The Limited Times


Cybercrime reaches unprecedented levels: 90 million attacks per year costing 10.5 trillion euros

2023-06-20T07:06:47.611Z

Highlights: One in five crimes in Spain is committed online, which will generate 150,000 complaints by 2025. "Every day there are 90 million cyberattacks in the world [more than a thousand per second] that represent a cost of 10.5 trillion euros", warns María Jesús Almanzor, CEO of Cybersecurity and Cloud at Telefónica Tech. IBM's management hopes that artificial intelligence will add to the defenses and reduce the average investigation time, which is now two days.


One in five crimes in Spain is committed online, which will generate 150,000 complaints by 2025


Follow-up of cyber attacks on the security and internet agency in Korea.

Every connected computer, mobile, router, vehicle or appliance is a treasure chest. "We all have something that interests a cybercriminal," says Luis Hidalgo, of the National Institute of Cybersecurity (Incibe). This individual, business and institutional mine of gigantic dimensions is the target of computer hacking, which has reached unprecedented levels not only in quantity, but also in sophistication. "Every day there are 90 million cyberattacks in the world [more than a thousand per second] that represent a cost of 10.5 trillion euros. If cybercrime were a country, it would be the third largest economy in the world only behind the US and China", warns María Jesús Almanzor, CEO of Cybersecurity and Cloud at Telefónica Tech, during the CSI Radar, an international meeting organized by Medina Media Events in Seville.

The profitability of cybercrime has generated increasingly specialized and effective organizations. "One in five crimes are through the network," warns Juan Salom Clotet, colonel head of the Cybersecurity Coordination Unit of the Civil Guard, who expects them to grow to reach 150,000 complaints in two years, 25% of all annual crimes. "84% of scams are online," he says.

And "every day the bad guys are faster," says Almanzor. This is corroborated by Isabel Tristán, IBM Security Director: "Cybercriminals have evolved and are able to deploy ransomware attacks [hijacking] in less than three days, while the average time for companies to detect it is seven months and two months to react." IBM's management hopes that artificial intelligence will add to the defenses and reduce the average investigation time, which is now two days, to less than 30 minutes.

In addition to being agile, cyberattacks are increasingly innovative: vectors and strategies are multiplying, especially those that exploit human error. Caixabank has recently warned of a fake SMS that is inserted into the bank's message history as if it were one of its own and that culminates in a call from a supposed manager of the bank.

Anyone, at any level, is a target. Sergio de los Santos, director of the Innovation and Laboratory area of Telefónica Tech, recalls cases such as that of an Uber executive who did not click on a malicious link he had been sent and then received a call from someone posing as a security officer, who demanded that he do so because it was necessary. The current president of the European Central Bank, Christine Lagarde, received an SMS that appeared to come from former German Chancellor Angela Merkel, whom she called to confirm that it was hers, and discovered that it was false. "Probably, to install a spyware," he says, referring to attacks such as those carried out with the well-known Pegasus, which has infected the mobile phones of governments, politicians, journalists and international businessmen.

"You have to be able to follow them. It is important that the good ones are just as fast and innovative," warns Almanzor, who puts the average cost per company affected by a malicious program at 105,000 euros. Salom Clotet describes that game of cat and mouse as a "spiral of reaction action".

But the task is not easy. In addition to the fact that attacks are intensifying and becoming more sophisticated, the Telefónica executive warns that there is no "fixed perimeter". "We don't know where the border is. They are not physical tangibles but digital and they are growing. What we have is not worth us," she says, referring to the ineffectiveness of individual solutions. Hidalgo corroborates this: "We have come a long way, but it is not enough."

Tristán agrees, warning that "traditional cybersecurity", focused on the individual provision of technologies and systems, has become obsolete. Along the same lines, José Capote, who is responsible for this area at Huawei, acknowledges that, in the era of 5G, "the borders of the network are blurred and are more complex to defend".

Almanzor advocates "zero trust." "It's not a product, it's an approach. Not even trusting the one inside," she says. She says so because, as Pedro Álamo, of the security company Proofpoint, points out, "97% of attack breaches are through email and, however, only 10% of the budget is dedicated to protecting it".

In this way, each individual is a door for cybercrime. According to Álamo, "60% of incidents are due to erroneous access by an employee." De los Santos agrees, pointing out that, of the 10 most common attack vectors, the vast majority depend on the user.

That is why he argues that a fundamental measure is to involve every individual in dealing with the threats, which will affect everyone sooner or later. As Almanzor states, "there are only two types of companies: those that have suffered an attack and those that do not." Along the same lines, José Girón, inspector of the Scientific Police of Seville, points to "arrogance" as one of the greatest obstacles to prevention: "Whoever believes that he controls everything, does not do it. Everything is so changeable that in minutes something that is in force at a certain moment is no longer useful."

But for De los Santos, "awareness without training is only fear", so he is betting on educating all parties, in all spheres. "The user needs to understand," he warns. In this regard, Hidalgo identifies a common pattern known as the "happy clicker", which refers to the user who compulsively clicks on every link that arrives. "These are, and a lot, in the upper echelons of an organization," he warns.

Almanzor agrees that knowledge is lacking at all levels, highlighting that "90% of companies in general do not know their current state of security". "They don't have a recovery plan and action for an attack that's going to happen. They are not prepared," she warns.

The scenario is very similar in all sectors, although the greater size and potential risk of a denial-of-service attack on water, health or energy entities, for example, means that the proportion left unprotected is lower there, though it is not eliminated. Juan Miguel Pulpillo, coordinator of the Industrial Cybersecurity Center (CCI), explains that, in this sector, "although some risk and incident assessment is made, between 40% and 60% of companies have not defined security measures."

Almanzor is committed to cyber resilience, which involves permanent verification, anticipation, prevention, resistance and recovery. She is equally committed to collaboration and to bringing in specialized technology partners.

But this will not be enough, because criminal activity will continue and grow, as Salom Clotet warns. Last year, in Spain alone, 118,000 cybersecurity incidents were recorded. One more front therefore remains: the prosecution of these crimes. Gabriel González, deputy prosecutor of Computer Crime, highlights that "technological innovations mean that certain crimes are included in the Criminal Code a posteriori of the occurrence of the criminal act." The legislation lags behind reality.

The colonel who heads the Cybersecurity Coordination Unit of the Civil Guard points out that even the crimes that are already covered are punishable, for the most part, by penalties that do not exceed two years in prison, except for pedophilia, which can be up to four years. Salom suggests analyzing whether penalties are proportional to the resources these crimes consume and the damage they cause on the network.

Source: elparis
