Ignacio Porro (INCIBE): “Cyberattacks can cause economic harm and reputational damage”
Ignacio Porro Sáez, a cybersecurity technician at INCIBE (National Cybersecurity Institute), an entity which reports to the Ministry of Digital Transformation and the Civil Service, discusses in the following interview the resilience of Spanish companies in the face of cyberattacks and the importance of drills in preventing these risks. According to this expert, the main consequences of a cyberattack can be the loss of sensitive information, activity paralysis, economic damage, reputational damage and the risk of legal non-compliance.
What damages could a cyberattack cause to Spanish companies?
This would depend on the attack involved. For example, if it is a ransomware attack, the data will be encrypted and the company will probably suffer financial and service availability losses, as well as a possible data breach; this could also lead to financial penalties for non-compliance. These attacks also often result in reputational damage to the company's external image and with its customers.
Other types of attack, such as a denial of service, also known as DoS, lead to the company suffering from the unavailability of its service. For instance, if it involves an online retailer, the situation will entail financial losses as it will not be able to sell its products and this will also lead to a loss of customer confidence and reputational issues. We also have to take into account other types of attacks that are common today, such as phishing scams, and their derivatives, smishing and vishing. Using fraudulent messages, cybercriminals try to get employees to reveal confidential company information.
In summary, the main consequences of a cyberattack are usually the loss of sensitive information, activity paralysis, economic damage, reputational damage and the risk of legal non-compliance.
How resilient are companies to these cyberattacks?
It is hard to determine an exact figure on the capacity of Spanish companies to withstand a cyberattack. It is also true that, since the Covid pandemic, teleworking and the online environment have become more active, and companies are becoming more cyber-security conscious, investing more in resources to protect themselves from potential cyberattacks. But there is still a lot of work to be done, especially in those companies that can allocate fewer resources to cybersecurity, such as micro-SMEs and the self-employed.
Could we say that we are at a similar level to other European countries in this respect?
Things are going very well in Spain. We are becoming increasingly aware and there is a high level of maturity in terms of cyber security issues. We are not ahead of other major countries like Germany or France, but we are not behind them either, I would say we are in a similar position.
What preventive measures can both large companies and SMEs take?
The first thing is training and raising awareness, both for employees and employers. It should be borne in mind that when an employee is trained and his/her awareness raised with regard to cyber security, he or she becomes the first line of defence against a cyberattack. If you have some basic knowledge in this area, you will be able to distinguish, for example, a legitimate e-mail from a phishing e-mail. You will also know how to act if you receive an e-mail with an attachment from someone you don't know or don't trust. However, on the other hand, it is also important to have well-defined cybersecurity policies in place, which are accessible to all members of the company and which address essential aspects and elements of that which needs to be kept under control. These policies usually include a list of tasks to be carried out by the company in this area.
How important are drills in preventing these risks?
Conducting drills is very important as it allows you to react to a cyberattack in a controlled environment and to ascertain whether you are prepared to deal with it. INCIBE has launched CyberEx, a series of cyberexercises which allow us to test the participating entities to determine their level of maturity in dealing with this type of situation. The exercises cover all roles in companies, from senior management to trainees, as well as the technical team assigned to deal with these issues. In this way, the present level of maturity and coordination can be ascertained, pinpointing areas for improvement.