impact on the business of the different threats, draw up operational recovery plans and periodically carry out validation tests of the BCP itself. The aim is to have "living documents" that help companies maintain, review and periodically test the continuity plan that will enable them to resume activity in the event of any contingency.


To achieve our objectives, we must make clear what they are and what steps we will take to reach them.


Put into practice what was previously planned... Doing nothing is a sure path to failure.


Just as important as taking action is to verify and reflect on what has been done and identify what has gone well and any areas for improvement.


Resolve the mistakes and enhance the successes.

We saw in the introduction that the ENS approved by RD 311/2022 focuses for the first time on the "supply chain". It is therefore advisable to review the access that suppliers and associated companies have been granted to systems and networks, since a third party with whom we collaborate can be used as an entry vector into the organization, and to incorporate them into our BCP.

Taking all this into account, below are some basic principles that any company should consider for the sake of its security:

  • Risk-based security management
  • Prevention, detection, response and conservation
  • Existence of lines of defense
  • Continuous surveillance
  • Periodic reevaluation
  • Differentiation of responsibilities

It is not only important to have an adequate cybersecurity policy in place; it should be implemented urgently. Each company is at a different stage in terms of its implementation, and it is not easy, because the solutions require effort since they go against the grain of ‘what we have always done’. It is key, however, to take this step and have a plan that allows you to gradually achieve your specific cybersecurity objectives. Your company will thank you for it.