This exposure to the technological world has also come with greater exposure to cyberattacks, crimes that were already on the rise before Covid-19. In fact, they have soared 509% in eight years. In 2023 alone, there were 472,125 computer crimes, 26% more than the 374,737 registered the previous year, according to the Report on cybercrime in Spain prepared by the Ministry of the Interior. Cybercrime grows so much every year that its proportional weight in crime overall is increasing: it has gone from 9.9% in 2019 to 19.2% in 2023.
“In recent years we have made an enormous digital transformation in companies, we have changed our entire infrastructure. With the arrival of the pandemic and teleworking we have greatly expanded the attack perimeter of a company. In addition to the fact that it has grown enormously,” Alejandro de la Peña, general director in Spain of A3Sec, explains to elEconomista.es. The company provides services to help its clients detect, prevent and react to a cyberattack.
This growth in the attack perimeter has caused these crimes to practically double, going from 218,302 in the year before the pandemic to 472,125 in 2023, according to data from the Ministry of the Interior. “The tools that attackers have, year after year, are getting better and better. It is true that the defense is also improving, but it is always easier to attack than to defend,” highlights de la Peña.
60% of attacked companies close 6 months later
The objective of these cybercriminals is none other than economic benefit, which is why in general the most common crimes are those based on social engineering, such as phishing and ransomware, because it is more profitable to directly attack people than companies. “The calculation for a ransomware attack, which is the most typical, is about 5 million euros,” says the A3Sec manager.
This economic impact also goes hand in hand with a reputational impact. “60% of attacked companies close 6 months later. A Spanish SME cannot assume the cost of, for example, 100,000 euros because it completely disrupts its business and makes it no longer competitive,” adds Diego León, CEO of Flameera. Although companies are taking more and more measures to protect themselves from this type of attack, the reality is that there is no definitive vaccine against these crimes. “Cyberattacks have already surpassed the money that moves with drugs. Furthermore, part of the problem is that SMEs do not focus as much on cybersecurity,” denounces León.
These types of companies, which form the majority of the Spanish business fabric, encounter greater difficulties when it comes to taking measures to protect themselves from cyberattacks, above all because such measures usually entail an investment that they cannot always assume. Furthermore, it must be taken into account that they are the main target of cyber attackers. According to Google data, 43% of cyberattacks target SMEs. This is because their resources are more limited, their infrastructure is outdated, they are the gateway to other companies and they have fewer resources to stop and respond to attacks.
“Why are SMEs attacked? A lot of emphasis is being placed on what is called the supply chain. Many times they are attacked because they are providing service to the large company. They do not enter through the site that has the strongest security; they enter through those that have low security but have a connection with the large one,” says León. “There are several ways to enter a company, one is through the supply chain. And this is fabulous for cybercriminals because with a single attack their malware is distributed to many companies,” adds de la Peña.
The NIS2: the solution?
Last October 18 was a date marked on the calendar regarding the way in which companies and institutions address digital security. The reason? The arrival of the NIS2 regulations. This regulation seeks to expand the scope of European Union cybersecurity rules to new sectors and entities to improve incident response capabilities. It affects all EU organisations, industrial and non-industrial, including their suppliers.
“This is a European regulation. NIS1 affected six sectors (banking, energy, water, health, transport and digital infrastructure) and now they have expanded it to 12. They are essential entities, the most critical, and important entities, the least critical. Furthermore, NIS2 has included SMEs. The objective is for companies to be more resilient to attacks,” details the general director in Spain of A3Sec.
Among the measures included in the standard that companies must adopt are “new measures on risk analysis, on the company’s activity, security in the distribution chain, improvement in incident management and in the development of information security systems…”, lists de la Peña.
The NIS2 also includes an important sanctioning regime that will affect those companies that do not comply with the requirements. “In the case of essential entities, they face fines of up to 10 million euros or 2% of their annual income, and for important companies up to 7 million or 1.4% of their income,” explains the CEO of Flameera.
NIS1 affected six sectors (banking, energy, water, health, transportation and digital infrastructure) and has now been expanded to 12
The Member States of the European Union had until October 18 to transpose the directive into their national legislation. This means that affected companies must be prepared to comply with the requirements from that date. In addition, by 17 January 2025, Member States must have communicated the sanctioning regime applicable for non-compliance and, by 17 April 2025, they must have drawn up a list of essential and important entities. Although the deadlines are public, very few countries are up to date with the calendar. “The problem is that it had to be done by October 17 and the only countries that have completed the transposition are Belgium, Croatia and Hungary. In the case of Italy, Germany or Finland, for example, they have made a draft, but they have not published it. Spain and many other countries do not have a draft or preliminary project. There is still a lot left,” denounces the CEO of Flameera.
The general director in Spain of A3Sec is not optimistic about the deadlines: “October 17 is the date on which everything should be ready, but the reality is that it is not yet known when it will be. The reality is that everything is being delayed.”
Long way to go
Although these are increasingly common crimes and have a very important impact on companies’ accounts, the reality is that there is still a long way to go in terms of security. In fact, only 46.8% of companies claim to have formally defined a specific digital security plan, according to data from the Business Competitiveness Observatory dedicated to cybersecurity carried out by the Spanish Chamber of Commerce.
The data supports León and de la Peña’s account regarding the involvement of SMEs in cybersecurity. Thus, the existence of a cybersecurity policy is lower in microenterprises (29%) and among small (56.3%) and medium-sized companies (61.5%), while it is notably higher in larger companies (85.7%).
Furthermore, the study indicates that only 24.3% of the companies consulted plan to reinforce their cybersecurity in the next 12 months, with an average increase in investment of 23.5%. This is because most companies say they feel safe, either because they consider themselves well protected (73.8%), because they see themselves as little or not at all attractive to cybercriminals (55.3%), or because only 11% of them have suffered a cyberattack in the last 24 months.
As with planning, the results indicate that concern, the feeling of vulnerability and the self-perceived attractiveness to cybercriminals increase as the size of the company increases.