Tracking cyber attacks at the internet and security agency in Korea.

Every connected computer, mobile phone, router, vehicle or appliance is a treasure chest. “We all have something that interests a cybercriminal,” says Luis Hidalgo, from the National Institute of Cybersecurity (Incibe). This gigantic individual, corporate and institutional mine is the target of hackers, who have reached unprecedented levels not only in quantity, but also in sophistication. “Every day there are 90 million cyberattacks in the world [más de un millar por segundo] which represent a cost of 10.5 trillion euros. If cybercrime were a country, it would be the third largest economy in the world, only behind the US and China”, warns María Jesús Almanzor, CEO of Cybersecurity and Cloud at Telefónica Tech, during the CSI Radaran international meeting organized by Medina Media Events in Seville.

The profitability of cybercrime has generated increasingly specialized and effective organizations. “One in five crimes are through the network,” warns Juan Salom Clotet, colonel in charge of the Cybersecurity Coordination Unit of the Civil Guard, who expects that they will grow to reach 150,000 complaints in two years, 25% of All annual crimes. “84% of scams are online,” he highlights.

And “every day the bad guys are faster,” says Almanzor. This is corroborated by Isabel Tristán, IBM Security Director:. “Cybercriminals have evolved and are capable of deploying attacks of ransomware [secuestro] in less than three days, while the average time for companies to detect it is seven months and two months to react”. IBM’s management trusts that artificial intelligence will add to the defenses and allow the average investigation time to be reduced to less than 30 minutes, which is now two days.

In addition to being agile, cyberattacks are increasingly innovative: vectors and strategies are increasing, especially those aimed at human error. caixabank has recently alerted of a false SMS that is incorporated into the bank’s message history as if it were its own and that culminates in a call from an alleged manager of the entity.

Anyone, at all levels, is a target of attacks. Sergio de los Santos, director of the Innovation and Laboratory area at Telefónica Tech, recalls cases such as the link sent to an Uber executive, who did not click on a malicious link and received a call from someone posing as a security officer. to demand that he do it because it was necessary. The current president of the European Central Bank, Christine Lagarde, received an SMS from the former German chancellor Angela Merkel, whom she called to confirm that she was hers and discovered that it was a false door. “Probably, to install spyware,” she comments, alluding to attacks such as those generated by the well-known Pegasus, which has infected mobile phones of governments, politicians, journalists, and international businessmen.

“You have to be able to follow them. It is important that the good ones are just as fast and innovative”, warns Almanzor, who calculates an average cost per company affected by a malicious program at 105,000 euros. This game of cat and mouse is defined by Salom Clotet as an “action-reaction spiral”.

But the task is not easy. In addition to the fact that the attacks intensify and become more sophisticated, the Telefónica board of directors warns that there is no “fixed perimeter”. “We don’t know where the border is. They are not physical tangible but digital and they are growing. What we have is not worth it ”, he affirms in relation to the ineffectiveness of individual solutions. Hidalgo corroborates this: “We have made a lot of progress, but it is not enough.

Tristán also agrees, warning that “traditional cybersecurity”, focused on the individual provision of technologies and systems, has become obsolete”. In this sense, José Capote, Huawei’s manager in this area, acknowledges that, in the 5G era, “network borders are blurred and are more complex to defend.”

Zero Trust is not a product, it is an approach. Do not trust even the one inside María Jesús Almanzor, CEO of Cybersecurity and Cloud at Telefónica Tech

Almanzor advocates “zero trust.” “It’s not a product, it’s an approach. Do not trust even the one who is inside ”, he assures. And he affirms this because, as Pedro Álamo, from the security company Proofpoint, points out, “97% of attack breaches are through email and, nevertheless, only 10% of the budget is dedicated to protecting it.”

In this way, each individual is a door to cybercrime. According to Álamo, “60% of incidents are due to an erroneous access by an employee.” De los Santos also agrees, pointing out that, of the 10 most common attack vectors, the vast majority depend on the user.

That is why he defends the involvement of each individual in the threats as a fundamental measure, which will affect everyone, sooner or later. As Almanzor affirms, “there are only two types of companies: those that have suffered an attack and those that do not know it.” In this sense, José Girón, inspector of the Scientific Police of Seville, points out “arrogance” as one of the greatest difficulties in prevention: “Whoever thinks they control everything, does not. Everything is so changeable that in minutes something that is in force at a certain moment no longer works”.

Whoever thinks they control everything, doesn’t. Everything is so changeable that in minutes something that is in force at a certain time is no longer useful José Girón, inspector of the Scientific Police of Seville

But for De los Santos, “awareness without training is just fear”, which is why he is committed to educating all parties, in all spheres. “The user needs to understand,” he warns. In this sense, Hidalgo identifies a common pattern known as “happy clicker” (happy clicker) and that refers to the user who compulsively clicks on each link that arrives. “These are, and a lot, in the upper layers of an organization,” she warns.

Almanzor agrees with the lack of knowledge at all levels, noting that “90% of companies in general do not know their current security status.” “They do not have a recovery and action plan in the face of an attack that is going to happen. They are not prepared, ”he warns.

The scenario is very similar in all sectors, although the greater size and potential risk of a denial of service attack in water supply, sanitation or energy entities, for example, means that the percentage of lack of protection is reduced, although it is not remove. Juan Miguel Pulpillo, coordinator of the Industrial Cybersecurity Center (CCI), explains that, in this sector, “although some risk and incident assessment is made, between 40% and 60% of companies have not defined security measures ”.

Almanzor is committed to cybernetic resilience, which implies permanent verifications, anticipating, preventing, resisting and recovering. And for collaboration, as well as for the incorporation of specialized technological partners.

But this will not be enough because criminal activity will continue and grow, as Salom Clotet warns. Last year, only in Spain, 118,000 cybersecurity incidents were recorded. Therefore, there remains one more front that resides in the prosecution of these crimes. Gabriel González, delegate prosecutor for Computer Crime, highlights that “technological innovations mean that certain crimes are included in the Penal Code a posteriori of the occurrence of the criminal act”. Legislation lags behind reality.

The colonel in charge of the Cybersecurity Coordination Unit of the Civil Guard points out that even the crimes that are already included are punishable with penalties that do not exceed two years in prison for the most part, except for pedophilia, which can be up to four years . Salom suggests analyzing whether the penalties are proportional to the resources they consume and the damage caused by online crimes.

