IT security: a business and personal need
As is well known, we are in the era of digitization of information in technological equipment, corresponding, among other things, to the optimization of physical spaces, environmental measures and ease of processing large amounts of information (Big Data).
This is why companies, and even the National Government, are working on the implementation of mechanisms that accelerate the migration from physical to digital information, as is the case of electronic invoicing, databases of customers, suppliers and employees, the structuring of business plans, and taxes to be declared before the Dian, among others no less important.
Thus, since information is one of the most important (intangible) assets in a company, the digitization process of this asset has become very important for companies.
Along with new technological trends to protect this intangible asset, the sophisticated tools used by cybercriminals to damage, eliminate and/or hijack digital information owned by companies are evolving, through the encryption or encoding of documents. Once this process is executed by the criminals (who are usually located thousands of kilometers away), they condition the release of this data in exchange for the payment of money, which is generally expressed in a cryptocurrency, such as Bitcoin. This is due to the fact that the transactions made with this virtual currency cannot be easily traced, since it is not possible to identify the parties involved or the movements they make with it.
This encryption process is carried out through a computer virus known as Ransomware, which is generally obtained by downloading a file attached to an e-mail or by downloading a file or software through a web page. This file encrypts the information contained in the computer or mobile device (Android operating system) preventing the user from accessing it.
These cases have already occurred in several Colombian companies, many of which are located in Medellín.
Although it is important to take into account that the Congress issued Law 1273 of 2009, which modifies the Criminal Code and creates new criminal offenses that penalize computer crimes, it is not known -when filing the corresponding criminal complaints-, due to the atypical nature of the case, whether the perplexity of the victim company or of the official receiving the complaint is greater.
In the same line, the National Police has a unit specialized in computer crimes called "Cyber Police Center" which is in charge of studying the different modalities of Cyber Crimes, receiving reports of computer crimes, among others.
Not unrelated to all of the above, the Newspaper El Tiempo, published last April 2, 2017, the story of four cases out of the 22 that have been presented until February 28, 2017, of companies and individuals who were victims of the Ransomware virus.
By virtue of the above and taking into account that IT security is an indispensable business and personal need, below are listed some recommendations that should be taken into account to prevent the loss or hijacking of the most important intangible asset of the company:
- Implement a continuous internal process of making "back-up" backup copies of the company's relevant information, by means of independent storage devices, which should not be in contact with the web.
- Give instructions for the downloading of programs that are not authorized by the company or of dubious reputation;
- In the case of e-mails, in case their origin generates doubts, refrain from opening them and downloading their attachments before validating with the sender the information contained therein.
- To have an antivirus provider that has the capacity to back up the information in accordance with the size of the company.
Finally, it is advisable for each company to receive specialized advice on how to manage its own cyber risks, as each company is different and has different levels of exposure to the risk of cyber attacks or information hijacking. It is also important to check whether the company's insurance policies cover this type of risk, since it is normal that, when suffering a cyber attack, the businessman finds that this type of risk was not covered or was expressly excluded from the policy's coverage.