Jesús Pacheco, Hispasec: “you can have the best security system, but one mistake can put everything at risk”
Cyberspace is filled with hackers trying to exploit companies and individuals. And it’s no secret that most cyber incidents happen due to human error.
Companies face various threats, including ransomware attacks, fraud, and data breaches. Attacks often succeed because of mistakes such as weak passwords or unencrypted data, among others. That’s why cybersecurity measures and awareness should be among the top priorities for any business.
Organizations can make use of various cyber protection solutions, such as anti-fraud tools or employee training services.
Tell us how it all started. How has the journey been since its release over two decades ago?
It all goes back to 1998, when four friends who are passionate about computer security decided to create a blog in which to publish news related to a cybersecurity incident every day. Thus unaaldia.es was born. Although it may seem easy today, as there is a multitude of incidents daily, in that now-distant time it was sometimes really difficult to find incidents worth mentioning. This idea was the first piece of machinery that would build Hispasec, the company we know today: a pioneer in Spain in the world of cybersecurity, with top projects used all over the world and a team of professionals and young promises with a great future ahead. As an example of this, I can mention Google's well-known “VirusTotal” project, which was born precisely within the walls of Hispasec. With this, you can imagine without a doubt that the trip has been interesting, with enriching experiences and very valuable lessons that have forged the core of Hispasec.
Can you introduce us to what you do? What are the main problems it helps solve?
I currently work as a Product Manager. I am involved in the entire product creation process, from an idea or a sketch on a blackboard to its materialization and use by customers, through the process of analysis, development, marketing, and after-sales. Ensuring the quality of the service and customer satisfaction is my priority. I am very lucky to have the best professionals in all our departments involved; without them, my work simply would not make sense. Neither can I forget the enormous work of the Hispasec management, which provides us with all the tools and comforts that we may need.
What would you consider to be the most significant changes you have witnessed over the years in the cybersecurity industry?
From the beginning of Hispasec until today, very significant changes have occurred in all areas of information technology, which in turn have led to the appearance of new vulnerabilities, threats, and scams that have forced the market to give cybersecurity the importance it has. This has resulted in the creation of solutions and multidisciplinary teams specialized in computer security, both in defense and attack. The fact that everything is now connected increases the surface of exposure to dangers that are becoming more sophisticated every day, elaborated by organized gangs dedicated to cybercrime. But I would like to point out that there is something that has hardly changed in all this time, and that is the lack of awareness or training in cybersecurity that people generally have. The users of all this technology are still mostly in the dark as far as cybersecurity is concerned. Although it seems that in recent months this has begun to change more quickly.
How do you think the pandemic has affected the way people approach cybersecurity?
The pandemic has been an accelerator in this respect. The obligation to work remotely has made clear the great lack of knowledge in terms of cybersecurity at most companies, and this has been very evident from the large number of incidents that have occurred in a very short time, mostly caused by ransomware. Faced with this barrage of incidents, both companies and workers have become aware of the problem and have started to work to minimize the consequences. This is a big step, although there is still a long way to go, never forgetting that cybercriminals also continue to improve themselves, as if this were an arms race between them and us, the computer security professionals.
What types of cyberattacks are prominent today? What warning signs should businesses be on the lookout for before it's too late?
It is clear that mobile banking malware, ransomware exfiltration of confidential information, phishing, and brand impersonation campaigns, among others, take the biggest part of the cake. A good 24/7 proactive surveillance system is essential to mitigate or minimize all these dangers, hence the importance for companies and organizations to have services, such as those offered by Hispasec. I can highlight, for example, the case of the largest fraud campaign discovered in 2021 that affected more than 800 international companies around the world known as "Anniversary", discovered by the Hispasec team.
In addition to ensuring security, it also provides cybersecurity training. What techniques do you use to keep the material interesting and easy to understand?
About that, I would like to turn again to the Hispasec team, specifically to the training department, made up of specialists and researchers with extensive experience in the field of university education. Their experience and knowledge of the needs and concerns of the students empower them to develop courses, seminars, and workshops that manage to maintain the interest of the students at all times and are always appropriate to the level of the participants. The use of real practical cases in them is also an incentive that draws a lot of attention from users.
Building a cybersecurity system is often a complex and time-consuming process. What details do you think companies often overlook?
They always ignore Murphy's law, hahaha. Seriously, now, what is most often neglected is precisely the part in which the systems fall under the direct responsibility of the user. Strong password policies, safe habits when browsing or sharing information, such as encryption, use of VPN, etc. We must never forget that we can have the best security system in the world and a simple mistake by its administrator can put absolutely everything at risk.
In your opinion, what cybersecurity measures are essential today? Which ones are more suitable for businesses and which ones for casual Internet users?
The first and most important measure is user training. Let's not forget that more than 90% of the incidents that have occurred in recent months would not have been possible without the intervention of a user who is careless or unaware of the existing threats and tricks. In addition to this, the use of antivirus applications, firewalls, new threat detection systems, DLP software, backup systems, and 24/7 active surveillance is already essential in the business and private environment. Without these systems, companies should not ask themselves “if they can be hacked”, they should ask themselves “when will they be hacked.”
Would you like to share what's next for Hispasec?
I can say that there are many projects underway that will soon see the light, and I am sure that they will not leave anyone indifferent. I would dare to say that the next revolution in the field of cybersecurity may once again be forged within the walls of Hispasec, but right now I owe it to professional secrecy and I cannot say much more. I do not like to make spoilers, but I see a great future.