Ricardo Cañizares (AES): “Quantum computing and artificial intelligence will pose new cybersecurity challenges.”
Ricardo Cañizares, a cybersecurity expert and member of the board of directors of the Spanish Association of Security Companies (AES), cautions in this interview that the challenges the industry will face in 2024 will be a progression of current ones, exacerbated by new threats that are not yet known but will emerge from quantum computing, artificial intelligence, and other emerging technologies.
What are the main challenges facing the cybersecurity sector for 2024?
The challenges we face are a continuation of those encountered in 2023 but amplified by emerging threats yet unknown, but certainly arising from quantum computing, artificial intelligence, and other advancing technologies. Dealing with ransomware will continue to be one of the most important challenges. Their entry point is solely through deceiving end-users, and cybercriminals leveraging artificial intelligence will further complicate the detection of deception by end-users.
What could be the potential consequences of cyberattacks for Spanish companies?
Suffering a cyber-attack always has an impact, even if we can detect and stop it. In fact, it always leaves a mark, let alone if we fail to detect or stop it; in such cases, its impact can be devastating, resulting in the complete obliteration of the company, especially for SMEs, though not limited to them.
It is challenging to determine in advance the impact of a cyberattack when a company becomes the victim. The impact of a cyberattack will be determined by its severity, effectiveness, the company's level of preparedness, and how it handles the attack response, both during and after the event. Effective communication, both internally and externally, plays a critical role in managing the response to a cyberattack.
The impact of a cyberattack will have various consequences, with the initial outcome commonly being financial. Even if we can prevent the attack, it will still incur a cost. Interrupting a cyberattack comes with a cost, potentially leading to the disruption of the company's operations.
If we cannot interrupt the cyberattack, it is evident that the attack's economic costs will surge, encompassing expenses associated with containing, mitigating, and recuperating from the damage, in addition to those arising from the interruption or loss of the company's production capacity.
What would the other consequences be?
As I said before, the effects are not solely economic. A cyberattack can severely damage a company's reputation and cause loss of trust, which impacts relationships with customers, suppliers, employees, investors, and regulators. Improper management of a cyberincident could jeopardise the relationship with “stakeholders” and have long-lasting consequences for any business.
Finally, there is the legal risk. If a company falls victim to a cyberattack and the attack proves successful, it raises the question of whether the company has taken the appropriate measures as required by applicable laws and regulations.
I won't list all the cybersecurity legislation that may apply to a company but instead mention the Cybersecurity Code available in the BOE.
What should a sound cybersecurity strategy emphasise?
There are two essential components when determining a cybersecurity approach. The commitment of senior management is crucial for effective cybersecurity. This requires not only approving a cybersecurity strategy and policy, but also providing the necessary resources to implement it. Without resources, any strategy or policy is ineffective.
The second equally important factor is the dedication of all staff members in the organisation to cybersecurity. Without proper training and awareness among all personnel throughout the organisation, from the highest level down to the lowest, no meaningful progress can be made.
The first line of defence against cyberattacks is the people, specifically the users of the computer systems. No matter how many security measures we implement, whether through hardware or software, or how many operating procedures we develop, if individuals lack awareness of their responsibilities along with necessary training and awareness, our efforts will be futile. It is imperative that senior management allocates the necessary resources to ensure that all personnel in the organisation receive adequate cybersecurity training and awareness.
What other factors must we consider when discussing cybersecurity?
Our focus should not be limited to the IT cybersecurity of the information and communication systems we employ to administer our businesses and offer services. It is crucial to keep in mind other technologies like OT, IoT, and others. Additionally, it is vital to prioritise ensuring the cybersecurity of electronic security systems that safeguard organisations, companies, and individuals from physical threats.
AES has been actively addressing this issue for several years. An example of this is the work done by the Cybersecurity Work Area, of which I'd like to highlight the following: “Cybersecurity as part of the new paradigm of Security” (https://www.aesseguridad.es/documentacion/GRUPO_TRABAJO_Ciberseguridad_web_v2.pdf).