When hacking spells protection: lessons and tips from cybersecurity experts

When the team of Adriel Araujo, CEO and co-founder of Hackmetrix, a latin american company that specializes in cybersecurity, received a SOS from a startup that had just been cyberattacked, they started working against the clock. “They were deleting their clients’ databases, so we compiled best practices and decided to put ourselves in the attacker’s shoes to see all the potential vulnerabilities”, says Araujo.

He and his team performed what is called “ethical hacking”: going in through the “back doors” to find out which one was providing access to the database of the startup’s users. Yet they found that none of these vulnerabilities were compatible with the attack in question. What did they do?

They put themselves in the cyber-attacker’s shoes once again and concluded that only company developers had the power to administer the databases. It was then that they discovered that the hacker had planted a virus on the Chief Technical Officer’s (CTO) computer. “We wiped the CTO’s computer, as well as all the computers that were connected from the same network and implemented a security program from the ground up”, explains the Hackmetrix CEO and co-founder.

Far from being an isolated case, the situation Araujo describes is repeated in different ways around the globe. The fight against cyber threats is a daily one, although new firewalls are gradually coming onto the scene that prevent companies from putting their services, as well as their customers’ information, at risk.

Risk is at the back door

Companies and startups have placed the focus of their cybersecurity strategy on their agreements with partners. Connecting with APIs or other services is tantamount to increasing the risk of cyber-attacks, so increasingly more efforts are being made in this area to reduce the risks.

Vanesa Gil, Head of Cybersecurity Institutional Affairs in BBVA’s Corporate Security area, cites this “increased area of exposure” as one of the challenges that every company must face when addressing threats. “As a consequence of the acceleration of the digital transformation, many companies have started to use external platforms or ‘cloud’ environments. So, you have to contractually require that companies who join organisations have security certifications that are internationally recognized”, says Gil.

This is an opinion shared by Adriel Araujo, which he puts simply. “There’s no point investing massive amounts of money in cybersecurity programs and installing top-level software when your services are connected to third parties that don’t invest enough in this area”, he warns.

This is no trivial issue, but one that directly affects not only companies’ reputation, but their development as well. Cristina Bentúe, Chief Operating Officer and co-founder of IriusRisk, a Spanish cybersecurity startup, illustrates, through a case in point, the danger of not implementing a successful cybersecurity strategy.

“Recently, some colleagues mentioned to me that, by chance, a member of their team’s cybersecurity department discovered a vulnerability in the app of the occupational risk organization their company uses to conduct medical analyses. He found out that by simply changing the patient’s number in the browser URL, he could access the records of other employees”, says the co-founder of IriusRisk.

The consequences of this organisation’s failure to invest in data protection soon became apparent. “My colleagues’ company changed its risk management service provider”, Bentúe adds, “and now the company is extremely worried about both its funding and its reputation”.

Fortunately, cases like this can always be avoided by adopting a cybersecurity strategy like the one that many companies have adopted in the wake of the coronavirus pandemic.

A short cyber security handbook

With the rise of working from home, cybersecurity has become a critical element in any organisation’s strategy. The shift has been drastic and, according to PwC’s Digital Trust Survey 2022, 70% of companies in Spain plan to increase their cybersecurity budget by the end of 2022.

“We now have time to realise that it isn’t reactive security that we need, but rather proactive security, with specific budgets and which come from the companies’ management bodies”, says Bentúe.

Cybersecurity has become so critical for businesses that the focus of the fifth BBVA Open Summit 2022 will be on data security as one of the main issues for the successful development of startups and companies.

The goal is to address the new dangers that threaten companies and startups, although there are already several lessons that companies can apply to mitigate cybersecurity risks. The BBVA Open Innovation’s Innovation Masterclass held in October 2021 provided a number of keys, but what other steps can be taken?

• Invest in employee training. Training company employees in cybersecurity is one of the primary avenues that businesses have taken. BBVA, for example, opened up its cybersecurity training content after instructing more than 60,000 employees. “Employees that have this training are more aware of the risks that exist and know the main attacks they could face. This helps them to manage information securely”, says Vanesa Gil of BBVA.
• Know the risks. As recommended by IriusRisk’s Cristina Bentúe, in Spain the National Institute of Cybersecurity (INCIBE) “offers a space where companies and the public can have tools and advice based on good practices for preventing vulnerabilities and being victims of cyberattacks”.
• Draw up a Business Continuity Plan (BCP) and a Disaster Recovering Plan (DRP). Finally, Hackmetrix’s Adriel Araujo says that organisations should have these preventive programmes in place. The first is designed to ensure that a company can continue to operate as normal despite an attack, while the second plan refers to the strategy and steps that the organisation should take “to recover after the disaster”.

Learning about cases like those described here and implementing these practices help to build an ironclad defence that can repel the threats circulating online that put startups and companies at risk. Consequently, engaging in cybersecurity can no longer be relegated to the background. As IriusRisk’s Bentúe concludes, “just like an airbag isn’t added after a car is built, cybersecurity can’t be left out of companies’ architecture”.