Cybersecurity: preventing and responding to attacks

·

Cybersecurity is no longer a concern exclusive to the IT department: it is a top-tier business risk with economic, reputational and legal consequences. The question every organisation must accept today is not whether it will suffer an incident, but when—and how prepared it will be to detect it and respond. This article walks through the two inseparable halves of modern defence: prevention—the barriers that reduce the probability of an attack—and response—the disciplined process that limits the damage when the barrier breaks.

The current paradigm: from the wall to "zero trust"

For decades, security was conceived as a castle: a perimeter wall (the firewall) protected a trusted interior. That model has become obsolete. Remote work, the cloud and distributed services have dissolved the perimeter, and the attacker who manages to get in moves freely on the inside. The sector's answer is the Zero Trust architecture ("never trust, always verify"), formalised in publication NIST SP 800-207: every access to every resource is authenticated and authorised individually, regardless of whether the request comes from inside or outside the network. The operating principle is least privilege: each user and each service receives only the permissions strictly necessary.

Complementary to Zero Trust is the principle of defence in depth: instead of a single impregnable barrier, layers of control are stacked (network, identity, endpoint, data, application) so that the failure of one does not compromise the whole system. The useful metaphor is no longer the castle with a single wall, but the airport: access control to the premises, identity verification, baggage scanning and surveillance at the boarding gate, each operating independently of the others.

Knowing the adversary: the MITRE ATT&CK framework and attack surface management

Defending blindly is inefficient. That is why mature teams rely on frameworks that catalogue how attackers actually operate. MITRE ATT&CK is a public knowledge base that documents the tactics and techniques observed in real incidents—from initial access to data exfiltration—and lets an organisation map its controls against the adversary's real behaviour, identifying gaps in its coverage.

In parallel, attack surface management starts from an uncomfortable premise: you cannot protect what you do not know exists. An up-to-date inventory of assets—servers, internet-facing services, accounts, software dependencies—is the foundation of everything else, because the forgotten, unpatched asset is precisely the door the attacker finds open. Periodic vulnerability assessment and controlled penetration testing (pentesting) turn that inventory into a living picture of real risk, rather than a still snapshot that ages from the day it is taken.

Layers of prevention: the technical barriers

Prevention is built by stacking complementary controls:

The human factor and the most frequent threats

No technical barrier compensates for an employee who clicks a malicious link. Phishing and social engineering remain the predominant entry vector, and that is why staff training and awareness are a security control in their own right, not an add-on. Among the threats that hit organisations hardest are:

Main threats and associated preventive controls
ThreatMechanismPriority control
RansomwareEncrypts the data and demands a ransomIsolated backups (3-2-1 rule) and segmentation
PhishingDeception to steal credentials or run malwareTraining + MFA + email filtering
Supply chain attackCompromise of a software supplierDependency inventory and integrity verification
Denial of service (DDoS)Resource saturation to bring the service downDDoS mitigation and CDN
Insider threatAbuse of privileges from withinLeast privilege and audit logging

Incident response: the NIST process in six phases

When prevention fails, what makes the difference is the capacity to respond. The reference guide NIST SP 800-61 structures incident handling into phases that every organisation should have documented in a response plan before it needs one:

  1. Preparation: define roles, tools, communication channels and playbooks. This phase is done in calm time, not during the crisis.
  2. Detection and analysis: identify that something anomalous is happening and determine its scope. Here observability (centralised logs, SIEM) is decisive.
  3. Containment: isolate the affected systems to halt the spread, first in the short term and then in a sustained way.
  4. Eradication: eliminate the cause: malware, compromised accounts, exploited vulnerability.
  5. Recovery: restore services from a clean, verified state, watching that the attacker does not reappear.
  6. Lessons learned: a post-incident analysis to improve controls and the playbook. The incident that teaches nothing is doomed to repeat itself.

European regulatory framework: NIS2, GDPR and mandatory notification

Cybersecurity in the EU is also a legal obligation. The NIS2 Directive (EU 2022/2555) considerably expands the number of sectors and entities required to adopt risk management measures and to notify significant incidents to the competent authority within very strict deadlines. For its part, the GDPR requires, in the event of a personal data breach, notification to the supervisory authority (in Spain, the AEPD) within a maximum of 72 hours from becoming aware of it, and communication to those affected when there is a high risk to their rights. Having identified who notifies, whom and within what deadline is part of the preparation phase: improvising this during an incident guarantees non-compliance.

Common mistakes in the security posture

Frequently asked questions

What is the 3-2-1 backup rule?

Keep at least 3 copies of the data, on 2 different types of media, with 1 of them off-site or isolated from the network. It is the most effective defence against ransomware, because it guarantees a clean copy that is out of the attacker's reach.

Is multi-factor authentication really essential?

Yes. It stops the vast majority of attacks based on stolen credentials, which are one of the most exploited vectors. Its ratio of implementation cost to risk-reduction impact has no equivalent among security measures.

What is the difference between IDS and IPS?

The IDS (detection) observes traffic and generates alerts without intervening; the IPS (prevention) acts inline and actively blocks malicious traffic. The IDS warns, the IPS stops. Many modern solutions combine both functions.

Does an SME need an incident response plan?

Yes, and precisely because of its lesser capacity to absorb the blow it needs one more. It does not have to be lengthy: a document that defines who decides, how a system is isolated, where the backups are and whom to notify, reviewed and simulated periodically, is enough.

Conclusion

Effective security does not consist of being impregnable—no one is—but of reducing the attack surface with layers of prevention and, above all, of shortening the time between an incident occurring and being contained. A resilient organisation is one that has accepted it will be attacked, has isolated its backups, has trained its people against phishing and has written down and rehearsed what it does in the first hours, including whom to notify in order to comply with NIS2 and the GDPR. Prevention buys time; a well-prepared response turns a catastrophe into a manageable incident. At Summum Systems we help design Zero Trust architectures and write and simulate incident response plans aligned with European regulation.