Imagine you are enjoying a pleasant weekend at the seaside when your phone rings. It is your firm's head of IT, calling to say that you have been hacked and that the cyber criminals are demanding payment in return for not destroying your corporate data. They have set a deadline of 24 hours for paying the ransom. You pinch yourself and, yes, this is really happening to you.

Fortunately, not all attacks are quite so dramatic. More often, an organisation is the target of a continuous stream of minor scams over time until the attackers launch the final assault, or until you "take the bait" by responding to an apparently harmless email, purportedly from a trusted supplier, giving you a new bank account number for the payment of their future invoices.

Recent years have seen an increase in cybercrime and, with it, losses of money, data, reputation and customers, as well as administrative fines. This rise in crime has led organisations, mainly large ones, to spend vast sums on protecting themselves out of fear of possible harm. Yet huge investments are not always the best way of defusing the risk.


Today's workplace is digital: the world has become increasingly reliant on technology and is therefore exposed to new risks. The vast majority of organisations have yet to come to terms with changes that were already underway and which COVID-19 has accelerated: the migration of information systems to the cloud, working from home, mobility, new legal compliance requirements, and the new threats that test our security.

Partners, clients and suppliers interact with us through a range of contact points: mobile phones, the internet, e-commerce, social networks, collaboration platforms, and so on. An organisation has to keep moving forward and keep pace with its users. The business advances, often overlooking the security that the interactions at these points of contact require, and we tend to leave it to the marketing department, which knows how to sell but not how to build in security and trust.


Cybersecurity is a textbook case of volatility and uncertainty. The first step is to understand our operating environment and the challenges we face, so that we can choose the solution that best fits our specific requirements. We do so knowing that the measures introduced today will not last long, and may be useless against the challenges of the future.

Most organisations never assess their exposure to cyber risk: they are unaware of the threats that may affect their business and of the specific vulnerabilities in their information systems. This new scenario calls for regular, independent assessments (vulnerability assessments and penetration tests, for example) focused wherever a loss would hurt most or wherever vulnerabilities are most likely to accumulate.

Knowing the adversary, that is, who is likely to target the organisation and how, enables it to define how it will deal with the scenarios that the bulk of cyber criminals are most likely to produce. This 360-degree view gives a detailed picture of strengths, weaknesses and emerging threats, and lets us take the opportunity to resolve present risks and pre-empt coming ones.

This evaluation also enables us to shed light on our defence capabilities, our shortcomings, and the next steps that need to be taken.


The usual response is to react once an attack has taken place, which is when cybersecurity suddenly becomes a priority in the organisation. Just as organisations draw up financial, sales and service-quality forecasts, it is advisable to have a preventive policy that detects and identifies weaknesses, and responds to them, wherever they are or wherever they may become a future liability.

Cybersecurity issues do not just concern the Chief Information Security Officer (CISO), the IT department, or the contractor responsible for our security. Organisations need a robust cybersecurity culture in which everyone shares responsibility for mitigating the risk to the organisation's data.