
Coronavirus and cybersecurity


Vicente Moret analyses cybersecurity in the light of the COVID-19 declaration of alarm

The outbreak of an unexpected event such as the Covid-19 epidemic, a black swan, is bringing out many different perspectives on how to address a health problem that has already become a national security crisis. Above all, it is highlighting how important it is that the legal and administrative mechanisms States need to deal with emergencies of this magnitude are prepared and in place in advance, so that the response can be effective.

In today's States, the concept of national security and the institutional system responsible for it are aimed at implementing public policies that consider security comprehensively, from every perspective. The interconnections between the different areas that affect national security are becoming evident in this Covid-19 crisis, in which a health security crisis must be addressed together with its consequences for economic security, public order and food security. In short, it is a question of fully protecting the sphere of rights and freedoms of Spanish citizens in each of the areas of special interest identified in the National Security Strategy.

One of the approaches that deserves special attention in this complex and turbulent context is cybersecurity. As a consequence of the declaration of a state of alarm to manage the health crisis caused by Covid-19, many organizations and companies are implementing remote working arrangements using digital tools that were unthinkable until a few years ago. Those that already used these ways of working routinely before the health crisis probably had well-designed communications and management systems that treated cybersecurity as a determining factor when adopting them. Others, however, had not foreseen that remote working could be rolled out suddenly and on a massive scale, and cybersecurity was probably not a central concern when they responded to the need to keep their management activity running.

For this reason, the National Cryptological Centre (CCN), part of the National Intelligence Centre (CNI), has issued several recommendations in recent days to prevent this massive use of remote working systems from facilitating intrusions, the spread of malware, disinformation or any other type of malicious activity that could lead to serious cyber-incidents.

This is the moment to stress how important it is, both for preventing risks and for mitigating possible liabilities, that companies and organizations have internal rules and protocols that allow them to deal with these cyber risks, with the assurance that the risks are managed in a timely and prepared manner. Technological tools are essential for this. However, these attacks are almost always based on social engineering, which means the resilience of the organizations and individuals targeted must also be strengthened. A company or organization's cybersecurity policy must be given concrete form by drafting and adopting internal rules that set out principles, procedures and obligations binding on all members of the organization. Mandatory internal regulatory instruments with legal content can establish preventive and reactive guidelines against online fraud. They also serve to align and unify criteria and to attribute responsibilities and functions clearly in the event of a cyber attack.

While there are many general recommendations in this area that are commonly accepted as useful, an effort must be made to adapt them to the specific purposes and characteristics of each organization. The principles that should guide the drafting of these internal rules include simplicity, commitment to security, accountability, standardization of processes, training and confidence building. At a minimum, these internal rules should regulate aspects such as identity verification; alerts; unacceptable uses; incident reporting; and the use of personal devices, wi-fi connections and passwords, among others. All of these aspects should be backed by corresponding disciplinary measures in case of serious non-compliance.

In short, sound internal regulation of internal processes in this area can be an effective means of prevention, and it also focuses the entire organization, in a homogeneous way, around common standards and shared criteria for action. For these rules to be effective, the whole organization must be involved in complying with them, from the highest levels of management down to the base of the organization. Such internal standards can be a powerful tool for bringing efforts together coherently and ensuring commitment to cybersecurity. As this Covid-19 crisis is demonstrating, we cannot start worrying about extraordinary situations once they have already arrived; we must prepare to manage them before they occur.

You can see the article in El Economista