Cybersecurity is no longer a concern exclusive to the IT department: it is a top-tier business risk with economic, reputational and legal consequences. The question every organisation must accept today is not whether it will suffer an incident, but when—and how prepared it will be to detect it and respond. This article walks through the two inseparable halves of modern defence: prevention—the barriers that reduce the probability of an attack—and response—the disciplined process that limits the damage when the barrier breaks.
The current paradigm: from the wall to "zero trust"
For decades, security was conceived as a castle: a perimeter wall (the firewall) protected a trusted interior. That model has become obsolete. Remote work, the cloud and distributed services have dissolved the perimeter, and the attacker who manages to get in moves freely on the inside. The sector's answer is the Zero Trust architecture ("never trust, always verify"), formalised in publication NIST SP 800-207: every access to every resource is authenticated and authorised individually, regardless of whether the request comes from inside or outside the network. The operating principle is least privilege: each user and each service receives only the permissions strictly necessary.
Complementary to Zero Trust is the principle of defence in depth: instead of a single impregnable barrier, layers of control are stacked (network, identity, endpoint, data, application) so that the failure of one does not compromise the whole system. The useful metaphor is no longer the castle with a single wall, but the airport: access control to the premises, identity verification, baggage scanning and surveillance at the boarding gate, each operating independently of the others.
Knowing the adversary: the MITRE ATT&CK framework and attack surface management
Defending blindly is inefficient. That is why mature teams rely on frameworks that catalogue how attackers actually operate. MITRE ATT&CK is a public knowledge base that documents the tactics and techniques observed in real incidents—from initial access to data exfiltration—and lets an organisation map its controls against the adversary's real behaviour, identifying gaps in its coverage.
In parallel, attack surface management starts from an uncomfortable premise: you cannot protect what you do not know exists. An up-to-date inventory of assets—servers, internet-facing services, accounts, software dependencies—is the foundation of everything else, because the forgotten, unpatched asset is precisely the door the attacker finds open. Periodic vulnerability assessment and controlled penetration testing (pentesting) turn that inventory into a living picture of real risk, rather than a still snapshot that ages from the day it is taken.
Layers of prevention: the technical barriers
Prevention is built by stacking complementary controls:
- Firewall and network segmentation: filters traffic and divides the network into zones, so that a compromise in one segment does not spread to the rest.
- IDS/IPS: the intrusion detection system (IDS) observes and alerts on suspicious traffic; the prevention system (IPS) additionally blocks it actively. They operate on known signatures or on behavioural anomaly detection.
- Multi-factor authentication (MFA): adds a second factor to the username and password. It is, by far, the highest-impact-per-cost measure for stopping credential theft.
- Encryption of data in transit and at rest: protects the information even if an attacker gains physical or logical access to the storage.
- Patch management: most breaches exploit known vulnerabilities for which a patch already existed. Keeping software up to date neutralises a huge share of the risk.
- EDR/XDR: endpoint detection and response tools that monitor the behaviour of each device and allow it to be isolated when faced with a threat.
The human factor and the most frequent threats
No technical barrier compensates for an employee who clicks a malicious link. Phishing and social engineering remain the predominant entry vector, and that is why staff training and awareness are a security control in their own right, not an add-on. Among the threats that hit organisations hardest are:
| Threat | Mechanism | Priority control |
|---|---|---|
| Ransomware | Encrypts the data and demands a ransom | Isolated backups (3-2-1 rule) and segmentation |
| Phishing | Deception to steal credentials or run malware | Training + MFA + email filtering |
| Supply chain attack | Compromise of a software supplier | Dependency inventory and integrity verification |
| Denial of service (DDoS) | Resource saturation to bring the service down | DDoS mitigation and CDN |
| Insider threat | Abuse of privileges from within | Least privilege and audit logging |
Incident response: the NIST process in six phases
When prevention fails, what makes the difference is the capacity to respond. The reference guide NIST SP 800-61 structures incident handling into phases that every organisation should have documented in a response plan before it needs one:
- Preparation: define roles, tools, communication channels and playbooks. This phase is done in calm time, not during the crisis.
- Detection and analysis: identify that something anomalous is happening and determine its scope. Here observability (centralised logs, SIEM) is decisive.
- Containment: isolate the affected systems to halt the spread, first in the short term and then in a sustained way.
- Eradication: eliminate the cause: malware, compromised accounts, exploited vulnerability.
- Recovery: restore services from a clean, verified state, watching that the attacker does not reappear.
- Lessons learned: a post-incident analysis to improve controls and the playbook. The incident that teaches nothing is doomed to repeat itself.
European regulatory framework: NIS2, GDPR and mandatory notification
Cybersecurity in the EU is also a legal obligation. The NIS2 Directive (EU 2022/2555) considerably expands the number of sectors and entities required to adopt risk management measures and to notify significant incidents to the competent authority within very strict deadlines. For its part, the GDPR requires, in the event of a personal data breach, notification to the supervisory authority (in Spain, the AEPD) within a maximum of 72 hours from becoming aware of it, and communication to those affected when there is a high risk to their rights. Having identified who notifies, whom and within what deadline is part of the preparation phase: improvising this during an incident guarantees non-compliance.
Common mistakes in the security posture
- Backups connected to the network: modern ransomware searches for and also encrypts accessible backups. Without isolated copies (offline or immutable), paying the ransom becomes the only option.
- Confusing prevention with response: investing everything in firewalls and nothing in a response plan leaves the organisation paralysed on the day of the incident.
- Not testing the backups or the plan: a backup that has never been restored and a plan that has never been simulated are documentary fiction.
- Forgetting the human factor: the most expensive technology falls to a single click; without continuous training, the human link stays open.
- Ignoring the legal notification deadlines: discovering the GDPR's 72 hours or NIS2's deadlines during the crisis adds penalties to the technical damage.
Frequently asked questions
What is the 3-2-1 backup rule?
Keep at least 3 copies of the data, on 2 different types of media, with 1 of them off-site or isolated from the network. It is the most effective defence against ransomware, because it guarantees a clean copy that is out of the attacker's reach.
Is multi-factor authentication really essential?
Yes. It stops the vast majority of attacks based on stolen credentials, which are one of the most exploited vectors. Its ratio of implementation cost to risk-reduction impact has no equivalent among security measures.
What is the difference between IDS and IPS?
The IDS (detection) observes traffic and generates alerts without intervening; the IPS (prevention) acts inline and actively blocks malicious traffic. The IDS warns, the IPS stops. Many modern solutions combine both functions.
Does an SME need an incident response plan?
Yes, and precisely because of its lesser capacity to absorb the blow it needs one more. It does not have to be lengthy: a document that defines who decides, how a system is isolated, where the backups are and whom to notify, reviewed and simulated periodically, is enough.
Conclusion
Effective security does not consist of being impregnable—no one is—but of reducing the attack surface with layers of prevention and, above all, of shortening the time between an incident occurring and being contained. A resilient organisation is one that has accepted it will be attacked, has isolated its backups, has trained its people against phishing and has written down and rehearsed what it does in the first hours, including whom to notify in order to comply with NIS2 and the GDPR. Prevention buys time; a well-prepared response turns a catastrophe into a manageable incident. At Summum Systems we help design Zero Trust architectures and write and simulate incident response plans aligned with European regulation.