Estevenson Solano

Senior GRC Consultant at Govertis, part of Telefónica Tech

Skeptical, curious and detail-oriented; a disruptive and emerging potential talent helping to transform your organization's cybersecurity posture through design and development capabilities for a cyber resilient technology architecture and infrastructure in a context where cyber attackers seek to compromise organizations systemically. I am your ally in cyberspace, activating human firewalls! "Never trust, always verify"

Telefónica Tech
Cyber Security
AI & Data
Genomic Cyber Security: protecting DNA data and privacy from biological and digital threats
It was a crucial morning for an advanced biotechnology lab when something unsettling was discovered through one of its sophisticated genomic research platforms—used to design life-saving treatments based on patients' deoxyribonucleic acid (DNA). The system had been silently compromised. No data was missing. Nothing had been deleted. While a "biological data breach" might have been suspected, instead a few bases in a cancer genome dataset had been altered. Subtly. Intelligently. Maliciously.

The intersection between genomics and Cyber Security is not just a technical matter—it’s a human one, with implications for identity, privacy, and trust in science.

At first, the alteration went unnoticed due to limited Cyber Security capabilities and was only flagged when an anomaly emerged during a clinical trial. The implications were terrifying: someone had manipulated the genetic code—not just the data. The attacker hadn’t stolen a genome; they had corrupted it. A few lines of synthetic DNA embedded with malware had passed through the lab’s sequencing system, enabling remote access to the research servers. The cyber threat was no longer just a virus or a data breach—it had crossed into the realm of biology.

Vulnerabilities and risks in genomic data protection

NIST defines genomic data as data generated from the study of the structure and function of an organism’s genome, which is composed of genes and other elements that control gene activity. Examples of genomic data include DNA sequences, variants, and gene expression information. Cyberattacks targeting genomic data can also harm individuals by enabling coercion for financial gain, discrimination based on disease risk, and loss of privacy through the exposure of kinship or hidden phenotypes, including health status, emotional stability, mental ability, physical appearance, and capabilities.

In addition to privacy risks arising from cyberattacks, other privacy concerns unrelated to Cyber Security may surface when processing genomic data. These risks may emerge when genomic data processing lacks sufficient predictability, manageability, and disassociability. Insufficient predictability can lead to privacy issues when individuals are unaware of how their genomic data is being handled. Insufficient manageability arises when there are no capabilities for granular control over genomic data; for instance, individuals may require the option to delete part or all of their genomic data from a dataset. Insufficient disassociability arises when raw genomic data is exposed instead of using appropriate privacy-enhancing technologies to extract only the necessary information without revealing the raw data. Each of these privacy risks may impact the ability to realise the benefits of genomic data processing.

As genomic data becomes a strategic asset, it is increasingly targeted by nation-states, cybercriminals, and companies with opaque intentions.

Genomic data lifecycle

Genomic data is generated through the study of the genome’s structure and function. This data is largely immutable, associative, and contains important information about individuals’ health, phenotypes, and personalities, as well as those of their relatives—both past and future. In some cases, small fragments of genomic data, even when stripped of identifiers, can be used to re-identify individuals, despite the fact that the vast majority of the genome is shared among humans.

[Figure: phases of the genomic data lifecycle and the attributes of each phase. Source: adapted and developed from NIST IR 8432, Cybersecurity of Genomic Data.]

Just like other sensitive data, genomic information can be intercepted, corrupted, overwritten, or deleted at any stage of its lifecycle—from creation to storage, analysis, and dissemination.
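As an added illustration of the lifecycle point above (code written for this edit, not taken from the article or from NIST IR 8432): a keyed integrity manifest that pins every record of a dataset to an HMAC-SHA256 tag, so that a single altered base is reported by name at the next hand-off instead of surfacing months later as a clinical anomaly. A plain checksum stored next to the data can be recomputed by whoever altered the data; the example assumes the HMAC key lives outside the data store (a KMS or HSM in practice). The FASTA records and the one-base change used in the drill are constructed test data.

```python
"""Keyed integrity manifest for a genomic dataset (added example).

Each FASTA record gets an HMAC-SHA256 tag computed with a key that lives
outside the data store, so anyone who can rewrite the dataset cannot simply
recompute the tags the way they could with a plain checksum file.
The sample records and the single-base tamper below are constructed test data.
"""
import hashlib
import hmac
import secrets

# Constructed sample: two short records, not real patient data.
SAMPLE_FASTA = """>sample01_chr17_region
ATGCGTACGTTAGC
>sample02_chr17_region
GGCTTAACCGGATT
"""


def parse_fasta(text):
    """Return an ordered list of (header, sequence) tuples."""
    records, header, seq = [], None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(">"):
            if header is not None:
                records.append((header, "".join(seq)))
            header, seq = line[1:], []
        else:
            seq.append(line.upper())
    if header is not None:
        records.append((header, "".join(seq)))
    return records


def build_manifest(key, fasta_text):
    """Map each record header to an HMAC-SHA256 tag over header and sequence."""
    manifest = {}
    for header, seq in parse_fasta(fasta_text):
        msg = f"{header}\n{seq}".encode()
        manifest[header] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return manifest


def verify(key, fasta_text, manifest):
    """Compare the current dataset against a stored manifest.

    Returns a list of findings naming each modified, missing or unexpected
    record; an empty list means the dataset is intact.
    """
    findings = []
    current = build_manifest(key, fasta_text)
    for header, tag in manifest.items():
        if header not in current:
            findings.append(f"missing record: {header}")
        elif not hmac.compare_digest(current[header], tag):
            findings.append(f"modified record: {header}")
    for header in current:
        if header not in manifest:
            findings.append(f"unexpected record: {header}")
    return findings


def mutate_base(fasta_text, header, position, new_base):
    """Constructed tamper for the drill: change one base in one record."""
    out = []
    for h, seq in parse_fasta(fasta_text):
        if h == header:
            seq = seq[:position] + new_base + seq[position + 1:]
        out.append(f">{h}\n{seq}")
    return "\n".join(out) + "\n"


def run_drill():
    """Build a manifest, alter a single base, and return what verify() reports."""
    key = secrets.token_bytes(32)  # in practice: held in a KMS/HSM, not beside the data
    manifest = build_manifest(key, SAMPLE_FASTA)
    assert verify(key, SAMPLE_FASTA, manifest) == []
    tampered = mutate_base(SAMPLE_FASTA, "sample01_chr17_region", 5, "A")
    return verify(key, tampered, manifest)


if __name__ == "__main__":
    print(run_drill())  # ['modified record: sample01_chr17_region']
```

In a real pipeline the manifest would be generated at each lifecycle hand-off (sequencing, storage, analysis, dissemination) and verified at the next, so a silent modification is caught at the boundary where it happened; verification with the wrong key flags every record, which is the expected behaviour when the manifest and the key do not belong together.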
Characteristics of genomic data

Genomic data shares characteristics with other forms of sensitive information and thus requires secure storage and transmission. However, this data possesses seven distinct attributes that, while not unique individually, form an intrinsically sensitive and valuable combination when considered together.

[Figure: the seven attributes of genomic data and their definitions. Source: adapted and developed from NIST IR 8432, Cybersecurity of Genomic Data.]

As genomic technologies evolve and become more integrated into healthcare, research, and consumer services, protecting genetic data becomes an even greater challenge. Unlike other types of personal information, DNA is immutable and uniquely identifiable, containing sensitive details about a person’s health, identity, and ancestry. A breach of genomic data not only compromises an individual’s privacy but could expose entire families to long-term risks such as discrimination, surveillance, or exploitation. The high value, uniqueness, and permanence of genomic information demand a new level of Cyber Security vigilance and ethical responsibility. Traditional Cyber Security models are not designed to address the permanence and familial scope of genetic information, highlighting the need for new paradigms.

DNA as a challenge and responsibility in the digital age

To address these risks, robust genomic Cyber Security capabilities must be developed, balancing innovation with privacy controls, consent, data sharing, and long-term storage. Governments, healthcare providers, genetic testing companies, and researchers must collaborate to establish secure infrastructures, clear policies, and global standards for the protection of genomic data. Ultimately, as we deepen our understanding of DNA, we must also ensure that its management is properly protected, so that advances in genomics do not jeopardize individual rights, social trust, or digital sovereignty.
September 15, 2025
Telefónica Tech
Cyber Security
AI & Data
How to assess AI maturity to maximize investment and ensure responsible adoption
In 2024, a global logistics company faced a dilemma: after investing in AI for predictive maintenance, automated route planning and customer analytics, its executives still lacked an answer to a key question: “Are we ready to trust AI for critical decision-making?” Although its AI models worked in most cases, it was unclear whether the organization had the infrastructure, governance, talent and capabilities needed in ethics, privacy, sustainability and Cyber Security to meet new regulations or prevent potential cyberattacks. What executives were really questioning was not the technology itself, but their company’s AI maturity. The lack of clarity on this aspect could create uncertainty in strategic decision-making in an environment marked by volatility, regulation, competition and connectivity.

■ AI maturity cannot be validated solely through documents or statements: it requires tangible demonstrations that practices, controls and governance mechanisms are operational and effective.

This uncertainty is common. Today, companies recognize that assessing their level and capacity of AI maturity is more of a strategic necessity than a luxury. This determination defines whether AI adoption remains limited to pilot projects or is integrated as a resilient, scalable and reliable component of the organizational DNA.

Why is it necessary to assess AI maturity?

A precise, clear and rigorous assessment of AI maturity provides organizations with a roadmap for investment, highlighting gaps and challenges between current capabilities and strategic ambitions. Without it, AI adoption risks becoming an expensive collection of disconnected experiments with unclear returns and, in the worst cases, a liability in terms of security, privacy, ethics, sustainability and compliance.

There are currently several AI maturity assessment instruments from organizations such as NIST, OWASP and MITRE, which aim to help companies evaluate, implement, guide and improve AI adoption from a practical perspective.

■ Objective maturity emerges when assessments are tested in real-world contexts —through performance, resilience under pressure and adaptability— rather than in theoretical frameworks disconnected from practice.

Frameworks and models for AI maturity assessment

NIST AI Risk Management Framework

The NIST AI Risk Management Framework can be applied adaptively to assess AI maturity from a risk-based perspective across its functions: Govern, Map, Measure and Manage. By framing AI maturity in terms of governance, reliability and socio-technical integration, this framework enables organizations to critically assess not only whether AI systems perform as expected, but also whether they are trustworthy, explainable, secure and aligned with ethical and regulatory expectations. This approach strengthens decision-making by linking maturity assessment to risk considerations, helping organizations identify gaps in resilience, accountability and transparency throughout the AI lifecycle. From a critical and analytical perspective, it transforms maturity assessment from a static compliance exercise into a dynamic process of continuous improvement, embedding risk awareness as a cornerstone of responsible AI adoption.

OWASP AI Maturity Assessment (AIMA)

The OWASP AI Maturity Assessment (AIMA) considers domains such as Accountability, Governance, Data Management, Privacy, Implementation, Verification and Operation, while evaluating whether AI systems align with strategic objectives, ethical principles and operational needs. It is based on the OWASP Software Assurance Maturity Model (SAMM). This model defines three maturity levels:

Level 1: comprehensive AI strategy with metrics.
Level 2: continuous improvement.
Level 3: optimization.

Applying AIMA allows organizations not only to evaluate AI readiness but also to identify gaps that could lead to ethical, operational or cyber security risks. It naturally enables a more evidence-based decision-making process, ensuring that AI adoption aligns with resilience goals, regulatory expectations and long-term sustainability. Thus, maturity assessment becomes a tool to prioritize investments, foster continuous improvement and build trustworthy AI ecosystems that balance innovation with security and accountability.

MITRE AI Maturity Model

In addition, the MITRE AI Maturity Model, together with its Assessment Tool (AT), is structured around the following domains, recognized as critical for successful AI adoption: Ethical, Equitable and Responsible Use; Strategy and Resources; Organization; Technology Enablers; Data; and Performance and Application.

[Figure: pillars and dimensions of the MITRE AI Maturity Model. Source: MITRE.]

These pillars and dimensions are evaluated across five readiness levels, adapted from the Capability Maturity Model Integration (CMMI), using qualitative and quantitative methods to describe hierarchical, scalable progress throughout AI adoption. Unlike ad hoc or narrowly focused assessments, this framework emphasizes maturity in governance, risk management, workforce readiness, operability and alignment with strategic objectives. Fundamentally, this approach enables organizations not only to benchmark their current state but also to identify gaps —such as ethical oversight, resilience and adaptability— often overlooked when AI is assessed solely through performance metrics. The model drives evidence-based decisions, linking AI maturity levels with organizational outcomes and presenting maturity development as a progressive process that requires aligning people, processes and technology, rather than a static goal. This elevates maturity assessment from a compliance checklist to a strategic tool for sustainable and responsible AI adoption.

Assessing AI maturity is key to resilience and responsible innovation

Evaluating maturity capabilities is no longer a theoretical exercise but a strategic necessity for organizations operating in an increasingly digital and interconnected environment. These assessments help companies understand not only where their AI initiatives stand today, but also how to align investments, governance and skills to deliver sustainable value in the future. By examining AI capabilities across dimensions such as data readiness, technology infrastructure, governance, security, talent and ethical adoption, organizations can transform maturity assessments into viable roadmaps for innovation and resilience.

■ In this sense, assessing AI maturity is not just about meeting requirements on paper, but about demonstrating through measurable actions that an organization is prepared to leverage AI responsibly, securely and sustainably.

Ultimately, assessing AI maturity is less about reaching a final destination and more about enabling a continuous journey of adaptation, accountability and trust. As AI systems advance and associated risks, opportunities and regulatory frameworks evolve, organizations that integrate maturity assessment into their strategic decision-making will be better positioned to deploy AI responsibly, strengthen resilience and achieve sustainable competitive advantage in the long term.
August 25, 2025
Telefónica Tech
Cyber Security
Space cyber security: threats, risks and key measures to protect assets in the aerospace era
The rapid expansion of space exploration, satellite networks, and commercial aerospace organizations has turned space into a critical domain for global security, communications, and economic infrastructure. However, this evolution is accompanied by a rising wave of cyber threats. Space assets are increasingly at risk—from state-sponsored cyberwarfare to the sophisticated capabilities of malicious actors.

I’ve had the opportunity to observe simulations of potential compromises to satellites or communications systems that could disrupt and amplify financial market instability, interfere with military operations, or even endanger human lives in space missions. Given what’s at stake, space Cyber Security is no longer a niche concern, but a strategic priority for nations, companies, and international government bodies.

Triad of assets: space-based, ground-based, and digital

These assets play a vital role in global and satellite communications and, as a result, are exposed to cyberattacks. This is why it’s urgent to implement robust measures to protect space-based, ground-based, and digital assets. People, processes, and the operating environment must not be overlooked if we are to ensure data integrity and safeguard operations. The field of aerospace cyber security needs to protect its operations as much as—or more than—any other system.

Space cyber security is the comprehensive protection of both space and ground assets—from satellites to human operators—against growing cyber threats. Today’s heavy reliance on space technologies for GPS navigation, telecommunications, weather forecasting, and military operations makes these systems attractive targets for cyberattacks. A single breach can cause widespread disruption.

Current threats: from malware to espionage

According to ENISA, several threats and risks have been identified, including jamming, spoofing, malware injection, ransomware, and direct cyber intrusions into control networks.

Nation-state actors can use their cyber capabilities to disable enemy satellites, disrupt communications, or steal sensitive data. Non-state actors, including cybercriminals and hacktivist groups, may target commercial satellites for financial gain, to support political causes, or to raise funds via third parties.

—For instance, a well-coordinated cyberattack on internet providers could disrupt global connectivity, affecting businesses, governments, and consumers alike.

It’s important to note that many satellites still rely on outdated security protocols, making them vulnerable to cyberattacks. Weak encryption in telemetry, tracking, and control (TTC) systems can allow adversaries to hijack satellite operations. Furthermore, ground control stations often run on legacy software lacking strong cyber security protections and configurations, creating an open door for attackers. Supply chain vulnerabilities further amplify the risk, as malicious actors can implant compromised components during the manufacturing of satellites, launch vehicles, or any related asset.

Space as the new battlefield

The recognition of space as a domain of warfare—alongside land, sea, air, and cyberspace—has led several countries to develop specialized military branches for space operations, including cyber capabilities to defend or disrupt space assets. A satellite cyberattack by a hostile actor could provide strategic advantage by disabling intelligence gathering, communications, or missile warning systems. This carries significant geopolitical implications, as space-based cyberattacks could escalate tensions and provoke international conflicts.

AI: ally and threat

Some emerging and disruptive technologies, like Artificial Intelligence (AI), play a crucial role in space cyber security. On one hand, AI-based security systems can detect and respond to threats in real time, providing autonomous protection to satellites and spacecraft. They also help improve encryption techniques and predict vulnerabilities before they’re exploited. At the same time, AI-powered cyber threats pose significant risks, as malicious algorithms could bypass defense mechanisms, automate large-scale cyberattacks, or manipulate satellite data to spread disinformation. The challenge lies in ensuring that this technology is used as a tool for defense—not a weapon in cyber conflicts.

Commercialization of space: new opportunities, new risks

Private sector investment in space technologies is driving the adoption of advanced cyber security measures, such as end-to-end encryption, AI-based anomaly detection, and zero-trust architectures. However, the rapid commercialization of space also brings new risks. The large-scale deployment of Low Earth Orbit (LEO) satellites increases the attack surface that cybercriminals could exploit. If a malicious actor gains control over even a single satellite—or an entire megaconstellation—they could disrupt the entire network and impact global internet connectivity.

Real-world impacts: from GPS to agricultural management

Satellite communications and GPS are critical for military operations, financial transactions, and global supply chains. A cyberattack on GPS satellites could disrupt navigation systems for aircraft, ships, and civilian and military vehicles. Similarly, tampering with Earth observation satellites could alter climate data, agricultural monitoring, or disaster response operations. The economic consequences of such attacks could be devastating, affecting industries ranging from logistics to finance.

Cyber security must evolve in step with space exploration. The cyber risks facing space assets are no longer hypothetical—they are real, damaging, ever-present, and growing. The safety of our digital and physical world depends on the integrity of our space infrastructure.
July 31, 2025
Telefónica Tech
Cyber Security
Personal cyber risks while travelling: tips to protect yourself on holiday
On the beaches of the Caribbean, between white and grey sands, the sea breeze blew gently as Lucía, Marcos, and Pilar, three young executives, enjoyed a cocktail on their hotel’s beachfront terrace. It was their first trip together in several months and, as is typical for their generation, they were constantly using their smartphones: snapping pictures, making payments through mobile apps, sharing content on social media, and connecting to the hotel’s free wifi to check emails and handle pending tasks. Until their peace was disrupted when Marcos received an unusual notification about unauthorized activity in his bank account. In just a few minutes, what had been an ideal holiday experience turned into a digital emergency.

What Marcos didn’t know was that he had fallen victim to a cyberattack while enjoying the sun, the sand, and a delicious piña colada. By connecting to unsecured public networks, sharing his location in real time, and accessing sensitive services without protection, he had left invisible doors open to cybercriminals. His story is not an exception, but a reflection of what happens to thousands of unaware travellers every year.

Are you ready to protect your time off without giving up a secure connection? Your holidays also have a digital component—protect them by following these recommendations.

Your privacy and security shouldn’t take a holiday, even if you do.

Public wifi networks

Avoid sensitive transactions: Need to check your bank account or make an online purchase? Use your mobile data or wait until you're connected to a secure network.
—Public wifi networks (airports, cafés, hotels) are a hotspot for cybercriminals waiting to intercept your data.

Use a VPN: If you must connect to a public network, use a Virtual Private Network (VPN). It encrypts your connection and creates a secure tunnel for your data.
—It’s your digital shield in unfamiliar environments.

“Never trust, always verify.”

Disable auto-connect: Set your device to avoid automatic connections to open wifi networks.
—Always double-check which network you’re joining.

Your memories should live in photos, not in Cyber Security incidents.

Social media and geolocation

Delay your posts: Do you really need to announce your house is empty by sharing every step of your trip in real time? Wait until you’re back to post detailed photos.
—Cybercriminals use this information to plan theft or other malicious actions.

Disable geolocation: Review your app settings. Turn off the automatic geotagging feature on your photos and posts.
—Don’t give away your location—or your absence—to just anyone. Avoid oversharing information that could put you at risk.

Review your privacy settings: Before you leave, take a few minutes to check your social media privacy settings.
—Make sure only trusted contacts can see your content.

Travelling light doesn’t mean leaving digital security behind.

Lost or stolen devices

Use strong passwords and remote lock: All your devices (phone, tablet, laptop) should be protected with strong passwords and, if possible, two-factor authentication.
—Also enable remote lock or wipe options. If your device goes missing, you’ll be able to protect your data.

Back up your data: Before your trip, back up all important data.
—If you lose your device, at least you won’t lose your valuable photos and files.

Don’t store passwords: Avoid saving passwords in your browser or in unsecured notes.
—If your device falls into the wrong hands, don’t make it easier for attackers to access your accounts.

Protecting your data is also your responsibility.

Identity theft (phishing)

Verify the source: You receive an email from your hotel or a rental company asking you to confirm your details or make an extra payment. STOP. BREATHE.
—Don’t trust any email requesting sensitive information—always verify first.

Check the sender: Look carefully at the sender’s email address.
—A small typo or misspelling often reveals the scam. Don’t click on suspicious links.

Contact them directly: If in doubt, don’t reply to the email.
—Call the hotel or rental company directly using the official phone number from their website (not the one in the suspicious email) to verify the information.

Watch out for “last-minute deals”: Cybercriminals create fake websites that imitate travel agencies or airlines with irresistible offers.
—Before clicking, contact and verify through official sources.

Now, when Lucía, Marcos and Pilar travel, they enjoy a wonderful experience prioritising their digital security by staying calm, verifying before acting, and resisting urgency, ensuring their summer memories are filled with fun and relaxation, not cyber scares. Enjoying your holiday safely starts with you!
July 29, 2025
Telefónica Tech
Cyber Security
Protect your business before the holiday break: don’t leave the door open to cyberattacks
The office was almost empty, the systems had been shut down, and the atmosphere reflected the imminent summer break. Carlos, the manager of a small tech company, was carefully going over his final to-do list: notifications sent, billing up to date, systems disconnected, and “Out of Office” messages activated. Everything seemed under control. But what he didn’t know was that, while his employees were logging off to enjoy the summer, a cybercriminal was logging in… to his corporate network. Taking advantage of an unpatched system and a weak password forgotten on an exposed server, the attacker gained access effortlessly. When Carlos returned weeks later, he found encrypted files, halted operations, and a ransom note in his inbox.

Every year, hundreds of companies let their guard down during the summer, unknowingly leaving “digital doors” open. For attackers, these moments of disconnection are golden opportunities. And the worst part is that many incidents aren’t discovered until it’s too late.

How can you prevent your vacation from turning into a cyber crisis? Real peace of mind starts when security is guaranteed and prioritized.

Keys to a cyber-secure business during the holidays

Access review and management

Limit permissions: Before leaving, review who has access to which systems and data. Temporarily disable accounts of employees who no longer work with you or who won’t need access during your absence.

Update critical passwords: Remember that passwords should not be shared, and vacation time is a good moment to reset them upon return. And of course, make sure everyone is using strong passwords paired with two-factor authentication.

Document access permissions: Keep an up-to-date log of all system access and privileges. In case of an incident, knowing who can access what is crucial.

Check system access: Make sure you have access to all your work tools and that you remember your credentials.

Automated backups

Verify your backups: Ensure that your automatic backup systems are working correctly and that data is being stored in a safe and isolated location (off the main work network, in the cloud, or on an encrypted external drive).

Test your recovery: What good is a backup if you can’t restore it? Run a small recovery test before leaving. It’ll give you peace of mind knowing you can recover your data if something goes wrong.

Keep offline copies: Consider creating a “cold” or offline backup of your most critical data, disconnected from the network. This adds protection against ransomware attacks that could also encrypt online backups.

System and software updates

Install all updates: Before closing, make sure all operating systems (Windows, macOS, Linux), applications (office tools, browsers, accounting software), and security tools (antivirus, firewall) are fully updated. Patches fix vulnerabilities that cybercriminals look to exploit.

Disable unused services: If there are services or apps that won’t be needed during your time off, deactivate them to reduce the attack surface.

System hardening: Strengthen your systems by hardening their configurations and following the principle of “least privilege.” Also, ensure antivirus solutions are in place to reinforce your security measures.

Remote monitoring and critical alerts

Set up alerts: If you have network or security monitoring systems, make sure that critical alerts are configured to be sent to a responsible person (yourself or a team member) even while you’re away.

Delegate responsibilities: Assign a point of contact (and a backup) who can respond to critical alerts or security incidents during your absence. Ensure they have all necessary information and access rights.

Contact lists for authorities and stakeholders: Keep a list handy in case you need to notify regulatory bodies or data protection authorities of any security or privacy-related incidents.
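To make the "Test your recovery" step in the Automated backups section concrete, here is an added example (written for this edit, not the article's own code) of a restore drill: it archives a directory, restores the archive into a scratch directory, and compares every file's SHA-256 digest with the live data, so the backup is proven restorable rather than assumed. It uses only the Python standard library, assumes a tar.gz archive format, and builds its sample files inside a temporary directory; the "stale backup" scenario at the end is constructed to show what a failed drill reports.

```python
"""Backup restore drill (added example, not the article's own code).

Creates a compressed archive of a directory, restores it into a scratch
directory and compares every file's SHA-256 digest with the live data, so the
backup is proven restorable rather than assumed. Standard library only; the
sample files are constructed inside a temporary directory.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def digest_tree(root):
    """Map each file (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Archive source_dir and return the digests a restore is expected to reproduce."""
    with tarfile.open(str(archive_path), "w:gz") as tar:
        tar.add(str(source_dir), arcname=".")
    return digest_tree(source_dir)


def safe_members(tar, dest):
    """Refuse archive entries that would land outside dest (path traversal)."""
    dest = Path(dest).resolve()
    members = []
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
        members.append(member)
    return members


def restore_test(archive_path, expected):
    """Restore into a scratch directory and report differences from expected.

    Returns a list of findings; an empty list means every file came back intact.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive_path), "r:gz") as tar:
            tar.extractall(scratch, members=safe_members(tar, scratch))
        restored = digest_tree(scratch)
    findings = []
    for path, digest in sorted(expected.items()):
        if path not in restored:
            findings.append(f"missing after restore: {path}")
        elif restored[path] != digest:
            findings.append(f"digest mismatch: {path}")
    for path in sorted(restored):
        if path not in expected:
            findings.append(f"unexpected file restored: {path}")
    return findings


def run_restore_drill():
    """Back up constructed sample data, test the restore, then show a stale backup.

    Returns (findings for a fresh backup, findings after the live data changed).
    """
    with tempfile.TemporaryDirectory() as work:
        live = Path(work) / "live"
        (live / "invoices").mkdir(parents=True)
        (live / "invoices" / "2025-07.csv").write_text("id,amount\n1,100\n")
        (live / "clients.txt").write_text("acme\nglobex\n")
        archive = Path(work) / "backup.tar.gz"
        expected = create_backup(live, archive)
        fresh = restore_test(archive, expected)
        # A file changes after the backup ran: the drill against current
        # digests shows the archive no longer matches what you would need back.
        (live / "clients.txt").write_text("acme\nglobex\ninitech\n")
        stale = restore_test(archive, digest_tree(live))
        return fresh, stale


if __name__ == "__main__":
    print(run_restore_drill())  # ([], ['digest mismatch: clients.txt'])
```

The drill restores to a scratch directory rather than over the live data, so it can be run before leaving without risk; the digest list returned by create_backup is the artefact to store with (or separately from) the offline copy, so the same comparison can be made after the break.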
Staff awareness

Security best practices reminder: If some employees will keep working, remind them of essential Cyber Security practices—especially if working remotely (use of VPNs, avoiding public networks, etc.).

Holiday phishing attacks: Warn your team about the increase in phishing attempts during holidays, often disguised as emails from suppliers, banks, or even colleagues.

Security culture: Promote the development of a strong security culture across the company to proactively enhance employee readiness and foster a prevention-focused approach.

⚠️ Going on vacation doesn’t mean putting your business security on airplane mode. For entrepreneurs and small businesses, your absence could be the perfect window of opportunity for cybercriminals.

In a world where cyberattacks don’t take time off, protecting your business before the break isn’t optional—it’s a strategic priority. Every preventive action—no matter how small—can make the difference between a peaceful holiday and a chaotic return. And the best part is that it’s not just about technology, but also about culture, foresight, and accountability. Because Cyber Security doesn’t take a vacation… and neither should you, without it.
July 23, 2025
Telefónica Tech
Cyber Security
AI & Data
AI sandbox: secure environments for evaluating and protecting Artificial Intelligence models
The dynamic nature of innovative and disruptive technologies is pushing companies to act swiftly to prevent gaps that could compromise security, financial stability, and privacy. But just how imminent are these associated or derivative risks, and what measures should organizations and governments take to proactively mitigate them? AI has become essential for both critical and non-critical systems, and is present in sectors ranging from finance and healthcare to national security. Moreover, it is deeply embedded in the fabric of socioeconomic and industrial development. However, its exponential growth and evolution are raising increasing concerns about risks related to Cyber Security, intellectual property, privacy, and others—including the ethical challenges associated with malicious actors. Dynamic shields against cyber threats, privacy issues and ethical challenges AI sandboxes have emerged as isolated environments that serve as essential tools to face these challenges, offering a dynamic, controlled, and secure space where AI models can be tested, analyzed, and protected before deployment. AI sandboxes allow for experimentation without causing repercussions outside the confined environment. These environments allow us to test AI models and systems against various cyber threats, performance demands, and ethical issues before deploying them in the real world. Unlike traditional software sandboxes—mainly used to analyze code, malware, or vulnerabilities—AI sandboxes are specifically designed to map situational heatmaps and the complexities of AI in both substance and form. Testing, threats and governance: the strategic role of isolated environments For developers, these environments make it possible to observe how AI models interact with different datasets, simulate potential cyberattacks, and identify flaws in their decision-making processes. 
A few weeks ago, I was assessing an AI environment to test a fraud detection system capable of accurately distinguishing between legitimate transactions and sophisticated fraud attempts, triggering compliance or due diligence alerts. By providing a secure space for experimentation, modeling, and analysis, these environments help ensure models function properly before integration into real-world systems. It’s important to note that AI-based systems are becoming prime targets for cyberattacks, and AI sandboxes are key to detecting and mitigating these threats by simulating real-world scenarios and evaluating how models respond.

AI under pressure: anticipating, detecting, and withstanding sophisticated attacks

In one of my recent analyses, I identified machine learning (ML) techniques used by malicious actors to manipulate AI models. In that environment, developers exposed models to adversarial inputs—subtle data modifications designed to deceive the system—to evaluate their resilience. For example, if an AI-based security system misclassifies a malicious email as legitimate, the sandbox allows the model to be adjusted and its defense reinforced. Detecting these gaps before deployment helps prevent consequences that could jeopardize the organization’s operations.

Strengthening governance and anticipating threats through simulation

Cyberattacks are among the most pressing threats to AI systems. They often involve injecting manipulated data to mislead models into making incorrect decisions. Scenario development is key to anticipating and understanding our environment and its potential changes. In fields like computer vision, small modifications to an image—imperceptible to humans—can cause an AI system to misclassify objects. For example, stickers on a “stop” sign could make an autonomous vehicle interpret it as a speed limit sign, with dangerous consequences.
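The adversarial-input evaluation described above, as an added example that is not part of the original article or of the author's sandbox: it assumes a hypothetical two-feature classifier (think of two risk scores extracted from an email), trains it on constructed data, and then measures for every test input how small a change would flip the model's decision. For a linear model that smallest change is exactly the distance to the decision boundary, so the "robust accuracy" figure below is what a sandbox review would report alongside plain accuracy before the model is promoted. All names, features and data are constructed for the illustration.

```python
"""Sandbox-style robustness check for a toy classifier (added example).

Trains a small logistic-regression model on constructed 2-D feature vectors
and measures, for each test input, how far it sits from the decision boundary.
That distance is the size of the smallest perturbation that flips the decision,
which is the quantity a sandbox evaluation reports before deployment.
"""
import math
import random

random.seed(7)  # constructed, deterministic sample data


def make_dataset(n=200):
    """Constructed sample: label 1 ("malicious") clusters around (2, 2),
    label 0 ("legitimate") around (-2, -2), each with unit-variance noise."""
    data = []
    for _ in range(n):
        label = random.randint(0, 1)
        cx, cy = (2.0, 2.0) if label else (-2.0, -2.0)
        x = [cx + random.gauss(0, 1.0), cy + random.gauss(0, 1.0)]
        data.append((x, label))
    return data


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))


def train(data, lr=0.1, epochs=300):
    """Plain batch gradient descent for two-feature logistic regression."""
    w, b = [0.0, 0.0], 0.0
    n = len(data)
    for _ in range(epochs):
        gw, gb = [0.0, 0.0], 0.0
        for x, y in data:
            err = sigmoid(w[0] * x[0] + w[1] * x[1] + b) - y
            gw[0] += err * x[0]
            gw[1] += err * x[1]
            gb += err
        w[0] -= lr * gw[0] / n
        w[1] -= lr * gw[1] / n
        b -= lr * gb / n
    return w, b


def predict(w, b, x):
    return 1 if w[0] * x[0] + w[1] * x[1] + b >= 0 else 0


def margin(w, b, x):
    """Signed Euclidean distance from x to the decision boundary."""
    return (w[0] * x[0] + w[1] * x[1] + b) / math.hypot(w[0], w[1])


def minimal_flip(w, b, x, overshoot=1.001):
    """Smallest perturbation that flips the label of x.

    For a linear model this is exact: move |margin| along the weight vector,
    scaled by a tiny overshoot so the point lands strictly on the other side.
    Returns the perturbed input and the L2 size of the perturbation.
    """
    norm = math.hypot(w[0], w[1])
    step = -(margin(w, b, x) / norm) * overshoot
    x_adv = [x[0] + step * w[0], x[1] + step * w[1]]
    return x_adv, abs(step) * norm


def robustness_report(w, b, test, budget):
    """Accuracy, plus the share of inputs that stay correctly classified under
    every perturbation of L2 size <= budget (robust accuracy). The gap between
    the two numbers is what a sandbox review flags as "accurate but fragile"."""
    correct = robust = 0
    for x, y in test:
        if predict(w, b, x) == y:
            correct += 1
            if abs(margin(w, b, x)) > budget:
                robust += 1
    return {"accuracy": correct / len(test), "robust_accuracy": robust / len(test)}


if __name__ == "__main__":
    w, b = train(make_dataset(200))
    test = make_dataset(50)
    for budget in (0.5, 1.0, 2.0):
        print("budget", budget, robustness_report(w, b, test, budget))
    x, _ = test[0]
    x_adv, size = minimal_flip(w, b, x)
    print("label", predict(w, b, x), "->", predict(w, b, x_adv),
          "after a perturbation of size", round(size, 3))
```

The report is deliberately two numbers rather than one: a model can score well on accuracy while most of its correct decisions sit within a small perturbation of the boundary, and it is that second figure that decides whether the model leaves the sandbox or goes back for hardening.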
Cyber Security teams in AI environments can generate adversarial models, patterns, and examples, and enhance defenses against cyberattacks. These environments also help address AI hallucinations—cases where Generative AI models produce false or misleading results—by testing and refining responses before actual use and deployment.

AI under scrutiny: regulatory frameworks and compliance testing

Acknowledging these risks, regulators have begun to establish frameworks to ensure the responsible use of AI. The European Union, through its AI Act, and NIST with its AI Risk Management Framework, highlight the importance of testing, transparency, privacy, and security—areas where sandboxes play an essential role. However, regulatory compliance doesn’t automatically equate to security, though it does help foster a structured environment of best practices for evaluating and mitigating risks. The AI Act, for instance, requires that high-risk systems undergo rigorous testing for bias, safety, ethics, and transparency before being deployed. Regulations provide appropriate safeguards in line with best practices for control, risk, ethics, and legal aspects.

AI in critical sectors: healthcare, finance and mobility

AI is increasingly integrated into critical applications such as medical diagnostics, financial fraud detection, and autonomous vehicles. Ensuring safe and reliable performance is paramount. Isolated environments allow for rigorous validation before these systems are integrated. In healthcare, for example, diagnostic imaging models may be biased if training data lacks diversity. Such bias, or an adversarial attack, could lead to incorrect diagnoses, endangering patients. Testing in sandboxes helps ensure accuracy across demographic groups, minimizing the risk of serious errors.
Technical and ethical challenges of AI sandbox environments

Designing effective sandboxes comes with challenges. Cyber threats are constantly evolving, and no environment can simulate every real-world scenario. In these environments, it's vital to balance security and usability: too many restrictions hinder innovation, while too few fail to catch vulnerabilities. By enhancing security and reliability, AI sandboxes help organizations build trust in AI systems and prevent potentially catastrophic failures. At the same time, ethical concerns arise when testing AI in these environments. Simulating cyberattacks could inadvertently create gaps that malicious actors exploit. Therefore, responsible and supervised use of these environments is crucial to avoid unintended consequences.

Threat intelligence: from analysis to defense reinforcement

AI environments can enhance and strengthen cyber threat intelligence capabilities by enabling detection and analysis of AI-specific threats. For example, they are used to test malware detection systems and ensure they can identify sophisticated cyberattacks. Improving these capabilities means stronger defenses. Moreover, Generative AI models—such as large language models (LLMs)—pose specific risks: disinformation, bias, and data leakage. Evaluating them in sandboxes helps detect these risks before they impact real-world environments. In a testing environment it is essential to assess risks before implementation through detailed, realistic, and objective analysis.

Security, transparency, and the future of responsible AI

In this era of AI enthusiasm, many want to adopt it without putting the right controls in place. The AI Act sets a clear line, and its enforcement regime leaves little room for improvisation. As I often warn: everyone wants AI, but few are ready to manage it as a strategic asset. We all want to embrace AI, but we fail to prioritize control: we see it as a business asset.
Developers must use these environments to prevent models from generating harmful or misleading content. To ethically evaluate AI models and conduct security testing, it’s critical to establish control mechanisms that mitigate risks linked to technologies like deepfakes, disinformation campaigns, and fraud. Trust in AI systems relies on transparency and explainability, enabling us to understand and justify their decisions. These environments help organizations test and document how models work, ensuring they operate fairly and transparently. For example, AI-based credit scoring models must be explainable to avoid discrimination and protect fundamental rights. Developers fine-tune them before they reach end users.

As AI evolves, sandboxes will be fundamental in building a future centered on security, privacy, ethics, governance, and compliance. Organizations that invest in them today will be better prepared to face challenges and complexity in an ever-changing landscape.
July 22, 2025
Cyber Security
Cyber security for remote work and mobility during holidays: work from anywhere — safely
The sun on your face, birdsong, the sound of the waves, and your laptop open to reply to a few emails. The line between leisure and work is becoming increasingly blurred, especially for digital nomads and remote employees who take advantage of holidays to change scenery without losing productivity. But are you aware of the risks of mixing the beach with remote work? That idyllic image can quickly fade if your corporate data ends up in the wrong hands due to a simple oversight.

Steve decided to mix work and leisure by renting a cabin by a lake in a coworking space in Asia. He used his mobile phone’s hotspot and set up his workspace on a terrace overlooking the forest. From there, he replied to emails, joined meetings, and managed documents in the cloud. However, at some point, his laptop started to malfunction: files became inaccessible, pop-up messages appeared, and the network connection was unstable. It was later discovered that he had used an unsecured network, which allowed unauthorized access to his corporate information.

These types of situations are becoming increasingly common in the age of hybrid work and hyperconnectivity. Mobility is a huge advantage, but also a fertile ground for invisible risks: unsecured public wifi, unprotected devices, poor digital practices... all of these can become a threat when working outside the controlled office environment or without proper security measures. Always keep your data and your company’s information safe, no matter where you are.

Public wifi networks

Avoid open public wifi networks in hotels, airports, cafés, or shopping centres—they are extremely unsafe for working. They’re breeding grounds for “man-in-the-middle” attacks, where someone can intercept your data by capturing network traffic. If you urgently need to connect to a public wifi network, always use your company’s virtual private network (VPN).
It encrypts your connection and ensures your communications remain private and secure, just as if you were in the office. If your company doesn’t provide one, consider a trusted personal VPN—but first check whether your company policies allow it. Whenever possible, use your smartphone’s mobile data connection. It’s much safer than any public wifi. You can use your phone as a hotspot for your laptop.

Personal and corporate devices

Only work on the laptop or devices provided by your company. They typically come with security configurations, encryption, and monitoring software. Don’t mix personal and professional life, and avoid accessing sensitive or classified company information from your personal devices—unless it’s absolutely necessary and you have been authorized to do so under strict security conditions. Never leave your devices unattended in public places (cafés, airports, hotel rooms). Take them with you whenever you leave or lock them away. Use security locks if available.

Encryption of sensitive information

Make sure your laptop’s hard drive (and if possible, your smartphone) is encrypted. If the device is lost or stolen, the data will be inaccessible without the encryption key. If you need to carry documents containing confidential information, store them in encrypted folders or use document management tools that offer encryption. Avoid using USB drives from unknown sources or plugging them into public computers. When using USBs, make sure they are encrypted.

Multifactor authentication (MFA)

Enable MFA wherever possible, and for your work accounts (email, VPN access, collaboration platforms, cloud software), always activate multifactor authentication (also known as two-factor or 2FA). MFA will ask you for a second verification method besides your password, such as a code sent to your mobile, a token, or a fingerprint. This makes it much harder for someone to gain unauthorized access, even if your password is compromised.
Situational awareness and a security mindset

Be wary of anything unusual: Phishing attacks (fake emails or messages) increase during the summer. Be suspicious of incredible offers, urgent banking notifications, or any message asking for personal data or prompting you to click suspicious links.

Be careful with public charging ports: Avoid charging your device via public USB ports (a tactic known as "juice jacking"). These can install malware or steal data from your device. Use your own charger or a power adapter.

Limit the information you share: If working in a public space, be discreet. Don’t speak loudly about confidential company matters, and make sure no one can see your screen.

Travelling or working abroad can be exciting and enriching, but it also involves risks that go beyond what’s visible. When visiting countries with high geopolitical tension, weak levels of Cyber Security, or active cybercriminal groups, you significantly increase your exposure—and your company’s—to digital threats. This is why, before connecting your devices abroad, it’s essential to be informed about the local context, follow enhanced Cyber Security protocols, and avoid practices that could compromise your data or corporate systems.

In today’s world of global mobility, digital security must travel with you. Before packing your bags and heading to a new destination, it's your responsibility to look beyond the dream landscape: Cyber Security is part of the journey too.
July 16, 2025
Cyber Security
Strategic foresight and plausible scenarios in Cyber Security
Today’s threats evolve rapidly, demanding emerging technological solutions and solid strategic planning. With cyber risks becoming increasingly complex and dynamic, it’s crucial that organizations are equipped to anticipate and respond to these challenges. But are they truly prepared? How does this impact cyber resilience? And what influence does it have on decision-making?

Strategic foresight is not about predictions.

In the era of digital transformation that fuels global interconnection, Cyber Security remains a key concern for organizations, governments, and society as a whole. Malicious actors' growing capabilities demand a proactive security planning approach. While traditional foresight relies on past data to predict future trends, patterns, and frameworks, strategic foresight explores a wide range of potential futures, helping develop anticipation, prevention, and preparedness capabilities. This calls for constant vigilance, a mindset shift, and a willingness to rethink our approaches and operating models—to imagine, reimagine, and reinvent ourselves. Not just to endure, survive, and succeed, but to rise to the challenges ahead. This isn't just about the future; it’s about enabling us to do what we can and must do, here and now—demanding that we enhance and develop our future, exponential, and systemic thinking.

The role of strategic foresight in Cyber Security

The European Commission defines strategic foresight as the discipline that explores, anticipates, and shapes the future to help harness collective intelligence in a structured and systemic way to anticipate change. It proactively identifies trends, risks, emerging issues, and their possible implications and opportunities to provide valuable input for strategic planning, policymaking, and preparedness. According to Michel Godet and Philippe Durance, one of the core principles of foresight is that building scenarios is not about predicting the future.
Any form of prediction is, as they argue, a deception. The future is not written—it is to be built. It is multiple, undetermined, and open to a wide variety of possible outcomes. Organizations deploy various defensive controls—firewalls, encryption, and, in some cases, zero trust architectures—to protect their digital assets. However, the dynamic cyber threat ecosystem demands more than reactive defenses. A forward-looking approach grounded in cyber resilience is now an essential ally.

Scenario planning in Cyber Security

The primary goal of adopting a strategic foresight approach is to enhance decision-making in the present by anticipating future possibilities. For it to be truly effective, strategic foresight must be closely aligned with an organization’s mission and goals. However, the benefits of this approach may not immediately be visible. That’s why strategic foresight implementation often hinges on effectively communicating insights, gaining stakeholder buy-in, and translating those insights into actionable plans. This process requires commitment—to bridge the gap between foresight and tangible outcomes, ensuring that long-term planning translates into meaningful, practical action. Scenario planning has become an indispensable approach to studying and communicating future paths' uncertainty and complexity. My experience in strategic foresight enables me to develop defensive skills and thoroughly assess cyberattack forms and connotations. Uncertainty is an inherent trait in the security landscape, challenging the effectiveness of defensive controls to adapt to this emerging, complex, and disruptive paradigm.

Strategic foresight methods and techniques

Strategic foresight involves using frameworks and methodologies to anticipate future challenges and opportunities. Scenario planning, horizon scanning, and the Delphi method are among the key techniques employed.
Scenario planning, for instance, involves constructing detailed narratives of different potential futures based on varying assumptions about key drivers and uncertainties. In Cyber Security, scenario planning helps forecast how emerging technologies or geopolitical shifts might impact threats, enabling the development of robust defense strategies. Scenarios are simulations of what the future could look like. Rather than attempting to predict exactly what will happen, they explore various possibilities by taking into account current trends, major shifts, emerging signals, unexpected events, and the broader context. These scenarios help us to understand and prepare for a range of potential futures, guiding us through uncertainty and enabling better decision-making by illustrating what may lie ahead. By shaping strategies and developing impactful policies, scenarios become a key tool in improving our understanding of change and strengthening strategic approaches. Plausible scenarios are those that could reasonably happen, based on what is happening today—here and now.

Illustration: Voros, J. (2003) A generic foresight process framework.

In his foresight and anticipation process framework, Joseph Voros outlines examples of types of alternative future scenarios that may be seen, as he puts it, as nested sets or classes of the future, moving from broad to narrow perspectives. In his view, every future is a potential future—even those we can’t yet imagine.

Potential: All conceivable futures, representing the full spectrum of possibilities beyond the present moment, grounded in the belief that the future is open and undetermined.
Preposterous: Futures that seem absurd or impossible—often dismissed as unrealistic, yet valuable for exploring the outer limits of what could be.
Possible: Futures that could happen, based on knowledge or technologies that may be discovered or developed in time.
Plausible: Futures that could reasonably occur, grounded in our current understanding of physical laws, social dynamics, the environment, context, and other known factors.
Probable: Futures that are likely to happen, often extrapolated from current trends and data.
Preferable: Futures we want to see happen, based on our values and norms—frequently contrasted with undesirable outcomes.
Projected: The “default” or “business as usual” future, representing a continuation of current trends with no major changes.
Predicted: The future someone claims will happen, often with a high level of confidence.

The relevance of strategic foresight in Cyber Security today

In my current work in applied cybersecurity, combined with strategic foresight and the construction of plausible scenarios, these tools are essential for enhancing readiness and anticipation capabilities in the face of current and future threats. By systematically analyzing potential future events, we can identify a wide range of emerging risks, thoroughly assess their potential impact, and design and test proactive mitigation strategies. In practice, this approach goes beyond traditional risk management, which often focuses on known threats and historical data. Instead, it emphasizes adaptability and resilience, bearing in mind that the cybersecurity landscape—the attack surface, the exposure surface, and cyberspace itself—is dynamically evolving at an exponential rate.

Conclusion

Strategic foresight has a wide-reaching impact on Cyber Security, enabling organizations to prioritize investments, allocate resources more effectively, and foster a culture of learning, unlearning, and relearning that supports continuous adaptation. In today’s sophisticated and interconnected environment, anticipating and preparing for both today, now, and tomorrow—present and future—becomes a strategic advantage. However, this approach also raises important questions about its implementation and effectiveness.
How can organizations balance the need for thorough preparation with the risk of overpreparing for unlikely scenarios? What role should public-private collaboration play in developing and sharing strategic foresight? These critical reflections underscore the importance of adopting foresight methodologies and rigorously evaluating and continuously improving their outcomes in response to the evolving threat landscape.
July 15, 2025
Cyber Security
NIS2 Directive (IV): the cost of non-compliance in Cyber Security
As we've seen in previous instalments of this series on the NIS2 Directive, organisations and companies that fail to meet the established requirements will face severe financial penalties, operational restrictions, and reputational damage that could undermine—or even worsen—their position in the market. These threats go far beyond fines: they represent existential risks to organisations.

Non-compliance leads to substantial financial penalties, scaled according to the severity of the breach and the classification of the entity involved. Fines of up to €10 million or 2% of global annual turnover apply to essential entities, and up to €7 million or 1.4% of global turnover for important entities. Unlike many other regulations, NIS2 ties penalties to global revenue, meaning that multinational organisations could face significant financial losses. Picture a company that fails to meet requirements: a lapse in Cyber Security could result in multi-million-euro fines, significant enough to impact profit margins and erode investor confidence.

Beyond fines: enforcement measures and legal consequences

But beyond financial penalties, the directive also foresees business restrictions, professional liability risks, and even shutdowns. Regulators are not limited to imposing fines—they have the authority to suspend business operations and hold executives accountable. Non-compliance may lead to:
Operational bans
Mandatory audits
Legal battles and lawsuits
Administrative fines
Disqualification from executive roles
Criminal liability
Civil lawsuits

Violations could even trigger forced restructurings or market exit, especially in highly regulated sectors. This underscores the fact that failing to comply can cause collateral damage, such as loss of corporate partnerships, termination of supplier contracts, and heightened scrutiny from regulators.
This reality makes it clear that Cyber Security is not just a technical issue: it is a strategic imperative that must be embedded into corporate governance. One key aspect is the responsibility of both executives and board members: they must ensure that cyber risk management is a top priority to avoid legal consequences, reputational damage, and other associated risks. Disregarding or stepping away from Cyber Security is a professional risk for executives.

The reputational cost of a breach

The financial and legal implications are serious, but the reputational impact can be even more damaging. In today's digital economy, trust is a competitive advantage, and a public Cyber Security breach can result in:
Loss of customers who turn to competitors with stronger Cyber Security practices
Erosion of trust among suppliers and partners, potentially leading to contract cancellations and supply chain disruptions
Investor scepticism, which can drive down share prices and shake shareholder confidence

Cyber Security breaches can quickly escalate into high-profile public crises, especially when they affect a large number of customers or disrupt essential services. The cost of rebuilding trust after a cyber incident is usually higher than the cost of early compliance with regulatory requirements.

A tougher regulatory environment

Regulatory bodies have already shown their willingness to enforce Cyber Security rules. A clear example is the GDPR, which has imposed multi-million-euro fines for data privacy and protection violations. Meanwhile, DORA is extending its scope in the financial sector. We are seeing a similar path with NIS2: regulators are likely to be extremely strict on enforcement. In the event of non-compliance, the question is not if there will be penalties, but when they will be imposed. Ensuring compliance and mitigating cyber risks requires a strategic and proactive approach.
Organisations must treat Cyber Security as a top-level priority, fully integrating it into their overall business strategy. This demands an integrated, cross-functional, and holistic mindset: no one should be left out of our digital strategies, and people are at the centre. Engagement across all areas of the organisation is essential to drive compliance initiatives, allocate resources, and promote a security-first culture.

Robust governance as a lever for resilience

Without solid governance (which we know can be challenging but also requires the right mindset to enable transformation and drive change), Cyber Security efforts and synergies may become fragmented, leaving organisations vulnerable to both fines and cyberattacks. The urgency to comply with NIS2 has never been greater. Beyond financial repercussions, last-minute audits and security reviews can disrupt operations and weaken competitive positioning. On the other hand, organisations that develop proactive capabilities in Cyber Security and compliance, with a focus on prevention and anticipation, will gain a strategic and competitive advantage by demonstrating resilience and reliability in the market.

Cyber Security as a strategic asset

Today, Cyber Security governance is a fundamental responsibility of the C-suite. From corporate governance (including boards of directors), investment in digital capabilities must be prioritised as a core element of risk management strategies. Embedding compliance into everyday operations strengthens the security posture, boosts stakeholder trust, and ensures long-term business sustainability. Compliance is no longer just about avoiding fines: it represents a key opportunity to build resilient, competitive organisations in a digital world. Those who treat Cyber Security as a strategic asset won’t just meet regulatory requirements—they will position themselves as leaders in security and trust. Ignoring compliance is no longer an option.
Organisations must act now to secure their future, mitigate cyber risks, and drive adaptive, sustainable growth in an increasingly complex and demanding digital environment.

MORE FROM THIS SERIES
NIS2 Directive (I): Rethinking Cyber Security in a complex and hyperconnected context (June 17, 2025)
NIS2 Directive (II): Cyber Security obligations and their impact on European businesses (June 24, 2025)
NIS2 Directive (III): Main obligations, security measures and key requirements (July 2, 2025)
July 8, 2025
Cyber Security
NIS2 Directive (III): Main obligations, security measures and key requirements
In response to the rise in cyber threats and increasing digital dependency, the NIS2 Directive sets out its guidelines to enhance the cybersecurity of critical infrastructures, while also ensuring supply chain cyber resilience and governance. Who is required to comply with the directive? What provisions must be followed?

It is important to note that the NIS2 guidelines cover a wide range of entities deemed either "essential" or "important". These entities may have fewer than 10 employees or more, and an annual turnover or balance sheet below or above 43 million euros, and must meet the established requirements. However, entities considered relevant to national security or economic stability—regardless of their size—may also be designated as subject to NIS2 obligations.

Entity classification and levels of supervision

Entities are classified into two groups based on their importance and potential impact:

Essential: These are subject to stricter regulatory supervision, including periodic audits and proactive cybersecurity assessments. Measures must be applied both “ex ante and ex post”, particularly in the event of cyber incidents, which may lead to suspensions, fines, or bans. It is crucial to consider the concept of “professional civil liability” for non-compliance.

Important: These face a less stringent enforcement regime, where actions are typically taken only after incidents or breaches are detected. Here too, the supervisory regime—led by qualified professionals—can be affected by “professional civil liability” in the event of non-compliance.

Key responsibilities in cyber risk management

Management bodies play a vital role, regardless of the classification of the entity, as failure to comply with the directive can have significant consequences. They are responsible for:
Approving the adequacy of cyber risk management measures.
Overseeing the implementation of cyber risk management measures.
Acquiring sufficient knowledge and skills to identify and assess cyber risks and their business impact.
Developing a culture of awareness and ongoing training across all levels of the organization.
Being accountable for non-compliance.

These responsibilities must materialize through the implementation of technical, operational, and strategic measures or controls that are proportionate to the level of risk, with the aim of preventing and minimizing their impact on the business and third-party supply chain services.

Sanctions and measures for non-compliance with the NIS2 directive

NIS2 also grants national regulatory authorities powers over affected entities following non-compliance. These powers include suspension, fines, the appointment of a supervisory officer, orders to inform involved parties, enforcement of corrective measures, and/or formal warnings for breaches. It is important to highlight that the temporary prohibition from holding executive functions for the CEO or legal representative would apply only to essential entities, not to important ones. Sanctions for non-compliance may include fines of up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% of global annual turnover for important entities.

Conclusion

The new financial and operational demands introduced by NIS2 are clear, including investments in technology, cybersecurity, training, and mandatory cyber insurance to mitigate the financial exposure resulting from a cyber incident. To align these compliance costs and efforts with business strategy, organizations must prioritize cyber risk quantification, cost-benefit analysis, and make strategic investments in robust, proactive cybersecurity.
MORE FROM THIS SERIES
NIS2 Directive (I): Rethinking Cyber Security in a complex and hyperconnected context (June 17, 2025)
NIS2 Directive (II): Cyber Security obligations and their impact on European businesses (June 24, 2025)
NIS2 Directive (IV): the cost of non-compliance in Cyber Security (July 8, 2025)
July 2, 2025
Cyber Security
NIS2 Directive (II): Cyber Security obligations and their impact on European businesses
The NIS2 Directive significantly expands the scope of cybersecurity obligations for companies and organizations, covering a wide range of industries and sectors across the European Union, regardless of their size (micro, small, medium or large) or whether they are public or private. For this reason, the directive refers to Recommendation 2003/361/EC to define the scope of application. It’s important to note that some smaller organizations are included, as the directive addresses both highly critical sectors and other critical sectors, where factors such as national security or economic stability are relevant, regardless of company size. Furthermore, it ensures that not only large organizations but also companies that play an essential role in society must comply with strict cybersecurity controls. You may be wondering: how does this affect me, and how is my organization subject to this regulation?

Impact of the NIS2 Directive on companies by size and sector

This depends on the distinctions established in Annex I and II, based on the criticality, sector, type of service, size, and other variables. Broadly speaking, organizations fall under two categories: essential entities or important entities. It’s worth highlighting that although requirements are strict, partial exemptions apply to SMEs that do not play a critical role in the national or EU-wide security landscape. Larger companies, depending on their classification, are subject to more frequent audits, tighter deadlines for cyber incident reporting, and a direct professional liability regime for senior management in cybersecurity-related incidents. It’s important to highlight that while SMEs that are part of critical infrastructure or supply chains may generally be required to comply with the directive depending on their sector and risk level, micro and small businesses are usually exempt, unless they provide critical infrastructure or services.
Cybersecurity control measures follow a risk-based approach, requiring organizations to implement technical, organizational, and governance controls, including: All measures must be proportional, based on risk, size, cost, impact, and severity of the incidents. They must also consider technical aspects and, where applicable, relevant European and international standards. Proportional measures and the management of significant incidents Essential entities are subject to greater regulatory scrutiny, including on-site audits, detailed risk assessments, and direct enforcement actions. Meanwhile, important entities must meet the same cybersecurity standards, but with less frequent monitoring and reporting obligations. In terms of incident management, an incident is considered significant if it has caused or may cause major operational disruptions or economic losses, or if it has affected or may affect other individuals or legal entities by causing material or immaterial damage. Notification obligations are as follows: It is worth noting that the 24-hour notification requirement compels organizations to enhance their monitoring and response capabilities, highlighting the need for increased investment in Security Operations Centers (SOCs) and threat intelligence. ■ Smaller organizations may face challenges meeting this requirement, potentially leading to compliance risks and sanctions. NIS2’s impact on organizations and cybersecurity management Severe non-compliance penalties include fines of up to €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% of turnover for important entities. At the same time, C-suite executives and board members can be held personally liable — professional civil liability — for failing to implement cybersecurity measures, and may even be temporarily disqualified from holding leadership roles. 
This, in turn, aligns cybersecurity with corporate governance, forcing executives to prioritize security investment and risk management. As a result, complying with NIS2 requires a strategic shift in Cyber Security investment management, encouraging greater investment in cyber risk management, advanced security technologies, third- and fourth-party assessments, compliance teams, and Cyber Security talent development. At first glance, large enterprises are better positioned to absorb these costs. However, smaller companies often face financial pressure and uncertainty due to the need for specialized personnel, cybersecurity infrastructure, and legal services. That said, the long-term benefits include stronger cyber resilience, reduced risk of financial losses from breaches, and enhanced stakeholder trust. ■ The NIS2 Directive strengthens cyber resilience capabilities and enhances supply chain security while reducing exposure to cyber threats from third countries. The directive influences cybersecurity policy beyond EU borders. MORE FROM THIS SERIES Telefónica Tech Cyber Security NIS2 Directive (I): Rethinking Cyber Security in a complex and hyperconnected context June 17, 2025 Telefónica Tech Cyber Security NIS2 Directive (III): Main obligations, security measures and key requirements July 2, 2025 Telefónica Tech Cyber Security NIS2 Directive (IV): the cost of non-compliance in Cyber Security July 8, 2025
June 24, 2025
Telefónica Tech
Cyber Security
NIS2 Directive (I): Rethinking Cyber Security in a complex and hyperconnected context
Cyber Security is a key component of any organization's strategy. We navigate a highly complex cyber landscape, as cyber threats have become systemic, transnational, and increasingly sophisticated. For this reason, the European Union (EU) has introduced the NIS2 Directive 2022/2555, which highlights the need for robust measures to strengthen cyber resilience capabilities. Cyberattacks targeting critical infrastructure, supply chains, and government institutions are increasing not only in frequency but also in impact, with financial, operational, and geopolitical consequences. Should organizations, then, rethink their entire approach to Cyber Security and cyber resilience?

Impact of the NIS2 Directive on governance and corporate Cyber Security

The NIS2 Directive is the EU's updated Cyber Security framework, replacing the NIS1 Directive 2016/1148 to address cyber challenges and threats as well as regulatory gaps and inconsistencies in implementation across member states.

■ The NIS1 Directive laid the groundwork for Cyber Security governance, though it was significantly affected by fragmented national implementations, exposing vulnerabilities in critical sectors.

As a result, the NIS2 Directive broadens its scope to cover more sectors, reinforcing security requirements and introducing stricter control mechanisms, including higher fines and executive accountability, in contrast to the flexible application of NIS1. The new directive enforces a unified, risk-based approach to ensure greater cyber resilience across the EU. It significantly expands the scope of regulated entities, going beyond traditional critical infrastructure sectors like energy, transport, and healthcare to include digital service providers, public administration, waste management, and manufacturing industries.

With this expansion, the EU acknowledges that modern cyber threats are not limited to traditional critical sectors but also affect interconnected or transnational supply chains and essential services. Organizations are now categorized as 'essential' and 'important', and must comply with strict Cyber Security measures. This reflects a shift in perception: Cyber Security is no longer just an IT issue, but a foundational pillar of business continuity, resilience, and risk management.

Measures and requirements to ensure cyber resilience

Accordingly, a set of minimum measures is introduced for cyber risk management that all in-scope entities must implement. These include identity and access management, encryption, strong authentication, supply chain security, and cyber incident response plans. This also requires ongoing monitoring, regular security assessments, and crisis management strategies to ensure that organizations can detect, respond to, and recover from cyber incidents effectively. In addition, compliance must be demonstrable, with clear governance documentation, making Cyber Security a board-level responsibility rather than a merely operational concern.

A key aspect of this directive is its emphasis on supply chain security, recognizing that many cyber incidents stem from third- and fourth-party vendor vulnerabilities. Organizations are now required to assess and manage risks across their supply chain to ensure technical and regulatory Cyber Security compliance. This shifts responsibility from merely protecting the technological infrastructure to actively overseeing the Cyber Security posture of third- and fourth-party vendors, transforming Cyber Security into a collective effort of capability and cooperation, rather than an isolated responsibility. However, enforcing security standards in complex global supply chains remains a significant challenge.

Penalties and executive accountability in Cyber Security

At the same time, stricter penalties are introduced to ensure compliance, with fines of up to €10 million or 2% of global annual turnover for entities classified as essential, and up to €7 million or 1.4% for important entities. Moreover, executives and board members may be held professionally liable for Cyber Security matters. These penalties underscore the shift of Cyber Security from an IT issue to an executive-level priority, requiring organizations to embed security into their governance frameworks. Governance, therefore, is no longer a technical or operational issue but a strategic and legal obligation across executive functions. Boards and executives must actively oversee cyber risk management, ensuring that decision-makers are informed about the corporate Cyber Security landscape, regardless of its current maturity, and about the potential impact of cyber threats.

Training, notification, and Cyber Security strategy

Executives are required to undergo Cyber Security training and may be deemed "professionally liable" for any non-compliance. This reflects a broader shift toward integrating Cyber Security into business strategy, pushing organizations to prioritize proactive management over reactive compliance. In addition, cyber incident notification requirements are very strict, compelling organizations to report significant cyber incidents.

■ It is essential not to view NIS2 as a burden. Organizations with a clear vision and mission in their strategies can use compliance with this regulation as a market differentiator. Proactively adopting and exceeding the established requirements enhances corporate cyber resilience, builds customer trust, and positions companies as sector leaders committed to security.

Strong Cyber Security practices can become a compelling value proposition for companies seeking to attract partners and customers who value security. Moreover, organizations that incorporate NIS2 compliance into a risk management strategy will be better prepared to adapt to future regulatory changes and confront cyber threats.

Conclusion

Beyond mere compliance, the shift in corporate cyber strategies represents a key moment in the evolution of Cyber Security governance in Europe, as the focus moves from isolated technical controls to strategic cyber resilience across organizations. It is important to emphasize that an organization's success with NIS2 will depend not only on compliance, but also on how well it adapts, innovates, and manages within an increasingly complex cyber environment. NIS2 fosters a Cyber Security culture centered on cyber resilience, innovation, and proactive cyber risk management.
June 17, 2025
Telefónica Tech
Cyber Security
Quantum supremacy and cyber risks: threats and strategies for resilient Cyber Security
Quantum Technologies (QT) are on the verge of redefining the technological landscape, promising significant advances in areas such as metrology, AI, and materials science. However, as with any transformative technology, quantum computing also entails considerable risks, particularly in the realm of Cyber Security. The ability of quantum systems to perform calculations at unprecedented speeds poses a threat to the cryptographic foundations that underpin today's digital world. The convergence of opportunities and risks in quantum computing calls for attention from governments, businesses, and Cyber Security professionals alike.

The new era of computing: what makes quantum computing different?

Quantum computing introduces a paradigm shift in computational power. Unlike traditional computers, which process data in binary bits (0s and 1s), quantum computers leverage 'qubits', a term coined by theoretical physicist Benjamin Schumacher, which can exist in multiple states simultaneously thanks to the principles of superposition and entanglement. This capability enables quantum systems to solve complex problems exponentially faster than traditional computers, revolutionizing optimization, drug discovery, and AI.

Cryptographic risks: an existential threat to digital security

However, this same power creates an existential cyber threat to today's encryption standards. Public-key cryptography, which underpins secure communications and digital transactions, is vulnerable to quantum cyberattacks capable of decrypting information that would take traditional computers millennia to crack. While quantum computing represents revolutionary advances, it forces the world to rethink Cyber Security strategies. Peter Shor's quantum algorithm, developed in 1994, can factor large numbers into their prime factors, a process traditional computers struggle with. This reveals its potential to directly undermine RSA encryption, whose security is based on the difficulty of prime factorization. Similarly, elliptic curve cryptography (ECC), used in secure communications and digital signatures, is also at risk.

The HNDL (harvest now, decrypt later) cyber threat refers to the possibility that cybercriminals may steal encrypted data today with the intent to decrypt it in the future, once quantum computers have reached the necessary capabilities. This means that sensitive financial, governmental, and personal information could be vulnerable in just a few years, rendering today's security measures insufficient against future cyber threats.

Global response: toward post-quantum cryptography

In response to quantum cyber threats, NIST is working on the development of post-quantum cryptographic (PQC) algorithms that are resistant to quantum cyberattacks, and is finalizing new encryption standards to replace RSA and ECC. However, the transition to encryption robust against quantum cyberattacks poses major challenges. Organizations must reassess their current security infrastructure, update protocols, and ensure backward compatibility, all while maintaining operational integrity. This could be particularly complex and challenging for sectors that rely on integrated and interconnected systems, such as banking and telecommunications, as well as in the OT environment, where hardware and software updates are costly and complicated.

New attack vectors: quantum AI and advanced signal processing

Beyond breaking encryption, these technologies introduce new risks. Cybercriminals could exploit machine learning driven by quantum intelligence to develop more sophisticated cyberattacks, automating vulnerability discovery and optimizing attack vectors. Quantum computing could also be applied in advanced signal processing, allowing malicious actors to breach security measures in encrypted communications across data, voice, video, and satellite. There is a convergence with AI that accelerates these risks, enabling the identification and exploitation of Cyber Security weaknesses more efficiently than ever before.

Quantum supremacy and digital geostrategy

Quantum technologies are poised to become the cornerstone of cyber warfare and intelligence operations. Several governments are investing in these technologies and recognizing their potential to enhance cryptographic capabilities and disrupt adversary communications. Quantum supremacy is becoming a key goal for state actors. The strategic implications are vast, as nations achieving advanced quantum decryption capabilities could jeopardize intelligence, disrupt financial systems, and undermine global stability. It is a high-stakes race for quantum dominance in terms of national security and geopolitical power.

Advanced solutions, persistent challenges

Quantum Key Distribution (QKD) is often presented as an advanced solution for communication security in the quantum era. This method leverages the principles of quantum mechanics to establish encryption keys that, according to the no-cloning theorem, are theoretically immune to tampering. While it enhances security, it is not a universal solution. It requires specialized infrastructure, is vulnerable to side-channel attacks, and does not protect data at rest or previously encrypted data exposed through HNDL strategies.

■ QKD is an essential tool in quantum security, and it must be complemented by strong, robust encryption standards.

Critical infrastructure and economic consequences

Some cyber threats could disrupt processes, invalidate signatures, and compromise systems. Meanwhile, critical infrastructure, including energy and telecom networks, faces the risk of quantum cyberattacks that could render essential services inoperable. Global supply chains, which depend on secure data exchange, could be compromised by quantum decryption capabilities. The economic consequences of failing to adopt quantum-safe security could be catastrophic, leading to financial instability, espionage, and national security vulnerabilities.

Recommendations: anticipating with strategy and talent

Organizations should take proactive steps to prepare for the post-quantum era:

- Conduct quantum cyber risk assessments.
- Adopt hybrid encryption models.
- Invest in training and specialized talent.

■ Developing a Cyber Security strategy today that is resilient to quantum technologies is essential to avoid improvising solutions when decryption capabilities become widespread.

Conclusion

It is important to act now to avoid being caught off guard. Emerging technologies like lattice-based cryptography, quantum random number generators, and AI-driven Cyber Security will shape the future of quantum security. Organizations must keep their security posture agile and constantly updated to adapt to these advancements. This represents both an unprecedented technological revolution and an imminent security crisis. The question is not whether quantum technology will disrupt Cyber Security, but when, and how prepared we will be.

Get our handbook on protecting data from the quantum threat

At Telefónica Tech we advocate for a cryptoagility-based strategy, enabling systems to adapt to new threats without disrupting operations.

■ We invite all organisations to access our complimentary handbook Strategic preparation for Post-Quantum Cryptography and take the first step towards a resilient cryptographic infrastructure ready for the quantum era.
June 9, 2025
Telefónica Tech
Quantum computing governance: balancing innovation, security, and global stability
Quantum computing is no longer a futuristic concept; it is an imminent technological revolution that will transform industries, economies, and Cyber Security. While its capabilities promise major advancements in fields such as cryptography, Artificial Intelligence, and complex problem-solving, it also introduces significant risks, such as the potential to break traditional encryption algorithms and create geopolitical power imbalances. Therefore, its governance is not just a technical challenge but also a strategic priority to ensure security, ethical use, and equitable access.

As nations, companies, and academic and scientific institutions join the race toward achieving quantum supremacy, it is necessary to ask: Who controls the development and deployment of these technologies? How do we safeguard global security while promoting innovation? And what governance models will shape the quantum era?

Key principles for responsible governance

When we talk about quantum computing governance or quantum technologies (QT), we refer to the frameworks, policies, and regulations that guide the development, deployment, and responsible use of these technologies. The World Economic Forum (WEF) defines the following governance principles:

- Transformative capabilities: harness these technologies and their applications for the benefit of humanity, while appropriately managing the associated risks.
- Access to hardware infrastructure: ensure broad access to quantum computing hardware.
- Open innovation: foster collaboration and a pre-competitive environment to accelerate technological development and practical applications.
- Awareness building: ensure that the general public and quantum computing stakeholders are aware, engaged, and informed to enable dialogue and decision-making under proper oversight in their respective domains.
- Workforce development and capacity building: build and maintain a workforce equipped for the quantum era.
- Cyber Security: ensure the transition to a quantum-secure digital world.
- Privacy: mitigate potential data privacy risks caused by quantum-powered theft and processing.
- Standardization: promote standards and roadmapping mechanisms to accelerate technological advancement.
- Sustainability: develop a sustainable future with and through responsible and continuous quantum computing innovation.

The core of governance lies in its impact on cyber resilience. Quantum computers have the potential to break widely used cryptographic protocols, rendering current security systems obsolete. Without a structured governance approach, adversarial states or malicious actors could exploit quantum advancements for harmful purposes, causing economic and financial losses, data breaches, and threats to national security. Establishing clear governance mechanisms ensures that innovation can thrive without compromising Cyber Security.

Quantum technologies, like AI, risk becoming a tool for geopolitical and economic dominance without proper regulatory conditions. Countries with advanced quantum capabilities could gain an asymmetric advantage in Cyber Security, finance, and military applications. To prevent a quantum divide, international collaboration and cooperation are essential to guarantee equitable access to resources and talent. It is crucial to establish guidelines regulating the use of quantum technology to prevent its concentration in the hands of a few organizations. Open-source quantum research initiatives, technology transfer and exchange agreements, and investment in quantum education in developing economies can help narrow the gap. Moreover, ensuring these technologies comply with international regulations on human rights and Cyber Security will help prevent misuse.

■ Quantum computers, particularly those implementing Shor's algorithm, can break widely used public-key cryptographic algorithms such as RSA and ECC. This is a known HNDL (harvest now, decrypt later) vulnerability.

To mitigate this, organizations must adopt quantum-resistant cryptography, or post-quantum cryptography (PQC). We have already seen this through the NIST development of post-quantum cryptographic algorithms, as governments and organizations prepare to transition.

The urgency of global quantum governance

Quantum governance demands the adoption of PQC algorithms across all critical industries or essential sectors, regulation for encryption updates and key management, and global cooperation to prevent quantum cyber warfare. Quantum cyber risk assessments must be conducted to evaluate how quantum computing could impact an organization's infrastructure and technological architecture. This includes:

- Identifying encrypted data management processes.
- Identifying vulnerable encryption protocols in existing systems.
- Implementing proactive cryptographic agility to enable systems to transition to quantum-secure encryption.
- Analyzing quantum cyber threats.

Governance highlights the need to develop a corporate roadmap for quantum transition, ensuring compliance with emerging and disruptive Cyber Security regulations before quantum threats materialize.

■ In the context of cyberspace operations, quantum computing introduces a reconfiguration and paradigm shift in cyber warfare and intelligence, as governments invest in quantum cryptography and quantum hacking capabilities to gain espionage and Cyber Security advantages. Nations with quantum supremacy will seek to gain the power to decrypt communications, leaving much exposed.

Conclusion

It is imperative to unite governance efforts, including the development of international treaties, Cyber Security and privacy guidelines to prevent the malicious use of quantum technologies in state-sponsored cyber conflicts, and the establishment of quantum arms control agreements that may be necessary to preserve global stability. These technologies will directly transform industries and society, which means governance must be driven by standardization, collaboration, quantum cloud computing services, international policy harmonization, talent and capacity development, and a resilient quantum socio-economic fabric. It is essential to ensure an ethical, secure, and viable quantum future. The time to act is now.

Get our handbook on protecting data from the quantum threat

At Telefónica Tech we advocate for a cryptoagility-based strategy, enabling systems to adapt to new threats without disrupting operations.

■ We invite all organisations to access our complimentary handbook Strategic preparation for Post-Quantum Cryptography and take the first step towards a resilient cryptographic infrastructure ready for the quantum era.

Main image (cc) IBM Quantum System One computer at the Voorhees Computing Center.
June 4, 2025
Cyber Security
Cyber Risk Quantification
Given the increasing relevance of cyber threats in the financial sphere, Cyber Risk Quantification (CRQ) has become a strategic necessity for organizations. Traditional risk assessments, often based on qualitative scales and subjective judgment, face challenges in delivering the level of accuracy and precision required by corporate governance. CRQ, in contrast, translates cyber risk into financial terms, enabling organizations—through C-suite leadership, corporate governance bodies and other stakeholders—to make data-driven decisions, justify cybersecurity investments, and integrate cyber risk into broader enterprise risk management frameworks. ■ Cyber Risk Quantification (CRQ) assesses, identifies, validates, measures and analyzes cyber risks using data along with mathematical and statistical techniques to quantify the financial impact and frequency of cyber threats, attacks, or incidents. According to the World Economic Forum (WEF), CRQ can be aligned with the Value at Risk (VaR) methodology. Cyber risk Quantification It’s still common to find cyber risk assessments that rely on qualitative methods using scales such as high, medium or low to evaluate threats and vulnerabilities. While this approach offers a general view of cyber exposure, it lacks precision and often fails to communicate risk in terms that corporate governance and the C-suite can act upon effectively. Cyber Security shifts from being a cost center to becoming a strategic asset when it delivers measurable value, drives accountability, and strengthens a culture of business resilience. CRQ helps prioritize Cyber Security investments based on potential monetary losses. Qualitative assessments need to evolve into quantitative ones, as organizations increasingly seek to allocate budgets more effectively, measure the ROI of cybersecurity initiatives, and meet growing legal and regulatory demands for quantifiable risk metrics. —For instance, imagine a company facing a potential ransomware attack. 
A qualitative assessment might simply label the risk as “high.” CRQ, on the other hand, would estimate the probability of the attack occurring, calculate the expected financial loss, and determine how mitigation efforts—such as cyber insurance or asset protection enhancements—could reduce that exposure. Several frameworks exist to support quantification, each with its own advantages. However, Factor Analysis of Information Risk (FAIR) stands out as one of the most widely adopted. It breaks cyber risk down into components such as frequency and loss magnitude, providing a structured, quantitative approach. Its strength lies in translating cyber risk into financial terms, making it an ideal tool to justify Cyber Security investments. Decision-makers often face challenges when prioritizing investments, assessing profitability, and justifying cybersecurity budgets. Methodologies and tools for cyber risk quantification Organizations aiming for more advanced capabilities can combine FAIR with other standards such as NIST, ISO, CIS, and even link it with tactical and technical indicators from cybersecurity operations and cyber intelligence. This results in a holistic risk management perspective. Key performance indicators (KPIs) and key risk indicators (KRIs) also play a crucial role. Common CRQ metrics include: Annualized Loss Expectancy (ALE): Expected yearly losses from cyber incidents. Financial risk exposure: The monetary value of potential cyber risks, based on probability and impact Mean time to detect (MTTD) and Mean time to respond (MTTR): Indicators of an organization’s ability to manage and mitigate threats Cyber Security ROI: Return on investment from cybersecurity initiatives Additional financial modeling techniques—such as Monte Carlo simulations and Bayesian analysis—help organizations quantify risk by estimating various cyberattack scenarios and their potential financial consequences. 
—For example, a company might simulate how a cyberattack would disrupt its supply chain and use this insight to determine whether investing in enhanced protection tools is worthwhile. ■ Unlike credit, market, or liquidity risks—whose financial models have matured over decades—cyber risk is dynamic, unpredictable, and influenced by adversarial behavior. Financial risks follow historical trends and market behavior, whereas cyber risk is driven by emerging threats, technological change, geopolitical factors, human actions, and specific organizational contexts. Integrating cyber risk into enterprise risk management Despite these differences, cyber risk should be embedded within enterprise risk management (ERM). CRQ can be used to translate cyber threats into financial exposure, allowing cyber risks to be managed alongside traditional business risks. For instance, some financial institutions include cyber risk in their Value at Risk (VaR) models to estimate potential cyber-related losses. Artificial intelligence, machine learning, and big data analytics enhance cyber risk quantification by enabling organizations to: Identify attack patterns from vast data sets. Predict threats based on past incidents. Automate risk assessments to improve accuracy and efficiency. Develop strategic foresight and forecasting capabilities. I’ve worked on projects where a financial institution sought to develop a cyber risk model based on AI to analyze ransomware trends and other attack vectors in the sector, aiming to predict the likelihood of being targeted. The model integrated threat intelligence, historical data, and technical indicators from cyber operations, which helped refine risk quantification and improved decision-making. Without quantifiable data, Cyber Security spending can become inefficient—overinvesting in low-impact threats or underinvesting in high-impact vulnerabilities. 
Cyber insurers and organizations with cyber insurance policies rely heavily on quantification to set premiums and define coverage. Key factors they consider include: Corporate cybersecurity posture. Management of cyber operations (incidents, attacks, and data breaches). Response capabilities. Industry and regulatory compliance landscape. Economic and financial sustainability, solvency, and liquidity. Interdependencies between cyber risk and other risk categories ■ Organizations with mature CRQ models can negotiate better cyber insurance premiums by demonstrating risk mitigation strategies and quantifying potential losses. The importance of quantification in Cyber Security Quantification is a living process that can be integrated into any cybersecurity framework that demands cyber risk management. This includes SEC cybersecurity rules, GDPR, NIS2, DORA, ENS, and others. It aligns with these frameworks by providing quantifiable risk metrics, making compliance efforts more structured, transparent, objective, and defensible. The C-suite and corporate governance increasingly require cost-benefit analyses to approve cybersecurity investments and resource allocation. Quantification enables CISOs to frame Cyber Security investments as financial decisions, such as demonstrating how a €2 million investment could potentially prevent €20 million in cyber losses. Translating cyber risks into financial terms improves communication between technical and executive teams, facilitating governance and the acceptance of strategic decisions. By aligning cybersecurity with business strategy through quantification, organizations ensure their cyber strategies meaningfully contribute to corporate resilience and financial stability. ■ Systemic cyber risks—such as widespread ransomware attacks or those targeting critical infrastructure—can negatively impact global economies. Quantification supports modeling cascading risk effects and identifying systemic vulnerabilities. 
In the financial sector, it enables simulation of how a cyberattack on the payments system could trigger global market contagion and affect other sectors.

Emerging technologies will redefine cyber risk quantification:
- AI models will enhance predictive analysis of cyber risks.
- Blockchain will strengthen data integrity in risk assessments.
- Quantum computing could introduce new risks—but also improve cryptographic security models.

As cyber threats continue to evolve, quantification has become essential for navigating the digital economy. It gives organizations the clarity and precision needed to manage cyber risk as a high-impact strategic business function.

Downloadable guide: Practical case study on cyber risk quantification

Following a ransomware attack, a hypothetical financial entity seeks to quantify the cyber risk affecting its online banking services. The attack encrypted transaction data and disrupted services. The organization uses ISO 27005 as its risk management framework, complements it with NIST 800-30 for qualitative risk assessment, and employs FAIR to quantify financial exposure. There is uncertainty around the potential financial loss caused by business interruption, recovery costs, legal and regulatory penalties, and strategic or reputational damage. As a result, the organization needs to assess the financial impact of the breach and determine the best strategy to mitigate the risk. Bayesian analysis and Monte Carlo simulations are also used.

■ Download the practical case study on cyber risk quantification →
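To show what a FAIR-style Monte Carlo quantification of the ransomware scenario above looks like in practice, here is an added example (not the model from the downloadable case study): it samples loss event frequency and loss magnitude, reports the annualised loss expectancy and a cyber VaR, and compares the untreated scenario with one where a control is funded. All scenario parameters, the control's assumed effect and its amortised annual cost are constructed assumptions.

```python
import math
import random
import statistics

# Constructed FAIR-style scenario: ransomware against an online banking
# service. Every number is an illustrative assumption, not a figure from
# the Telefónica Tech case study.
SCENARIO = {
    "lef_per_year": 0.8,     # loss event frequency: expected successful attacks per year
    "lm_low": 500_000.0,     # loss magnitude per event, 5th percentile (EUR)
    "lm_high": 8_000_000.0,  # loss magnitude per event, 95th percentile (EUR)
}

# Candidate control (e.g. immutable backups plus segmentation); effect is assumed.
CONTROL = {
    "cost_per_year": 400_000.0,  # assumed: 2M EUR investment amortised over 5 years
    "lef_reduction": 0.6,        # assumed: 60% fewer successful attacks
    "lm_reduction": 0.4,         # assumed: 40% smaller loss per event
}

Z_90 = 1.6449  # standard-normal quantile bounding a two-sided 90% interval


def lognormal_params(low, high):
    """Turn a calibrated 90% interval (P5..P95) into lognormal mu and sigma."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z_90)
    return mu, sigma


def poisson(rng, lam):
    """Sample a Poisson(lam) event count with Knuth's multiplication method."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < limit:
            return k
        k += 1


def simulate_annual_losses(lef, lm_low, lm_high, years=10_000, seed=42):
    """Monte Carlo over simulated years: annual loss = sum of per-event losses."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(lm_low, lm_high)
    losses = []
    for _ in range(years):
        events = poisson(rng, lef)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return losses


def risk_metrics(losses, confidence=0.95):
    """Annualised loss expectancy, cyber VaR at the given confidence, P(any loss)."""
    ordered = sorted(losses)
    idx = min(len(ordered) - 1, int(confidence * len(ordered)))
    return {
        "ale": statistics.fmean(losses),
        "var": ordered[idx],
        "p_any_loss": sum(1 for x in losses if x > 0) / len(losses),
    }


def control_analysis(scenario=SCENARIO, control=CONTROL, years=10_000, seed=42):
    """Compare the untreated scenario with the scenario after the control is applied."""
    base = risk_metrics(simulate_annual_losses(
        scenario["lef_per_year"], scenario["lm_low"], scenario["lm_high"], years, seed))
    scale = 1 - control["lm_reduction"]
    treated = risk_metrics(simulate_annual_losses(
        scenario["lef_per_year"] * (1 - control["lef_reduction"]),
        scenario["lm_low"] * scale, scenario["lm_high"] * scale, years, seed))
    benefit = base["ale"] - treated["ale"]
    # Return on security investment: net annual benefit relative to annual cost.
    rosi = (benefit - control["cost_per_year"]) / control["cost_per_year"]
    return {"baseline": base, "with_control": treated,
            "annual_ale_reduction": benefit, "rosi": rosi}


if __name__ == "__main__":
    result = control_analysis()
    for label in ("baseline", "with_control"):
        m = result[label]
        print(f"{label:13s} ALE={m['ale']:,.0f} EUR  VaR95={m['var']:,.0f} EUR  "
              f"P(loss)={m['p_any_loss']:.2f}")
    print(f"ALE reduction={result['annual_ale_reduction']:,.0f} EUR/year  "
          f"ROSI={result['rosi']:.2f}")
```

The VaR figure is the number that can be placed next to market or credit VaR in an ERM report, while the ROSI is the cost-benefit framing the C-suite asks for.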
May 28, 2025
Telefónica Tech
Anticipating the unthinkable: how can companies prepare for AI incident management?
AI systems are increasingly integrated into and transforming business environments due to their powerful capabilities. This growing integration underscores the need for robust, forward-looking incident management strategies. Traditional incident response approaches are no longer sufficient when it comes to managing the complexities of emerging and disruptive innovation technologies based on AI. It’s essential to keep in mind the unique features and particularities of AI—such as its nature, probability of errors, self-learning capabilities, and ability to operate autonomously—which highlight the need to rethink how incidents are managed.

AI systems are not like traditional systems. By their very nature, AI models rely on machine learning algorithms that predict or generate content by identifying patterns in large datasets, which makes them difficult to predict and control, often behaving in complex ways. AI is vulnerable to attacks by malicious actors and prone to errors, biases, and unintended behaviors.

The need for a holistic approach to AI management

Cyber incidents impact the confidentiality, availability, or integrity of data or information systems. In the case of Artificial Intelligence (AI), these cybersecurity dimensions are crucial. Moreover, organizations must have broad and visible oversight of AI systems throughout their entire lifecycle, which will facilitate a systemic and holistic approach to incident management. Following the approval of the AI Act regulation, many organizations have started defining their AI policies—though not always effectively—which creates gaps in their incident management and response strategies.

According to the OECD, every organization should first understand that AI is defined as: “A machine-based system that, for explicit or implicit objectives, infers how to generate outputs such as predictions, content, recommendations or decisions from received inputs, and which can influence physical or virtual environments.
AI systems vary in their levels of autonomy and ability to adapt after deployment.”

Implementing AI policies and strategies

Organizations are increasingly moving away from specifying what is not AI, which can lead to confusion when managing incidents. AI is now integrated into many applications, including traditional ones. It is therefore essential to consider AI’s scope within an entire system, including its dependencies and integrations, as these are key.

The Institute for AI Policy and Strategy (IAPS) proposes a high-level framework outlining a four-phase process inspired by National Institute of Standards and Technology (NIST) cyber incident response practices. These four phases—preparation, monitoring and analysis, execution, and recovery and follow-up—provide a structured approach to AI incident response.

Source: IAPS. End-to-end process for AI incident management

Phase 1: Preparation

- AI governance model: Establish clear governance models to streamline decision-making in critical situations, aligned with AI Act regulatory practices.
- Risk management: Improve readiness by integrating comprehensive risk assessments into AI security and privacy frameworks. This includes evaluating wider interdependencies across supply chains and ecosystems, whether third-, fourth-, or nth-party.
- Internal organizational capability: Develop tools, procedures, and decision-making frameworks to respond swiftly to incidents. This includes threat identification, corrective and mitigation actions, and defining response protocols.
- Continuity management: Define alternative solutions to reduce service disruption impact on users, ensuring resilience and reliability.
- Focus on cyber resilience: Expand readiness efforts to include proactive defense controls, threat intelligence sharing, and scenario-based simulations for AI-driven security incidents, including those without a “cyber” nature—privacy must also be considered.
- Crisis management: Implement a structured response plan that integrates AI incident management with broader strategies for cybersecurity, privacy, and business continuity.

Phase 2: Monitoring and analysis

- Data collection: Ensure adequate visibility of the AI model or system to collect data from various sources and assess its capabilities, behavior, and real-time use.
- Anomaly detection: Once data is collected, it’s crucial to analyze it to detect anomalies and classify incidents, escalating them to decision-makers for timely intervention.
- Integration with threat modeling: Relevant findings may be incorporated into threat modeling processes to strengthen security measures and enhance AI risk assessment maturity.

Phase 3: Execution

- Decision-making and mitigation actions: Once an AI incident is identified, determine corrective actions and implement necessary adjustments to the model or system.
- Regulatory compliance: Notify, alert, and coordinate with relevant regulatory authorities to ensure alignment with legal and industry standards.
- Impact mitigation: Consider implementing alternative measures and notifying stakeholders based on the model’s or system’s scope, aiming to prevent greater disruption even when downtime is minimal.

Phase 4: Recovery and follow-up

- Recovery and restoration: Focus actions on restoring affected AI models or systems to normal service functionality and maintaining business operations.
- Lessons learned: Conduct a thorough review of the incident to extract key takeaways and improve future response strategies. Use the findings to update policies, enhance AI governance, and apply best practices across the sector.
- External collaboration and cooperation: Sharing insights and information with regulators and industry partners boosts preparedness and aligns response strategies across the ecosystem.
■ You can consult several AI incident databases as useful information sources to gain a broad perspective on current trends, such as: MIT AI Incident Tracker, AIID AI Incident Database, AI Controversy Repository, MITRE AI Risk Database, OECD AI Incidents Monitor (AIM), DAIL The Database of AI Litigation, Label Errors Database, Goals, Methods, and Failures (GMF) and the Center for Security and Emerging Technology (CSETv1).

Conclusion

In an era where AI systems are increasingly embedded in critical operations, it is essential to have a solid incident response framework in place. As AI models and systems become more sophisticated and integrated into critical infrastructures, resilience is no longer optional—it’s fundamental. By implementing a structured approach that includes preparation, monitoring, execution, and post-incident follow-up, organizations can ensure rapid and effective response, while achieving sustainable improvements in security, privacy, and trustworthiness.

The future of AI incidents lies not only in reacting to them, but in anticipating them before they occur. However, true resilience goes beyond internal controls. The future of AI depends on proactive governance, continuous learning, and a commitment to adaptability, because in the fast-evolving landscape of Artificial Intelligence, the best defense is a prepared, responsive, and forward-looking strategy. Much like how brakes allow cars to go faster by giving drivers control, a well-designed AI incident response plan enables organizations to accelerate AI adoption by ensuring they can quickly address and recover from potential issues. With the right strategies in place, companies can harness AI power confidently, knowing they are prepared for any challenge that may arise.
May 21, 2025
Telefónica Tech
AI Risks: a comprehensive look at Artificial Intelligence incident management and security
AI is rapidly becoming an essential part of business operations, with significant potential to transform multiple industries. However, alongside its promises of efficiency, agility, and innovation, AI also introduces risks that companies must actively consider. These risks can range from algorithmic failures to AI-powered cyberattacks, making the landscape of potential AI-related incidents broad and unpredictable.

AI risks can range from algorithmic failures to AI-powered cyberattacks, making the incident landscape broad and unpredictable.

AI Incident classification and definitions

According to the OECD, an AI Incident is defined as an event, circumstance, or series of events in which the development, use, or malfunction of an AI system directly or indirectly causes actual harm—such as injuries to individuals, disruptions to critical infrastructure, violations of human rights, labor or intellectual property laws, or damage to property, communities, or the environment. This definition aligns with the European Union's Artificial Intelligence Act under the category of a Serious Incident.

By contrast, an AI Hazard refers to an event where an AI system has the potential to cause harm but hasn’t yet done so. If left unmanaged, such a hazard could evolve into a full-blown incident with serious consequences, and might also qualify as a Serious AI Hazard. The real danger arises when a risk materializes into tangible harm—to people, property, or the environment—thus constituting an actual incident.

Source: OECD. Classification of AI Incidents and Hazards by Damage Severity.

An AI Disaster is a severe AI incident that disrupts the functioning of a community or society to the extent that it challenges or overwhelms its capacity to respond using internal resources. The effects of an AI disaster can be immediate and localized or widespread and long-lasting.
A Near Miss is an event in which an AI system almost caused harm, but the damage was averted due to circumstantial factors rather than built-in safety measures.

Source: OECD. AI Incident Concepts by Level.

Source: OECD. Key Differences Between Incidents, Hazards, and Near Misses.

To illustrate these concepts, I participated in controlled testing for a globally impactful project on AI application in clinical or medical diagnostics.

An AI incident occurs when an AI system malfunction leads to actual harm, such as disruptions to critical infrastructure or violations of rights.

An example from the healthcare sector

A renowned hospital at the forefront of scientific and technological advances in healthcare sought to implement an AI-based diagnostic system to assist physicians in proactively identifying diseases through medical image analysis. This system was trained on large datasets to detect clinical and pathological conditions such as cancer, fractures, and infections. Throughout the process, we prioritized continuous evaluation of risks and potential failures associated with AI-related incidents.

Following my involvement in the project, I conducted an in-depth investigation after a Serious Incident. The incident involved an erroneous diagnosis that resulted in an incorrect low-risk prognosis for a patient who was, in fact, suffering from an aggressive disease.

The implementation of AI systems in healthcare must be accompanied by robust safety measures and incident management protocols to protect patients and uphold the integrity of healthcare operations.

This situation could have led to a critical delay in treatment, potentially worsening the patient's condition and causing irreversible harm. In evaluating the scenario, we always consider the standard diagnostic outcomes and processes without AI involvement for comparison. Following this, we officially identified the case as an AI Incident.
Root cause analysis revealed that a software update introduced an error into the algorithm, which increased the rate of false negatives in detecting the condition. This meant early-stage patients could be discharged without further testing, delaying essential treatment.

We also encountered Near Misses, where medical staff reviewed AI-generated results and noticed the system was misclassifying benign pathologies as malignant in patient scans. Medical professionals identified this issue in time to prevent unnecessary and invasive procedures.

■ In parallel, through the identification of Hazards, we discovered that the AI model exhibited biases in its training data, showing significantly better performance for certain patient groups while underperforming with others. This raises serious concerns about ethical and regulatory implications stemming from misdiagnoses.

Conclusion

AI highlights the critical intersection between Cyber Security, privacy, and data protection. Effective AI incident management requires not just technical oversight, but also comprehensive risk governance. As AI systems become increasingly embedded in business and societal functions, it's essential to implement thorough oversight, secure protocols, and control strategies, along with incident response frameworks that help prevent, detect, and mitigate risks. In the realm of AI, safeguarding outcomes depends on securing both the technology and the processes that govern it.

Ultimately, managing AI risks is not just about prevention—it’s about cultivating a culture of safety, accountability, and continuous improvement. This allows AI to thrive while minimizing harm. Only by confronting these risks head-on can we build a future where AI serves as a powerful tool for progress, innovation, and social good.
May 14, 2025
Cyber Security
The quantum deadline: data stolen today, decrypted tomorrow
Imagine a scenario in which a malicious actor intercepts or stores vast volumes of encrypted data—trade secrets, corporate and military intelligence, financial records—with no current means of decrypting it. For now, that data remains safe. But what will happen a decade from now, when quantum computers can crack today's encryption? That actor could retroactively decrypt everything, exposing years’ worth of confidential communications, transactions, and classified high-impact information—potentially undermining the interests and systemic operations of targeted organizations or nation-states.

This is, at its core, the Harvest Now, Decrypt Later (HNDL) cyber threat—a growing concern as quantum advancements accelerate. This threat highlights the urgent need for organizations to act today to prevent future breaches that could compromise national security, financial stability, and individual privacy. But have we truly considered how imminent these risks are, and what steps are necessary to mitigate them?

Quantum computing threat

Organizations must act now to prevent future security breaches that could endanger national interests, financial systems, and personal data. But how imminent is this threat, and what must companies and governments do to prepare?

HNDL refers to the practice where malicious actors—including nation-state agents—collect and archive vast troves of encrypted data secured by current-day algorithms, even though they lack the computational power to decrypt it today. The underlying premise of this strategy is simple: current cryptographic schemes will be rendered obsolete by future quantum computers, giving these actors the ability to decrypt and exploit stored data.

This line of reasoning exposes a growing concern. Encryption is the backbone of modern cybersecurity. If quantum attacks make it vulnerable, sensitive data confidentiality will be in jeopardy. What’s secure today may be compromised tomorrow.
Mathematician Peter Shor developed a quantum algorithm to factor large integers and solve discrete logarithm problems. These mathematical problems underpin widely used cryptographic systems like RSA and Elliptic Curve Cryptography (ECC). Shor’s algorithm is one of the main reasons quantum computing poses a direct threat to traditional encryption.

If your most sensitive data were exfiltrated today, how damaging would it be if decrypted in 10 or 20 years?

At present, classical computers struggle with these encryption schemes because factoring large numbers takes millions of years. But a sufficiently capable quantum computer running Shor’s algorithm could break RSA in hours—or even in a few minutes, making public-key cryptography obsolete in the near future.

■ This vulnerability creates an urgent need to adopt quantum-resistant encryption, well before quantum machines become commonplace.

The urgency of transitioning to post-quantum cryptography

The value of data theft extends far beyond the present, because many types of information remain strategically useful for decades. Financial records and credit card data, for example, can be exploited long after being stolen—enabling fraudulent transactions, social engineering, or identity theft.

Having worked closely with nation-state security and defense strategies, I can tell you: government secrets and intelligence reports—even if intercepted today—could have profound strategic implications if decrypted years later, exposing national security operations and geopolitical maneuvers to public scrutiny. In the healthcare sector, patient records hold highly sensitive personal data that could be weaponized for blackmail or used to defraud insurers in the future. And beyond that, intellectual property theft is a major concern. Confidential research, patents, and proprietary strategies could all be decrypted in the post-quantum era, creating severe economic and competitive disadvantages for victims.
Quantum decryption has staggering implications for industries like banking, healthcare, public administration, and other critical infrastructure sectors. Banks use encryption to protect online banking, digital transactions, and stock trading systems. Should quantum computers break traditional encryption, digital fraud and market manipulation could become widespread. Healthcare systems depend on encryption to safeguard patient data and medical research; a quantum breakthrough could expose medical histories and derail pharmaceutical innovation. Governments worldwide use encryption to protect military communications, diplomatic channels, and intelligence networks—core pillars of national security and sovereignty. If decrypted later, these could jeopardize entire defense strategies. Worse yet, large-scale decryption could disrupt global supply chains, erode trust in digital transactions, and facilitate pervasive state-sponsored espionage.

Are governments and institutions ready for the quantum threat—or are they underestimating the urgency of this transition?

Global initiatives in the transition to post-quantum cryptography

Some global efforts are already underway to counter quantum cyber threats. In the realm of R&D, Post-Quantum Cryptography (PQC) is gaining momentum, focusing on designing algorithms inherently resistant to quantum attacks. The U.S. NIST is leading efforts to identify and standardize such algorithms.

NIST advocates hybrid cryptography and emphasizes several key points:
- Digital signature algorithms and key-establishment protocols like RSA and ECC will no longer offer adequate protection by 2030.
- By 2035, digital signature families will no longer support 128-bit RSA or Edwards-Curve (EdDSA) signatures.
- By 2030, 112-bit RSA and ECDSA keys will be deprecated, making stronger, quantum-resistant methods essential.
- For organizations still using RSA and ECC, NIST recommends transitioning to Key Encapsulation Mechanisms (KEMs) for secure encryption.
- In hybrid digital signatures, organizations should adopt dual-signature schemes—signing with two or more algorithms per message to reinforce security.
- Block ciphers like AES, hash functions like SHA1, SHA2, SHA3, and eXtendable-Output Functions (XOFs) are integral to the quantum transition roadmap and future cryptographic architecture. These primitives are evolving to maintain robustness against quantum adversaries.

At the same time, NIST has laid out a roadmap emphasizing the need for cross-sector and international collaboration to create a cohesive, quantum-resilient infrastructure. This will demand cooperation, shared standards, and synchronized policy efforts. The European Union is taking parallel steps, while other nations may weaponize quantum capacity to strengthen offensive and defensive cyber capabilities—raising major national security concerns.

■ NIST has selected Kyber for encryption and Dilithium for digital signatures as primary candidates for quantum-resistant cryptography. Based on hard mathematical problems, these PQC algorithms will replace vulnerable systems like RSA and ECC to secure communications in a quantum future.

Will the quantum era redefine cybersecurity—rewarding those who invest in post-quantum resilience today?

Challenges in the transition toward post-quantum cryptography

Organizations face major hurdles when migrating to quantum-safe encryption. A primary obstacle is the overhaul of existing infrastructure to support new cryptographic algorithms across networks, databases, and software platforms. Most current systems are deeply embedded in RSA and ECC, making seamless transitions difficult.

Interoperability is another critical issue. Organizations must ensure that their systems remain compatible with partners, vendors, and clients who still use legacy cryptographic protocols. The transition also requires substantial investment in hardware, software, and talent development.
Many organizations lack the internal expertise needed to manage quantum-era cryptographic strategies, further complicating the landscape. Supply chain security must not be overlooked; ensuring that third- and fourth-party vendors adopt quantum-resistant standards is vital to ecosystem-wide resilience.

■ Organizations must take proactive steps to secure their data against future quantum threats. A critical concept is crypto-agility: designing systems capable of swiftly adopting new cryptographic standards as they become available.

Conclusion

Hybrid cryptographic approaches—combining traditional and post-quantum encryption—are essential during the transition period. A recommended first step is to build a cryptographic inventory: mapping all encrypted data, assessing its quantum vulnerability, and analyzing it through a practical risk lens.

The real question is: when will quantum cyber threats arrive? While the timeline remains uncertain, quantum computing experts estimate that cryptographically relevant quantum computers could emerge between 2030 and 2040. That said, the transition may take years, so organizations must prepare now. Any delay increases the risk that today’s sensitive data will be exposed once quantum systems become powerful enough to break conventional encryption.

I’ve worked on cyber-resilience strategies for the quantum era, incorporating adaptive cryptographic methods, continuous risk assessments, capacity-building, and global collaboration. The future of cybersecurity isn't just about protecting data today—but ensuring its integrity and confidentiality long into the future. Defining a robust strategy is imperative to meet the challenges of quantum computing.

Get our handbook on protecting data from the quantum threat

At Telefónica Tech we advocate for a cryptoagility-based strategy, enabling systems to adapt to new threats without disrupting operations.
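The cryptographic inventory recommended above can be turned into a first-pass HNDL exposure check. The following is an added example (not code from the Telefónica Tech handbook): each asset records the algorithm, how long its data must stay confidential and how long migration would take, and Mosca's inequality (shelf life plus migration time greater than the years until a cryptographically relevant quantum computer) flags the assets whose already-harvested ciphertext is at risk, using the article's 2030-2040 window as the horizon. The algorithm sets, sample inventory and recommended actions are constructed assumptions.

```python
from dataclasses import dataclass

# Public-key schemes whose hardness assumptions Shor's algorithm breaks.
SHOR_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "EdDSA"}
# Primitives on NIST's roadmap plus the PQC schemes the article names. Grover's
# algorithm only halves the effective strength of a symmetric key, so 256-bit
# symmetric keys and SHA-2/SHA-3 are treated as quantum-tolerant here (assumption).
QUANTUM_TOLERANT = {"AES-256", "SHA-256", "SHA3-256", "Kyber", "Dilithium"}
REDUCED_MARGIN = {"AES-128"}  # still usable, but loses its safety margin under Grover


@dataclass
class Asset:
    name: str
    algorithm: str
    key_bits: int
    shelf_life_years: float  # x: how long the protected data must stay confidential
    migration_years: float   # y: time needed to move this system to PQC


def years_to_crqc(assumed_crqc_year=2030, current_year=2025):
    """z: years until a cryptographically relevant quantum computer exists.
    2030 is the early end of the 2030-2040 window the article cites."""
    return assumed_crqc_year - current_year


def classify(algorithm):
    if algorithm in SHOR_VULNERABLE:
        return "shor-vulnerable"
    if algorithm in REDUCED_MARGIN:
        return "reduced-margin"
    if algorithm in QUANTUM_TOLERANT:
        return "quantum-tolerant"
    return "unknown"


def hndl_exposed(asset, z):
    """Mosca's inequality: ciphertext harvested today is at risk when x + y > z,
    i.e. the data must stay secret beyond the point an attacker can decrypt it.
    For signing keys the same window describes how long signatures must stay trustworthy."""
    return (classify(asset.algorithm) == "shor-vulnerable"
            and asset.shelf_life_years + asset.migration_years > z)


def assess_inventory(assets, z):
    """Return one finding per asset with a recommended next step (assumed playbook)."""
    findings = []
    for a in assets:
        cls = classify(a.algorithm)
        exposed = hndl_exposed(a, z)
        if exposed:
            action = "migrate now: hybrid KEM for key exchange, dual signatures for signing"
        elif cls == "shor-vulnerable":
            action = "schedule PQC migration; re-check when shelf life or CRQC estimate changes"
        elif cls == "reduced-margin":
            action = "move to a 256-bit key at the next rotation"
        elif cls == "unknown":
            action = "unclassified algorithm: review manually"
        else:
            action = "no change needed"
        findings.append({"name": a.name, "class": cls, "hndl_exposed": exposed, "action": action})
    return findings


def summarize(findings):
    """Counts for the executive summary: exposed now vs. vulnerable but still in time."""
    return {
        "exposed": sum(1 for f in findings if f["hndl_exposed"]),
        "shor_vulnerable": sum(1 for f in findings if f["class"] == "shor-vulnerable"),
        "total": len(findings),
    }


# Constructed sample inventory (illustrative values only).
SAMPLE_ASSETS = [
    Asset("customer TLS key exchange", "ECDH", 256, shelf_life_years=10, migration_years=2),
    Asset("firmware code signing", "RSA", 3072, shelf_life_years=1, migration_years=3),
    Asset("archived M&A correspondence", "RSA", 2048, shelf_life_years=7, migration_years=1),
    Asset("backup encryption at rest", "AES-256", 256, shelf_life_years=15, migration_years=1),
    Asset("legacy site-to-site VPN", "AES-128", 128, shelf_life_years=3, migration_years=2),
    Asset("vendor appliance", "proprietary", 0, shelf_life_years=5, migration_years=4),
]

if __name__ == "__main__":
    # Run the inventory against both ends of the article's CRQC window.
    for year in (2030, 2040):
        findings = assess_inventory(SAMPLE_ASSETS, years_to_crqc(year))
        print(f"CRQC assumed in {year}: {summarize(findings)}")
        for f in findings:
            if f["hndl_exposed"]:
                print(f"  EXPOSED {f['name']}: {f['action']}")
```

Running it against both ends of the window shows why the estimate matters: with a 2030 horizon two assets are already exposed, with 2040 none are, yet the same three assets still need a migration plan.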
■ We invite all organisations to access our complimentary handbook Strategic preparation for Post-Quantum Cryptography and take the first step towards a resilient cryptographic infrastructure ready for the quantum era.

Opening image (cc): Interior of an IBM Research quantum computer.
April 9, 2025
Cyber Security
A new framework for civil aviation Cyber Security
Extensive technological dependence and interconnectivity in aviation have made cybersecurity a fundamental pillar of air and operational safety. Recognizing this reality, the European Union has introduced Regulation 2022/1645 as a key framework for EU aviation security, set to take effect on October 16, 2025. The proposed guidelines apply to airport operators and apron management service providers, ensuring that they integrate robust cybersecurity practices to prevent disruptions and interruptions that could compromise aviation operations. This approach is designed to address the evolving cyber threat landscape, where cyberattacks targeting critical infrastructure—such as airports and air traffic communication networks—have become an increasing concern. The EU mandates comprehensive security controls and practices to enhance cyber resilience, detect cyber threats, and mitigate aviation risks.

The importance of Cyber Security in aviation

In an industry where safety has always been the top priority, is Cyber Security truly treated with the same level of urgency as physical and operational security? As aviation systems become more interconnected, do traditional safety cultures need to evolve to fully integrate cybersecurity into all aspects of operations?

It is important to highlight that organizations involved in critical aviation functions have direct implications for cybersecurity. They are required to adopt enhanced information security management practices to protect against cyber incidents and address the cyber risks associated with digital transformation and emerging, disruptive innovations within the aviation sector. Regulatory requirements have expanded beyond traditional physical security concerns to encompass cyber risk assessments, cyber resilience planning, and mandatory cyber incident reporting.
The regulation establishes a cyber risk-based approach to Cyber Security controls, aligning them with aviation security objectives, corporate dynamics, operational complexity, and industry-specific challenges. From my experience, the regulation aligns well with established methodologies in cyber risk assessments, vulnerability management, threat intelligence and hunting, incident management, and business continuity.

■ Given the complexity and evolving nature of malicious actors, compliance should not be seen as an isolated effort. Instead, it should be seen as an ongoing process of monitoring, adaptation, and continuous improvement.

Various standards can help meet regulatory requirements, such as ISO 27001 and NIST CSF 2.0. However, it is essential to consider both the substance and specificity of the aviation sector’s requirements.

Adaptation and continuous compliance efforts

To ensure adaptation and compliance, strong commitment, accountability, and leadership in both governance and Cyber Security strategies are essential. It is crucial to appoint cybersecurity officers, establish clear lines of responsibility, and integrate security into risk-focused governance frameworks. Compliance mechanisms play a vital role, including regular audits, security assessments, and adherence to maturity models. Maintaining detailed Cyber Security policies and, most importantly, compliance evidence will be indispensable.

The regulation also addresses cyber incident reporting, which can be compared to the NIS2 directive. NIS2 is more specific regarding early warning deadlines—requiring notification within 24 hours and an initial update within 72 hours. With the implementation of Regulation 2022/1645, provisions must be harmonised. Effectively managing cyber incidents is essential to minimize operational disruptions and prevent cascading effects that could impact multiple aviation stakeholders.
■ These guidelines align with the European Union Aviation Safety Agency (EASA) provisions, ensuring coherence between regulatory compliance and operational security measures. EASA’s guidelines emphasize cyber risk-based approaches to cyber resilience, sectoral collaboration and cooperation, and cyber threat intelligence sharing.

Regulation 2022/1645 requires organizations to develop, implement, and maintain an Information Security Management System (ISMS) to enhance their cybersecurity capabilities.

Supply chain security and Cyber Security investment

A key aspect of the regulation is the importance of supply chain security. The regulation explicitly addresses contractual and third-party processes. It is critical to recognize that many cyber incidents originate from various sources. Third parties are not exempt from these threats—particularly regarding vulnerabilities that arise when organizations lack proper visibility into a supplier’s infrastructure beyond the provided service. Cyber adversaries exploit these weak points.

Under the new regulation, organizations must conduct cyber risk assessments of their supply chains. This is to ensure that third parties adhere to evidence-based Cyber Security practices to maintain compliance. Key measures such as audits, mandatory cybersecurity controls in contracts, and continuous third-party monitoring will be essential in due diligence processes for safeguarding the aviation supply chain.

Cybersecurity is not just about financials and regulatory compliance. The regulation underscores the necessity of investing in infrastructure, cybersecurity architecture, workforce training, and cyber risk management to strengthen cyber resilience.

■ While cybersecurity investments may pose significant costs, they are critical to preventing or mitigating potentially catastrophic incidents. Therefore, organizations must reassess their cybersecurity strategies and find a balance between compliance costs and operational efficiency.
This is done by prioritizing sustainable, adaptive, and strategic Cyber Security investments.

Impact and penalties for non-compliance

Non-compliance can lead to various legal and financial consequences. For example, NIS2 clearly defines financial penalties and other sanctions. While Regulation 2022/1645 does not explicitly outline sanctions, the aviation sector remains subject to other regulatory frameworks, which could result in penalties arising from overlapping regulations. Additionally, organizations must consider the reputational impact of a cybersecurity breach in aviation. This could lead to loss of customer trust, financial instability, and increased scrutiny from regulatory bodies.

From a methodical perspective—both in terms of substance and implementation—Regulation 2022/1645 aims to develop practical capabilities for proactivity, foresight, and anticipation, contributing to the continuous strengthening of cybersecurity, cyber resilience, and cyber risk management.

■ Under NIS2, regulatory authorities have the power to impose fines, restrict operations, and enforce corrective measures on organizations that fail to meet cybersecurity requirements.

Conclusion

Looking ahead, this marks a significant shift in Cyber Security governance within the aviation sector. All stakeholders must remain agile to adapt to emerging cyber trends. This includes ensuring regulatory compliance and proactively preparing for future changes that will shape the industry's cyber resilience landscape. Geopolitical tensions, increasing cybercriminal activity, and rapid technological advancements underscore the urgency of a secure and resilient aviation ecosystem. Therefore, the proactive adoption of this regulation is imperative. It not only enhances cybersecurity posture but also contributes to the broader objective of ensuring safe aviation operations for the future.

■ Access the Commission Delegated Regulation (EU) 2022/1645 of July 14, 2022 →
March 3, 2025
Cyber Security
Corporate strategy and competitive advantage in Cyber Security
Cybersecurity is no longer just a technical issue, but a strategic imperative. As cyber threats advance and grow in complexity, cybersecurity becomes an anchor of business strategy, not only because it protects your technology architecture and infrastructure, but also because organizations are moving at an accelerated pace to gain competitive advantage and positioning. The ability to safeguard data, ensure operational continuity and cyber resilience, and protect customer confidence is a key differentiator in the marketplace. Even in industries where compliance and reliability are essential, practices that enhance and transform the cybersecurity posture strengthen brand reputation, attract new customers and investors, and even open up new business opportunities.

Integration of Cyber Security into the business strategy

Sound and continuously improving Cyber Security practices enable organizations to protect their intellectual and industrial property, confidential customer and employee data, and their critical operational integrity, giving them an advantage over competitors who may suffer more frequent or severe breaches. An organization that demonstrates a proactive approach to security is able to avoid the financial and reputational damage and the adverse side effects that a data breach can lead to. Ensuring resilience and continuity of operations without costly disruptions is crucial, as is building strong relationships with partners, investors and customers.

■ Prioritizing Cyber Security can be leveraged as a capability in the sales pitch: organizations that practice a security culture can project themselves as leaders in trust and reliability. Regardless of the type of company, its size and its systemic importance, cybersecurity should be a priority and a strategic ally.
Cyber Security should not be treated as a separate or reactive function, but as a cross-cutting and integral pillar of business strategy, which demands that cybersecurity principles be embedded in product development, risk management and digital transformation initiatives. Corporate governance and the entire organization must recognize Cyber Security as a critical enabler of operational continuity, resiliency and innovation by ensuring its alignment with corporate growth objectives and prospects, along with stakeholder expectations. When we incorporate Cyber Security into all levels of decision making, from supply chain management to customer engagement strategies, we can ensure cyber risk mitigation without stifling the agility of business processes and activities.

Cyber Security as a competitive advantage

Cybersecurity should not be seen as an opposing force to innovation: organizations can innovate securely with a focus on security by design, because security cannot be applied after the fact. Keep in mind that approaches such as DevSecOps (development, security and operations) allow security to be integrated into agile development cycles, where innovation can flourish while risks are minimized. Security testing, continuous monitoring and quality assurance, among others, ensure that deployments of new features or products meet security standards without hindering or compromising the pace of innovation. The market sometimes perceives organizations with solid Cyber Security practices as more trustworthy and reliable, which can lead to greater customer loyalty, increased investment and more strategic alliances, especially in industries that handle data or operate in regulated environments. When organizations are truly transparent about their Cyber Security efforts and commitments, they attract customers who prioritize security in their purchasing decisions and may even command premium prices for products or services that carry corresponding assurances.
In contrast, organizations with weak practices can suffer loss of market share and reputational damage. We must keep in mind that no one is exempt from suffering a cyberattack; we work every day to mitigate risks amid accelerating technological change. Trust and loyalty are a pillar of the customer relationship: when customers feel that their data is safe, they are very likely to use products and services, repeat their purchases and recommend them. Moreover, a data breach can erode trust almost instantly, with long-term consequences for customer retention and loyalty. In industries where information is constantly exchanged, cybersecurity is not only a defensive matter but a key to maintaining relationships and brand loyalty. Lately, in some sectors, regulatory compliance (with GDPR, CCPA, HIPAA and others) helps organizations transform themselves and amplifies their opportunity for competitive advantage by positioning the organization as a leader in privacy and data protection. While it is true that the leadership of many organizations sees compliance as a costly obligation and sometimes fails to understand it, those that go beyond the minimums can differentiate themselves by demonstrating and ratifying their commitment to security, while avoiding costly fines and legal and financial ramifications, which further solidifies their position in the competitive marketplace. From my experience, I have been able to analyze companies that turn their cybersecurity practices into their competitive advantage; for example, I have seen how they have consistently marketed products that are highly secure and focused on comprehensive and holistic privacy. Another example is how they position themselves as security leaders in cloud computing, making their services attractive and investing to deliver end-to-end solutions that differentiate them from other network infrastructure providers.
Numbers and financial indicators of operations are good and important, but Cyber Security permeates all areas of the business. With the accelerating digital transformation, Cyber Security will increasingly become a critical component of business strategy. Cyber Security is evolving from a defensive posture to one that enhances business growth and development by enabling the adoption of emerging and disruptive technologies such as quantum computing, IoT, AI and blockchain, while also shifting its focus toward prevention and toward assuring operational continuity and resilience. Leading in these areas will not only give organizations the ability to protect their operations, but also reinforce and strengthen their competitive positioning in an increasingly digital marketplace.
February 17, 2025
Cyber Security
Cyber Security challenges in a world of liquid risks
Everything can change from one moment to the next, in both the visible and the invisible parts of our environment, marked by complexity, uncertainty and volatility, which poses a great challenge for cybersecurity. ENISA, in its Cybersecurity Threats Forecast Report 2030, highlights that technological evolution, geopolitics and the cybersecurity landscape demand that organizations be prepared to face foreseen or unforeseen challenges; that is why retrospective and prospective analysis is essential. In his book Liquid Risks, Alberto J. Ray notes that the term liquid world was coined by Zygmunt Bauman, who states that realities are fluid and changing. This is a challenge for the identification, analysis and response to emerging and hybrid cyber threats, because organizations need to maintain their security, stability and resilience. Liquid risks are in essence global, i.e. they are omnipresent, even if they are not obvious to the eye. Ray states that a risk is liquid because its mutable form adapts and transforms to the environment that shapes it: it is difficult to contain, it spreads easily and, although it is intangible when one tries to determine it with any degree of precision, its effects are unstoppable for those who decide to exploit it. It is necessary to manage uncertainty with flexibility and speed.

Security challenges in a liquid world

In the dynamics of cyber operations, with the deployment of proactive and reactive capabilities, it was very common to approach threats by their typology or pattern. Sometimes it was evident how to witness them and to know their capabilities and indications; there could be differences in their impact or behavior according to their environment and their temporal and spatial scope, as well as in their ability to move to other technological assets, which we could even determine in advance.
But the reality is that, as liquid risks, these threats have sophisticated capabilities with an emergent and disruptive approach: they can appear, disappear, recreate themselves and even mutate in a different, systemic and independent way, adopt the appearance of their environment and cross borders in space and time due to the dependencies and interconnections of the infrastructure and technological architecture. With liquid threats, the range of threat actors is very broad and they are not easily revealed; they tend to camouflage themselves, infiltrate and even hide. This is why, in these times of hyperconnectedness and supply chain dependencies, threats are more anonymous, ubiquitous and unpredictable than they ever were, due to the sophisticated capabilities of the actors. The threats arising from these risks are the consequence of a misunderstanding of the environment resulting from the acceleration of globalization and technology. These risks include threats such as zero-day vulnerabilities, supply chain attacks, ransomware and sophisticated malware that dynamically transforms to evade controls. In addition, they can originate from several variables, such as dynamic cloud environments, the supply chain or even the integration of AI and machine learning, because these introduce novel and unpredictable vulnerabilities.

Characteristics of a liquid risk

There is a big difference between static risks, which can be mitigated by predefined controls, and liquid risks, which require continuous monitoring and adaptation due to their mutable and unpredictable nature. The essential characteristics of this risk are:

Adaptability: They transform and evolve in response to new defenses or circumstances in their environment, rendering traditional defenses inadequate.
Unpredictability: By their nature, they are difficult to anticipate, assess and manage.
Permeability: They can seep into multiple layers of technology architecture and infrastructure, from software vulnerabilities to undermining external vendor ecosystems.

Provenance and sources

Their provenance and sources can be very diverse; here I explore some of them:

Evolution and exponential growth of technologies: The constant digital transformation converging in organizations, such as the adoption of AI, cloud computing or IoT devices, extends the exposure and attack surface even further, which introduces vulnerabilities and challenges the capabilities of adversaries.
Sophisticated and dynamic threat actors: Cybercrime and nation-state actors constantly evolve their integrated capabilities together with their tactics, techniques and procedures (TTPs), making their attack and threat strategies adaptable and evolving in real time, as everything aims to undermine the systemic capacity, liquidity and other operational aspects of organizations.
Supply chain complexity and hyper-connectivity: Today this extends beyond the fluid interdependencies between 3rd, 4th and nth party suppliers, as they introduce rapidly changing risks depending on external or internal threats or vulnerabilities in the technology infrastructure and architecture.
Updates and patches: Constant changes that are sometimes not formalized under secure practices can originate new vulnerabilities, due to factors such as haste, bad practices and others that depend on quality assurance processes, which vary greatly in each organization.

Impact for businesses

These risks latently and aggressively challenge the security measures that organizations rely on, such as traditional antivirus, Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM) or firewalls, onto which they "offload the responsibility for security".
These risks evolve and can evade defenses designed to address known or unknown vulnerabilities. This makes it necessary for organizations to rethink their approach, moving from a reactive to a proactive security posture, with an emphasis on continuous monitoring, real-time detection and adaptive defensive security strategies. These risks can erode corporate resilience by exploiting blind spots in defenses, especially in complex and interconnected environments of infrastructure and technology architecture. Over time, if not managed, these risks can lead to data breaches, reputational damage, strategic damage and even sanctions of other kinds.

Detection of liquid risks

Detecting these risks requires advanced techniques beyond common signature-based methods:

Behavioral analysis of all components of the technological infrastructure (processes, people, technologies, information and environment) helps to identify anomalies that could indicate a liquid risk.
Threat intelligence from real-time sources will help your organization stay updated on emerging and disruptive threats and vulnerabilities; it is appropriate to develop retrospective and prospective capabilities based on the situational state.
AI and machine learning can detect patterns and anomalies in data by identifying subtle deviations from normal behavior.
Continuous monitoring is necessary for real-time visibility of network traffic, activities, users and software operations, helping to detect rapid changes in risk profiles, where analytical capabilities are very important.
Red team and adversary simulations allow us to actively test corporate defense capabilities through simulated sophisticated attacks that can uncover potential vulnerabilities before they are exploited or seen by malicious actors.
Preventing liquid risks requires a flexible and multi-level approach: conducting dynamic risk assessments, proactive cybersecurity management, "zero trust" infrastructure and architecture, patch management, updates and hardening, threat hunting, supply chain and vendor management, security due diligence processes, among others. When responding to these risks, organizations must be agile and adaptable, with incident response and recovery plans and their corresponding tests, mitigation strategies, incident analysis, among others; all must be up to date and proactive to address an evolving landscape. It is useless to have plans if we don't test and exercise them to know their capabilities.

Liquid risk cases

After analyzing countless cybersecurity attacks and incidents, let's recall a case that can be attributed to a liquid risk: the SolarWinds attack, where cybercriminals infiltrated the software update process with a backdoor that spread across thousands of networks around the world; by exploiting fluid vulnerabilities in the supply chain, it affected governments and organizations. Its dynamic nature, including the ability to avoid detection for months, shows the behavior of this risk. We can also consider the WannaCry ransomware attack. A systemic cyber risk can also be a liquid risk, depending on the associated vulnerabilities and threats, as has been seen on some occasions in supply chain risks. Such is the case of the NotPetya attack: its speed and rapid spread through networks, even transcending borders globally through trusted software updates, exhibited liquid and mutant traits, as this attack evolved by exploiting systems and mutating to enhance its capabilities even while the risk was being mitigated. Therefore, liquid and mutant risks are closely related: liquid risks evolve over time and mutant risks change dynamically to circumvent controls.
January 27, 2025
Cyber Security
Strategic human talent development in Cyber Security
Strategic human talent development in Cyber Security for capacity building

It is imperative that decision makers prioritize sustainable cybersecurity talent management. In today's emerging and disruptive digital era, the Cyber Security landscape is rapidly evolving, presenting new challenges and opportunities. The advancement of technologies and the increasing sophistication of cyber threats require a robust and proactive Cyber Security approach. Central to this strategy is the development and management of skilled human talent. Organizations must prioritize cultivating a workforce adept at current Cyber Security practices and adaptable to future changes. As cyber threats become more complex and pervasive, the need for skilled talent that can protect information, critical services and infrastructure is a top priority. However, the Cyber Security professional gap remains a major challenge for many organizations and sectors of the global economy.

■ The demand for Cyber Security professionals has never been higher than it is today: the World Economic Forum (WEF) states that the Cyber Security workforce will grow by 12.6% between 2022 and 2023, and that there is a critical global shortage of nearly 4 million professionals.

Attracting, educating, recruiting and retaining talent is a strategic imperative that demands viable approaches.

Gap-closing strategies

To bridge this gap, a strategic and collaborative approach to talent development that includes education, training, attraction, retention and continuous professional growth is essential. By investing in workforce capability development, organizations can build a cyber-resilient defense squad against threats.
Organizations are facing a major shortage trend that seems to be missing from recruitment processes and is a silent reality, given the commitment, criticality and demand for Cyber Security skills. This is what we know as the "shortage", which the WEF breaks down as follows:

Skills shortage: specific technical and soft skills or competencies required for particular roles within the Cyber Security field.
Talent shortage: lack of individuals who possess the broader set of skills, knowledge and attributes needed to excel in various Cyber Security roles.
Capability shortage: extends beyond Cyber Security personnel and encompasses aspects such as the digital infrastructure and regulatory frameworks needed to establish and maintain robust security measures in the digital landscape.
Expertise shortage: refers to the lack of practical and technical expertise to address real-world Cyber Security issues.

Organizations are increasingly struggling to find people with the right drive and motivation. It is important to provide training for the HR experts involved in recruiting Cyber Security talent, so that they better understand the industry and the skills and qualifications required for each role. This ensures consistency between the requirements stipulated in job descriptions and candidate expectations, in order to find the right candidates. According to the WEF, the strategic and sustainable development of talent in Cyber Security is convergent and dynamic, with an integral and holistic approach whose components should not be considered in isolation but as interconnected for organizations. The key components are:

Talent attraction

Have strategies and efforts in place to attract qualified individuals to the Cyber Security field. This involves creating a compelling narrative around the industry, highlighting the importance and impact of Cyber Security, and showcasing the diverse career opportunities available.
It also includes outreach initiatives to underrepresented groups, promoting inclusion, and generating awareness of the field among students and professionals. Organizations can participate in industry events, collaborate with educational institutions, and offer internships or apprenticeships to attract potential candidates.

Education and talent development

Individuals need to be equipped with the knowledge, hard and soft skills and competencies required in Cyber Security. This includes formal education programs and certifications, as well as hands-on training through labs, simulations and real-world experience. Continuous learning is essential due to the rapidly evolving nature of cyber threats, making it crucial for professionals to stay current with the latest technologies, tools and best practices. Organizations must invest in professional development programs to enhance the expertise of their workforce.

Talent recruitment

This is the central part of the processes and strategies used to identify, evaluate and incorporate skilled people into an organization. It involves creating effective, specific and consistent job descriptions, sourcing candidates through various channels, and conducting interviews and assessments to find the best candidate for each role. Recruiting strategies must be agile and adaptable to meet the changing demands of the Cyber Security landscape. In addition, organizations must focus on building a strong employer brand and offer competitive compensation packages to attract top talent.

Talent retention

It is essential to create an environment that encourages employees to stay with the organization for the long term. This includes offering career development opportunities, competitive salaries and benefits, and fostering a positive work culture. In addition, it is critical to provide clear career progression paths, continuous learning opportunities and recognition for achievements.
Ensuring work-life balance and providing mental health and wellness support are also important aspects of retaining talent. Effective retention strategies help reduce turnover, maintain organizational knowledge and build a stable and experienced workforce. Therefore, today more than ever, having a strategy and implementing it is significant in attracting talent, by incorporating practices that help your organization identify and engage people who will not only fill a position but also stay with the organization. Strategic and sustainable Cyber Security talent development permeates a corporate culture that inspires and motivates people, and must also create an environment where employees feel empowered and have the opportunity to foster a sense of purpose and belonging beyond productivity.
December 5, 2024
Cyber Security
Digital nomads and Cyber Security, remote and protected
The global economy's dynamics have evolved. The term "digital economy" refers to integrating information technologies into the life cycle of goods and services, including production, marketing, and consumption. It emphasizes how industries leverage technology's growth to innovate, creating or adapting products to stay competitive. In its Threat Landscape Report 2024, ENISA identifies seven main cybersecurity threats, led by ransomware and including malware, social engineering, threats against data, threats against availability (denial of service, DDoS), information manipulation and interference, and supply chain attacks. This is based on the observation of 11,079 incidents, 322 of them specifically targeting two or more EU member states. In addition, different types of motivations are attributed to the threat actors, such as financial gain, espionage, destruction and ideology.

Cyber-threats to digital nomads

In a world marked by geopolitical tensions, complexity, acceleration and uncertainty, how should organizations strategically position their digitally nomadic workforce to address potential Cyber Security challenges arising from diverse regulatory environments, nation-state sponsored threats and instability? More and more people are becoming users of Internet-connected devices, from cell phones and computers to smart watches and smart bracelets. This connectivity allows them to participate in a global environment without limitations of time and space. As a result, the digital economy becomes accessible to millions of people around the world, facilitating the exchange of goods and services for both suppliers and consumers. Did you know that every new destination and every connection to a public network, such as in hotels or coffee shops, creates potential for a cyberattack?

✅ The World Youth Student and Educational Travel Confederation (WYSETC) estimated the number of digital nomads to exceed 40 million by 2023, with projected growth to approximately 60 million by 2030 around the world.
Digital nomadism culture

Having seen everything that is happening in the current dynamics of 'digital nomads', it is necessary to turn to cyberspace, the digital ecosystem in which they originate. The term was introduced by the American writer William Gibson in 1984 in his novel "Neuromancer". Cyberspace encompasses elements such as the Internet, telecommunications networks, computer systems and the embedded processors found in critical industries or essential services. It represents a sophisticated environment shaped by the interaction of individuals, software and services using technological devices and connected networks. Unlike physical forms, cyberspace exists as a complex global domain. It is often referred to as the fifth domain, underscoring its strategic importance alongside land, sea, air and space. Given the constantly evolving nature of cyber threats, how can organizations cultivate a culture of adaptability, resilience and continuous learning among digital nomads to effectively counter emerging threats from sophisticated cyber attack schemes? The term digital nomad was coined in 1997 by Tsugio Makimoto and David Manners, who describe a person who takes advantage of the potential and possibilities of current, emerging and disruptive technologies for the sake of the future, combining and integrating them with a natural impulse to travel, managing to live, work and exist on the move. They usually telecommute and choose locations such as their homes, coworking spaces, work cafes, other countries, coffee shops or public libraries instead of a traditional fixed workspace. But what are the cyber risks they are exposed to, how can they protect themselves, and what impact does this lifestyle have on the dynamics of the cybersecurity culture of organizations? The digital nomad culture represents a modern lifestyle and professional trend marked by adaptability, resilience, and flexible hours.
These individuals challenge traditional corporate structures and hierarchies.

Digital nomads' Cyber-Security risks and threats

In today's increasingly interconnected world, the concept of work has evolved, and more and more professionals are adopting this lifestyle, working from anywhere in the world with an Internet connection. While this style offers tremendous freedom, well-being and flexibility, it also presents unique cybersecurity challenges. Nomads often rely on public or private Wi-Fi networks and may be using personal devices for work, making them susceptible to a range of cyber threats. How can organizations balance the autonomy granted to digital nomads with the imperative of maintaining a centralized cybersecurity framework? What innovative approaches can be employed to empower individuals while ensuring collective cybersecurity resilience? The cyber threat landscape is dynamic and multifaceted, reflecting the changing nature of cybersecurity challenges in the era of emerging and disruptive digital transformation. Beyond protecting professional data, nomads' personal information remains at constant risk. For them, cybersecurity is not just an additional layer of protection but an imperative, especially as they navigate the diverse digital terrains around the world. The exposure and attack surface of digital nomads can be very wide and variable, since several variables affect it. From my experience, when setting out for a destination as a nomad, I consider aspects such as the following, among others:

International positioning of the country, with a geopolitical perspective and tensions.
Risk profile of the country.
Cyber Security posture, target of cyberattacks, situations and developments.
Legal framework for cybersecurity and data protection.
Physical and environmental security.
Airport security, and the software and technologies that are allowed to be used in that country and those that are not.
Methods of confiscation and control by the country's authorities.
Main media, law enforcement agencies and bodies.

These are some of the risks to which we may be exposed:

Public and insecure Wi-Fi networks.
Political, legal and strategic aspects.
Identity theft and social engineering.
Interception or alteration of communications.
Wiretapping and spying.
Physical and environmental security.
Device security.
Cloud security.
Downloading malicious files or software.
Synchronization between devices.
Weak authentication methods.
Obsolete software.
Geolocation.

Strategies for securing a cyber-threat environment

To navigate this landscape, digital nomads and organizations share the responsibility of adopting a proactive cybersecurity posture. This includes:

Improving practices and cyber hygiene by using secure and encrypted communication technologies.
Implementing strong authentication methods.
Adopting virtual private networks (VPNs).
Staying informed about the latest cybersecurity threats, geopolitics and best practices.
Ongoing and periodic monitoring of security controls.

Protecting online activities is crucial to mitigate risks and keep this lifestyle safe and resilient.

✅ From my experience in this culture of digital nomadism and in digital native companies, it is essential to be aware of the information we handle and how it is treated: we do not know who is around us, nor do we have control of the environment. It is necessary to prioritize and balance the efforts of security controls to safeguard confidential data and its properties, which calls for a comprehensive cybersecurity policy with clear guidelines for teleworking and mobility. Collaboration tools must be secure and approved by the organization to mitigate the associated risks and their adverse effects.
But this doesn't stop at technology controls: a culture of cybersecurity awareness and training with a focus on risk needs to be fostered, so that nomads can be vigilant and take responsibility for maintaining a secure digital environment in their ecosystem. Prevention is the catalyst for awareness. The dynamics of remote work, digital nomadism and digital native enterprises are underpinned by a cybersecurity-conscious mindset, where a shared responsibility to fortify our digital environment coexists with ensuring security, resilience and trust. Remember that a VPN is not everything; there are other things in security.

■ Access the ENISA Threat Landscape Report 2024 →
November 25, 2024
AI & Data
An analysis of the 360° governance approach for Generative AI
Generative Artificial Intelligence (GenAI) is transforming the technological landscape, driving breakthroughs in creativity, innovation, efficiency and productivity. However, it also poses ethical, regulatory, cyber and social challenges that require urgent solutions with a focus on governance. The World Economic Forum (WEF) addresses this in its report "Governance in the Age of Generative AI: A 360° Approach to Resilient Policy and Regulation". Given the scale and complexity of artificial intelligence challenges, GenAI systems such as language modeling and deep learning technologies have the potential to reshape industries, but they also present unique risks. As I have seen, from advanced spoofing to biases in decision-making algorithms, these technologies can be misused, causing widespread harm. The WEF recognizes these risks, emphasizing that legal and regulatory frameworks are lagging behind the rapid development of AI. It also stresses the importance of developing and articulating policies that can mitigate risks as well as adapt to future developments. Therefore, we must ask ourselves: can the current speed of regulatory evolution keep pace with the exponential growth of these technologies?

Regulatory and ethical challenges in the age of generative AI

Generative AI has unique capabilities: we see the creation of highly compelling text, audiovisual content and media, a significant departure from previous AI technologies focused on automation and pattern recognition. Unlike previous advances, generative AI can produce entirely new content, complicating the verification and validation of authorship and intellectual property issues. Its results are also less predictable, which increases the chances of misuse or unintended consequences, such as the dissemination of misinformation or the creation of harmful content.
We are immersed in unprecedented risks because GenAI systems can generate hyper-realistic content, deepfakes and synthetic media. This is where we face unique challenges in verifying authenticity and appropriateness, and these can significantly fuel disinformation, fake news and the manipulation of public opinion. From an ethical standpoint, one must bear in mind that bias can be perpetuated, since models often reflect the biases inherent in the data they are trained on. Privacy, consent and monitoring cannot be left out either, especially when artificial intelligence is used for impersonation or content generation; these risks are aggravated by the opacity with which these models make decisions, which limits accountability. GenAI capability adds new layers of complexity to governance, trust, ethics and privacy.

The WEF publication sets out to cover the core aspects of AI governance through the participation of all stakeholders, from a multidimensional and cross-sectoral perspective. Its pillars are ethical development of AI; transparency and accountability; global coordination; and resilience and adaptability. These pillars aim at comprehensiveness, but their success will depend on the collaboration of all stakeholders, which begs the question: is a global consensus on AI regulation actually feasible?

Development of ethical and regulatory standards

While stakeholder inclusion in AI governance is essential to ensure inclusiveness, it does not automatically guarantee that under-represented communities will be heard. Power imbalances, unequal representation and lack of access to decision-making spaces often marginalize these voices.
Therefore, without deliberate efforts to center these communities, through quotas, local participation, advocacy and visibility in forums, the risk persists that influential actors such as companies and governments will dominate the debate, perpetuating existing inequalities and gaps.

The strength of this 360° model lies in its global approach, but there is a risk of over-extending the framework. By trying to cover every aspect of AI governance (ethical development, transparency, global coordination and so on) without a clear and coherent order of priorities, the model may prove difficult to implement. Broad models can dilute focus, making it hard to establish accountabilities and to achieve tangible outcomes, whether direct or indirect. To avoid this, the framework must set out specific, enforceable policies and ensure that effective oversight mechanisms are in place, so that it does not collapse into bureaucratic inefficiency.

It has become clear that current regulatory systems are not adapted to the pace at which AI evolves, which suggests innovative approaches to testing and experimentation that do not compromise safety, such as regulatory sandboxes and adaptive policy frameworks. The notion of agile governance is compelling, but ensuring that regulators are well equipped to manage the current and future risks of AI demands continued investment and international cooperation.

Insulated regulatory environments

Regulatory sandboxes, insulated regulatory environments, offer a controlled space in which to test AI technologies without the full set of regulatory constraints, allowing innovation to flourish while potential risks are identified and kept under control. Their effectiveness, however, depends on clearly defined boundaries and monitoring mechanisms. From well-structured, isolated spaces a balance can be struck that allows experimentation while addressing concerns about ethics, transparency, privacy and cyber risk.
But without rigorous monitoring there is a risk of turning these spaces into permissive ones, where norms and practices are ignored in favor of unchecked progress. Flexible governance frameworks are also essential to manage and adapt to the rapid evolution of AI: their adaptability allows policymakers to adjust regulation as new AI capabilities emerge, while promoting innovation and maintaining safety standards. The challenge is to prevent these frameworks from becoming ineffective bureaucratic layers. To remain effective, these models must prioritize agility and responsiveness, with assurance that they neither slow down decision-making nor create unnecessary regulatory complexity. The risk is real and present, but it can be mitigated with streamlined processes and transparent oversight.

Ethics-based AI governance

The WEF strongly advocates grounding AI governance in ethical principles, with a particular focus on safeguards and freedoms around human rights, data privacy and non-discrimination. It also warns against the possible misuse of AI technologies, for example for surveillance or manipulation. From my experience in the management and development of AI models for cybersecurity and risk, the European Union (EU) is taking firm steps, and one concrete fact is the EU Artificial Intelligence Act (in Spanish, the Reglamento de Inteligencia Artificial, RIA). The report highlights that transparency is essential, but a major challenge remains: making the operation of sophisticated AI models understandable to non-experts. Demanding accountability when something goes wrong, whether through case law or through ethical control and oversight bodies, therefore remains a significant obstacle. Guaranteeing transparency and accountability in AI systems, especially in complex models such as neural networks, is a striking challenge because of their black-box nature and the contexts in which they are used.
Regulators can require clearer documentation of AI decision-making processes, require that model outputs be explained, and insist on interpretable models where feasible. Audits of AI systems play a starring role here, together with mandatory reporting of AI failures, incidents and biases, which helps enforce accountability. We have seen how open-source models or external reviews can also foster transparency by allowing experts to inspect and understand the inner workings of our AI systems. From my experience I have seen high-stakes sectors such as healthcare and law enforcement, where robust mechanisms must be in place to hold AI systems accountable when they fail. Here we return to the EU and the RIA: this legal framework requires AI developers, operators and other stakeholders to demonstrate that their systems meet the expected requirements, with ethics, privacy, risk and fairness prevailing. Our AI systems have to behave as regulation expects them to, beyond our own interests. Organizations should implement AI use and liability policies that take into account the harms AI systems can cause, in order to ensure that all parties abide by the regulatory framework. Clear recourse mechanisms for those affected by AI errors, such as avenues of appeal or review by human oversight, are essential.

From a socio-economic perspective, the WEF raises the disruptive effects of AI, especially job displacement and labor market restructuring. Although AI promises new efficiencies and innovations, it also threatens traditional employment models, especially in sectors vulnerable to automation. There is also a clear recognition that while AI can drive economic growth, without proper management it could exacerbate inequalities.
Therefore, policymakers must prioritize inclusive growth strategies that ensure the benefits of AI are shared equitably.

Regulatory solutions for AI

Looking back, previous industrial revolutions teach us that technological advances bring significant social change, translating into economic progress as well as large-scale disruption. The key lesson is the importance of proactive adaptation. Governments, businesses, educational institutions and the other players in the AI ecosystem must anticipate change and implement policies that minimize negative impacts such as inequality or unemployment while maximizing the benefits of innovation. Forward-looking networks of collaboration and cooperation help manage these transitions. Educational plans and qualifications will be essential, but they must be designed to keep pace with emerging and disruptive technological advances. To be effective, education models and curricula must focus on fostering adaptability, critical thinking, digital literacy and cybersecurity, developing skills that are not only technical but also life skills, such as how to collaborate with AI systems.

The WEF highlights that AI is a global problem requiring collaboration, cooperation and global interoperability. Fragmented approaches to AI governance can lead to conflicts or competitive races, where one country's regulatory leniency incentivizes riskier AI deployment. I have seen how closely international bodies such as the Organisation for Economic Co-operation and Development (OECD) and the United Nations (UN) are involved and how essential their role is, but achieving a global consensus is contingent on political and cultural tensions. The challenge remains to create norms capable of overcoming these divisions.

Global coordination for AI governance

Global coordination for AI governance is difficult because of the significant philosophical, cultural, political and legal differences between countries.
The EU has the strongest regulatory frameworks, prioritizing ethics, privacy and transparency, while the United States of America (USA) leans toward innovation and market-driven approaches. China, for its part, is focused on state control and the strategic use of AI for national goals. These competing priorities make harmonization difficult, but some coordination is possible through shared principles such as safety, accountability and fairness. While common rules foster collaboration and trust, they can also erode the competitive advantage of nations that prioritize rapid AI development. Countries that invest heavily in cutting-edge AI without strong ethical or regulatory constraints may perceive global standards as barriers to their AI leadership. However, well-designed frameworks can create a level playing field, encouraging responsible innovation while mitigating the risks of uncontrolled AI development. Balancing regulation with the freedom to innovate is key to ensuring that rules do not stifle progress. The WEF takes a position on building solid foundations to address the complexities of GenAI governance; the big test, however, will be the resilience and flexibility of these frameworks as AI continues to evolve in ways that may not yet be fully understood.

Conclusion

The AI policies we see today often lag behind the pace of technological development, which makes them insufficient to cope with the full future trajectory of AI; continuous improvement therefore plays an essential role. While existing frameworks address current risks such as bias, transparency, accountability, privacy and cybersecurity, they still lack the flexibility and foresight to manage unforeseen developments, such as more autonomous AI systems. Regulations cannot stagnate or become outdated and inadequate for the complexities of future developments.
To retain that flexibility, AI governance frameworks must be adaptable and continually updated, which requires periodic reviews and stakeholder involvement. Governments should encourage a modular regulatory approach in which rules can be modified as technologies change. These rules must also be integrated with the governance model and backed by clear enforcement mechanisms, such as audit trails, penalties and real-time monitoring systems, that ensure accountability without stifling progress. Global collaboration and cooperation are crucial to harmonize regulations and address cross-border AI challenges. The World Economic Forum's 360° view gives us an important starting point for addressing these governance challenges.

■ Download the full report: Governance in the Age of Generative AI: A 360° Approach for Resilient Policy and Regulation
October 24, 2024
Cyber Security
Communication and press: media coverage of incidents and cyberattacks
Communicating in haste, without substance in either the form or the content of what is transmitted, in order to gain views, engagement and positioning, turns communication into a risk that damages reputation, breeds uncertainty and unsettles stakeholders. It is not about running and accelerating: what happens in cybersecurity generates coverage, and that coverage must be communicated properly. In a landscape where cyberattacks can cripple, undermine and transcend borders in many ways, the role of the media in shaping public perception of incidents and cyberattacks has never been more critical. Whether it is a ransomware attack on a hospital, a data breach at a large enterprise or the hacking of a government system, the form and substance of the media's coverage can influence everything from public confidence to market stability.

Bearing in mind that its purpose is to communicate with objectivity and independence, the media, as the instrument and the form of content through which the communication process is carried out, has evolved constantly over the years, and technological advances have increased both its reach and its immediacy. The media are a great source of power and social influence, often described as the fourth estate by analogy with the legislative, executive and judicial powers because of their capacity to shape public opinion.

The importance of effective media communication in Cyber Security

As more and more organizations face the complex challenge of managing the consequences of a cyberattack, an overlooked but equally critical aspect is communication: how is the incident reported, what messages are conveyed to the public, and how does media coverage develop across the various platforms? That can make the difference between a reputational blow and a recovery. It is now evident that the field is dominated by manipulation of information, stereotypes and stakeholders that condition the dissemination and transmission of the message.
Communication theory, as a branch of information theory, describes the procedures by which one mind can influence another. Communication in its essence, where language, semiotics and communication devices converge, has the mission of exchanging information, transmitting or receiving facts or differing opinions. Media coverage, in turn, is the content produced by journalists, writers or agencies about a given topic or organization, and it can influence reputation, perceptions, opinions and decisions. The media are the main channel for disseminating information about incidents and cyberattacks, and they contribute to public awareness and understanding. When a cyber threat or cyberattack is reported, whatever its category, the media provide essential updates on emerging threats and their impact on organizations, governments and society at large. This coverage dictates the speed with which information is disseminated, influencing the response time of both the affected organizations and other stakeholders. The media act as a watchdog, holding organizations accountable for their cybersecurity posture, transparency and response strategies. The content of media coverage converges with public relations, since these strategic and sustained communication actions aim to strengthen links with different audiences: listening to them, informing them and persuading them in order to achieve consensus, loyalty and support for present and future actions. The methods, theories and techniques of advertising, marketing, design, psychology, politics, sociology and journalism are all applied here.
✅ By shaping public perception of the urgency and magnitude of threats, sensationalist media coverage amplifies fear and uncertainty, leading the public to believe that cyberattacks are more imminent and uncontrollable than they may be, all the more so when organizations have not provided details and what is known first-hand has to be read between the lines.

Impact of communication on public perception of Cyber Security

Balanced and accurate information is necessary, as it can help demystify complex cyber incidents, empowering people and organizations to take the right precautions: it is not about rushing to give information, it is about knowing how to communicate. In the digital ecosystem, public trust can be affected by the tone and accuracy of media coverage, which in turn affects everything from customers to strategy and reputation. The line between sensationalism and accuracy is very delicate, and many outlets prioritize the former to capture attention; evidence of this can be seen in sensational headlines designed to attract an audience, which sometimes exaggerate the scope or impact of an incident, fueling public fear or misunderstanding. The effect is even greater when engagement increases, which can distort the facts and confuse. The media must commit to integrity and ethics focused on accuracy, providing detailed and verified information that allows the public to understand the nuances of cyber risk. Balance is essential, as excessive sensationalism generates distrust in both the media and those affected and their stakeholders.

✅ The media should be clear that an employee of an entity affected by an incident, whether from the cybersecurity department or any other, is under no obligation to give statements to the press, however minimal they may be.
Let us look back to 2017, when the Equifax data breach and the WannaCry ransomware attack showed very clearly how media coverage influences public discourse. Coverage of the Equifax case not only highlighted the magnitude of the breach but also exposed the company's delayed response and inadequate security measures; it dealt a significant reputational blow and increased scrutiny from regulators. Worldwide coverage of WannaCry highlighted its spread to critical infrastructure such as healthcare systems, amplifying concern about the vulnerability of critical services to cyber threats.

✅ Because of the intensity of the coverage and the connotations of these attacks, they prompted regulatory changes and shaped public expectations around cybersecurity preparedness. We live in a time when a cyberattack should not surprise us. Strategic communication, based on research, planning and evaluation, is key to managing corporate identity.

The role of the media in the management of cyberattacks

The media have an ethical responsibility to ensure accuracy, avoid unnecessary panic and respect the privacy of affected parties. Because cybersecurity is technical and complex, journalists and other media actors must verify facts and avoid attributing blame prematurely or identifying threat actors without concrete evidence. It is obviously essential to communicate the scope of an attack, but the media should refrain from sensationalizing details and making value judgments that could damage reputations or fuel chaos, uncertainty and alarm. They should also respect due process and the confidentiality of sensitive information that, if released prematurely, could exacerbate the impact of the attack or hinder investigative efforts.
Communicate with the media in a clear, transparent and timely manner

In times of cyber crisis, clear, transparent and timely communication with the media is critical to managing perception and mitigating damage. It is increasingly imperative that the teams dedicated to crisis communication and management work in close collaboration with the cybersecurity area to ensure the accuracy of the messages. This includes regular updates: acknowledging the scope of the attack and outlining the measures being taken to mitigate the damage demonstrates accountability and builds trust. Be very careful with overly technical language; maintaining transparency about what happened, without speculating about unresolved or ongoing issues, helps reduce misinformation and panic. Work to foster accurate reporting by maintaining proactive relationships with the media and with cybersecurity and crisis journalists, offering rigorous expert opinion and briefings and keeping lines of communication open with technology and cybersecurity outlets. These relationships, established before a crisis occurs, help organizations ensure that media coverage during incidents is based on facts and context rather than speculation.

✅ Spokespersons should be media-trained, as this ensures effective and professional communication when interacting with the press during an incident. The media must also take into account that investigations take time and that regulatory frameworks apply: it is not always possible to give all the detail they are looking for.

The impact of cyberattacks on communications

During a cyberattack, the corporate communication strategy must focus on timeliness, consistency and transparency. Organizations must acknowledge the incident, its nature and its impact, taking care not to reveal sensitive details that could hinder the investigation.
There is also the parallel task of regular updates, ensuring that the media and stakeholders are aware of the efforts being made. The communication strategy must emphasize commitment to resolution and prevention, so a clear, consistent, tested and pre-established incident response plan that includes protocols for action and for interaction with the media keeps control of the information and prevents the spirals of misinformation that can otherwise take shape.

✅ When approaching the press, listen actively and attentively before giving statements, so as not to compromise the investigation, paying attention to the type of question being asked, especially where the line between objectivity and subjectivity in the search for information becomes blurred.

We must understand that sensationalism, tabloid journalism and morbid curiosity, among other factors, condition media coverage of cyberattacks because of their intrinsically dramatic nature. Cyberattacks are easy to sensationalize because they play on public fears about loss of data, financial, legal and reputational damage, and technological vulnerability. Moreover, the complexity of cyberattacks can lead to over-simplified reporting that strips out nuance in favor of alarmist headlines. In the digital ecosystem, the race for clicks and attention severely exacerbates this trend, as outlets strive to capture audience interest with exaggerated narratives. Mismanaged communication with the media during a cyberattack can have serious consequences on a cross-border or global scale: misinformation, whether due to lack of transparency or inaccurate reporting, can spread quickly, generating panic in international markets and damaging global confidence in the affected organizations, with economic losses for organizations that depend on consumer confidence and on stability in the financial and stock markets.
✅ Imagine an incident affecting a multinational or critical infrastructure: inadequate communication can make it difficult to coordinate responses between different countries and regulators, exacerbating the impact on cross-border supply chains and services.

Conclusion

From my experience, I see that as cyber threats evolve, future trends in media coverage are likely to bring a more nuanced understanding of these issues, with an emphasis on analysis and context by qualified experts, since the growing complexity of the cyberattack surface requires specialized journalism that can decipher what has happened without over-simplifying. At the same time, the rise of cyberwarfare and nation-state sponsored cyberattacks is receiving more attention, driving discourse and narratives in the media. There is potential for coverage to shift toward greater accountability, analyzing not only the immediate impact of an incident but also the long-term responsiveness of organizations and governments. The stream of disinformation driven by emerging and disruptive technologies such as artificial intelligence, and the manipulation of media narratives, will bring new challenges, making media literacy and fact-checking critical for journalists and the public alike.
October 14, 2024
Cyber Security
Global Cybersecurity Index 2024: Security on the global stage
In a world where technology and digitalization are critical, robust cybersecurity is imperative. Nations face increasing threats and sophisticated tactics from cybercriminals aiming to disrupt economies, compromise national security and erode public trust. The challenge lies not only in combating cybercrime but also in building cybersecurity capabilities. What drives those capabilities across different countries? The International Telecommunication Union (ITU), in the recently published 5th edition of its Global Cybersecurity Index (GCI), examines countries' digital preparedness. We face a complex and uncertain landscape in a hyperconnected world, so it is essential to understand global efforts to protect cyberspace and to identify the challenges ahead. Cybersecurity is a strategic imperative for governments and for both critical and non-critical sectors of society. The current cyber landscape highlights the ongoing need to improve and adapt cybersecurity measures, and governments must evaluate their cybersecurity efforts in order to foster development in this field.

✅ According to the ITU's index, while a perfect score reflects a strong commitment, there is always more work to do on appropriate measures and responses.

The GCI highlights many countries' efforts across five fundamental pillars: legal, technical, organizational, capacity development and cooperation. Nations are expanding digital services and connecting people, but they still have work to do to integrate cybersecurity into their connectivity goals. Significant gaps exist in cyber capacity, along with challenges such as staffing, equipment and funding. Some countries are advancing in cybersecurity despite limited ICT development. According to the ICT Development Index (IDI), even countries with high ICT levels face the risk of an insecure cyberspace when cybersecurity resources are lacking, which affects resilience and reliability.
Legal frameworks

Many countries have implemented legal measures that address cybersecurity concerns, encompassing privacy, data protection and online criminal activity. The report emphasizes the need for greater harmonization between laws and regulations, such as alignment with the General Data Protection Regulation (GDPR) and international cybercrime treaties. This has led to the adoption or updating of measures written in technologically neutral language, which gives more flexibility in interpreting and aligning online and offline crimes and obligations. However, some countries show ambiguities in breach notification requirements and their application (for example in relation to the EU Cyber Resilience Act), and further effort is needed to ensure specificity and enforcement of legal and regulatory compliance.

✅ It should be noted that GDPR and similar laws have driven an increase in the number of countries with privacy laws and breach notification requirements. However, the trend has stabilized, and many countries still need to clarify their legal and regulatory frameworks regarding privacy, data protection and notification. These efforts can be complemented by capacity development to ensure that the relevant stakeholders are well trained and aware of current cybersecurity threats.

Technical measures

A solid cybersecurity foundation requires a combination of competent people, well-documented processes and procedures, and technology. There is still disparity in the implementation of technical measures to support cybersecurity efforts. Computer Security Incident Response Teams (CSIRTs) are essential for detecting, preventing, responding to and mitigating cyber threats. They function as national and international focal points, promoting a culture of disclosure, awareness and training. While less common, sectoral CSIRTs play a critical role, particularly at the regional level, allowing resources to be shared and joint efforts to be made to address common issues.
Each sector faces specific threats and needs, especially sectors that form part of critical infrastructure and their supply chains. People, processes, technology, information and environments enable nations to prepare for, protect against and respond effectively to cyber incidents. However, implementing sectoral CSIRTs is hampered by a lack of resources and capabilities in several countries. Low-income countries and small island states focus on developing national CSIRTs; as ICT infrastructure advances, sectoral needs can be addressed at the national level or through regional CSIRTs. Conducting cybersecurity drills and exercises with the participation of all stakeholders is also essential.

Organizational measures

Greater coordination and alignment are needed to shape more inclusive, data-driven national cybersecurity initiatives. A country's cybersecurity posture requires strong organizational measures to guide it effectively. Countries are showing significant progress with clear strategic objectives, action plans, execution and measurement. The GCI highlights that without a well-defined network of partners working collaboratively with industry, civil society and academia, efforts across sectors and industries become fragmented and uncoordinated, hindering national harmonization of cybersecurity development. National Cybersecurity Strategies (NCS) have become an increasingly common tool for governments to organize around cybersecurity, as they work to develop clear metrics and measures to track cybersecurity outcomes at the national level, including in-depth tracking of cybersecurity inputs such as audits. Translating these parameters into policy and enforcement requires clear roles and responsibilities, as well as responsive organizational frameworks. Existing strategies also need to be reviewed and updated.
The breadth and depth of an NCS vary considerably, but in some countries they at least stipulate cybersecurity of critical infrastructure, lifecycle management principles, stakeholder engagement and an action plan. "Having an action plan does not guarantee that all best practices are prioritized or incorporated." The report notes that practices such as stakeholder engagement and lifecycle management tend to be applied only at the beginning or the end of the NCS, and recommends integrating them throughout the strategy's lifecycle. Otherwise, the valuable input that stakeholders bring to aligning on key priorities and spotting opportunities for adaptation, which keeps the strategy relevant, sustainable and effective, is lost. The GCI highlights that audits are a common practice for assessing cybersecurity and cyber risk, yet many countries do not include them in their action plans. Efforts on critical infrastructure also often lack legal backing. It also underscores that cybersecurity professionals are well trained to manage risks and respond to incidents: many countries have national systems and responsible bodies that provide specific training in this field.

Online child protection strategies and initiatives remain limited. Child protection in the digital environment is a fundamental aspect of public policy and requires collaboration across society. Although many laws already include measures against cybercrime and sexual exploitation, only a few countries have comprehensive child protection strategies that include awareness campaigns for educators, law enforcement and reporting channels, supporting children and young people in their digital journeys and helping them understand online risks. As children access the internet, it is necessary to protect and empower them so that they become active participants in creating a safe and trustworthy cyberspace.
Capacity development

Training and awareness efforts are crucial to building a strong Cyber Security ecosystem. Countries risk eroding progress towards full and universal connectivity if they do not support capacity building and awareness in this area. Most countries engage in capacity development activities, mostly through awareness campaigns. Furthermore, countries are moving towards developing and enhancing qualified talent in the industry. The private and public sectors, the education system and research and development (R&D) spaces all form part of efforts to promote national training. Countries increasingly target specific demographic groups in their awareness campaigns. Building a Cyber Security culture is a constant challenge for all countries. Awareness campaigns are developed or supported to inform users and change their behavior.

✅ The GCI emphasizes that targeted campaigns are essential to identify and educate about Cybersecurity threats. However, their effectiveness depends on the metrics used to measure their impact, especially on social media. Superficial metrics such as "likes" and shares do not accurately reflect true reach. It is necessary to adopt human-centered approaches that address people's specific concerns and challenges in navigating cyberspace safely. This includes tailoring campaigns to diverse audiences and considering cultural and socioeconomic factors. Prioritizing meaningful engagement and behavioral outcomes over superficial metrics makes for campaigns that truly empower people and contribute to a safer online environment for all. There is still a lack of Cyber Security skills development programs at all educational levels, which poses a challenge.

Collaboration and public-private cooperation

Given that Cybersecurity is transnational, an effective response requires cooperation and collaboration between the public, private and governmental sectors.
Furthermore, efforts have increased in the context of international, regional and sectoral Cybersecurity agreements. However, many countries are not party to these agreements due to conflicts, a lack of human resources or unclear benefits.

"Operationalization and impact of agreements and frameworks remain a challenge."

Collaboration with the private sector offers governments the opportunity to leverage its knowledge and expertise to enhance Cybersecurity. Nearly half of countries have interagency cybersecurity processes within their governments. However, collaboration with the private sector is less common: fewer than half of countries are involved in public-private partnerships with national or foreign companies. Cyber Security efforts should not be fragmented, disconnected and frustrating; it is a complex and interconnected problem that demands a holistic, comprehensive and cross-cutting approach.

"The success of agreements, alliances and processes depends on whether they go beyond paper and into action."

Promoting information sharing, capacity building and joint threat assessments allows the international community to address the evolving cyber landscape more effectively, including the growing intersection of cybersecurity and AI. Building national collaboration remains an area for improvement. Cybersecurity is more than a matter of hardware or software; coordination among competent national actors is essential for achieving coherent commitments. There are encouraging advances, as responsible agencies can help drive more cohesive and collaborative cybersecurity approaches.

◾ Download the full report: Global Cybersecurity Index 2024 →

Image: Wirestock / Freepik.
September 18, 2024
Cyber Security
Fourth and nth party risk
Situational context of fourth-party risk

Due to today's hyper-connectivity, the business ecosystem is converging on a latent and complex reality in which risk management extends to third, fourth and nth parties and becomes the cornerstone of corporate resilience. Many organizations focus their efforts on protecting their own systems, infrastructure, technology and cyber architecture. But the reality is that the real risk often resides in the parts of our attack surface and cyber exposure that are invisible and unmonitored; and even when we have visibility, on many occasions we do not have full control to apply actions that minimize exposure. A single vulnerability in one supplier can expose your entire organization to catastrophic consequences.

Risk management in the supply chain

Are you aware of the extent to which your suppliers are integrated into your operations? Have you considered the cascading effects of a cyber disruption to one of your suppliers' systems? Did you know that the effects can be equal or opposite in proportion? As we delve deeper into the complexities of risk management, it becomes clear that safeguarding your organization requires a holistic approach, rigorously assessing and mitigating risks throughout the supply chain. Bear in mind that your suppliers are likely to be outsourcing critical activities to other suppliers. It is all part of cross-functional operations: just as we want to drive cost efficiencies and improve our management, so do our suppliers. However, your suppliers' contracts with third parties introduce additional operational, legal, strategic, financial, cybersecurity and compliance risks for your company. A breach can trigger a cascade of regulatory fines, damage customer confidence and cause significant financial losses. Before going into the details, it is worth noting that this scope encompasses both our suppliers' suppliers and those that subcontract services without our control and visibility.
This vast, intricate and complex web of interrelated business relationships represents a major threat. Lack of awareness of the risks that exist within this network leaves your organization vulnerable.

What is Fourth Party Risk Management (FPRM)?

Fourth Party Risk Management (FPRM) is the process of identifying, assessing and reducing the cybersecurity risks presented by your third-party vendors' own suppliers. As digital transformation blurs the lines between IT ecosystems, any of your suppliers could become a hotspot of vulnerability and potential systemic cybersecurity risk. Despite awareness of third-party risks, fourth-party risks are often overlooked. This negligence creates vulnerabilities because organizations may not be fully aware of, let alone manage, the security practices of their third-party vendors' suppliers. This risk management is essential because it addresses the often overlooked vulnerabilities that can arise from an organization's extensive network of third-party vendors. When an organization partners with a third party, it implicitly relies on that entity's security measures. However, the third party may in turn rely on other "fourth-party" providers for its operations.

⚠️ If these fourth parties have inadequate security practices, they can introduce significant risks into the parent organization's network. This extended chain of trust can become a pathway for cyber threats, data breaches and other security incidents.

✅ It is therefore essential to manage and mitigate risks not only from direct suppliers but also from their vendors.

Data protection and compliance

In addition, regulatory compliance and data privacy laws are becoming increasingly stringent, requiring organizations to ensure robust security throughout their supply chain. Failure to manage third-party risks can result in regulatory penalties, legal liabilities and reputational damage.
By implementing a comprehensive fourth-party risk management program, organizations can gain better visibility into their entire supply chain, identify potential vulnerabilities and enforce strict security standards at all levels of their supplier network. This proactive approach not only strengthens the organization's overall security posture, but also helps maintain compliance and build trust with customers and stakeholders.

✅ Keep in mind that the difference between third-party risk management and fourth- and nth-party risk management lies in the scope and focus of the entities being managed and assessed for security risks.

Third- and fourth-party risk management

Third Party Risk Management (TPRM) focuses on identifying, assessing and mitigating the risks associated with third-party vendors, suppliers or service providers with whom a company has a direct relationship. The main objective is to ensure that these external entities comply with regulatory requirements, respect contractual obligations and do not introduce vulnerabilities into the company's operations. TPRM involves activities such as due diligence, regular monitoring, audits and the implementation of controls to manage risks related to the data security, financial stability and operational performance of third parties. In contrast, Fourth Party Risk Management (FPRM) extends this oversight to the third parties' own subcontractors or service providers, managing the risks introduced by the extended supply chain. These fourth parties, although not directly contracted by the parent company, can significantly affect its operations and risk profile.

✅ Managing fourth-party risk requires visibility into the risk management practices of the third parties and often involves obtaining assurances that these downstream entities also adhere to strict standards.
This level of risk management ensures a more comprehensive approach to securing the supply chain and mitigating potential disruptions or compliance issues arising from indirect relationships.

Geopolitics and cyber diplomacy influence the management of fourth-party risks

Geopolitics and cyber diplomacy are integral to the cross-border and transnational management of fourth-party risks, as they shape regulatory environments, influence international cybersecurity cooperation and affect the activities of cyber threat actors. By navigating geopolitical complexities, engaging in cyber diplomacy efforts and staying informed about the global cyber threat landscape, organizations can improve their resilience in the face of transnational cyber risks. This global approach is essential to safeguard the security and integrity of their extended supply chains in an interconnected and dynamic global environment. Fourth-party risks are especially insidious because they are often several levels removed from your direct control. These risks originate from your suppliers' suppliers, entities with which you may have no direct communication or oversight. This complexity creates a scenario in which the security measures of a seemingly distant supplier can directly affect your organization's security posture.

✅ Consider the scenario in which a fourth-party supplier handles critical data or services. If this entity suffers a breach, the impact reverberates through the supply chain, potentially disrupting operations and exposing sensitive information. This interconnected network means your security is only as strong as the weakest link in your extended network.

Fourth-party risk mitigation

To mitigate fourth-party risks, organizations must implement both proactive and reactive measures. Proactively, this involves rigorous vetting of third-party suppliers, requiring them to disclose their own supply chain security practices and measures.
Ongoing monitoring and periodic audits of these practices ensure that your suppliers maintain the highest security standards. Reactive measures are equally important. It is essential to develop a robust incident response plan that includes protocols for third-party and fourth-party breaches. This plan should outline clear communication channels, steps to mitigate damage, and procedures for notifying stakeholders and regulatory agencies.

"A robust incident response plan should include protocols for breaches by third and fourth parties."

Conclusion

As the cyber threat landscape evolves, so must risk management practices. Future trends indicate a growing emphasis on collaborative defense strategies, where industries work together to share threat intelligence and best practices. In addition, regulatory requirements are becoming increasingly stringent, demanding greater transparency and accountability from organizations regarding their supply chain security measures.

Image: Drazen Zigic / Freepik.
September 11, 2024
Cyber Security
Systemic Cyber Risk: Threatening organizations and society
Situational context of systemic cyber risk

In the cybersecurity landscape, navigating systemic risks requires a delicate balance between foresight and preparedness, a balance that can define survival or catastrophe for industries across the board. In the digital age, information and communication technologies (ICTs) support complex systems used in everyday activities. They keep our economies running in key sectors and industries (agriculture, manufacturing, automotive, energy, hospitality, finance, health, education, maritime, air, space and land transportation), improving the functioning of the global marketplace day by day. Increased digitization and interconnectedness also amplify ICT-related risk, making society as a whole, and individual sectors and industries, more vulnerable to cyber threats or ICT disruptions. While the widespread use of ICT systems and high digitization and connectivity are now key features of global socio-economic activity, organizations still need to better address and integrate digital resilience into their operations.

Systemic cyber risk: what is it?

Against this backdrop, and adapting the definition of systemic risk that the G10 gave in 2001 for the financial sector, systemic cyber risk is the risk that a cyber event (an attack or other adverse event) on an individual component of a critical infrastructure ecosystem will cause significant delays, denials, failures, disruptions or losses, such that services are affected not only in the originating component, but the consequences also cascade to related (logically and/or geographically) components of the ecosystem, resulting in significant adverse effects on public health or safety, economic security or national security. The cascading effect refers to a process in which an initial failure or disruption in a system triggers an "equal or opposite" chain reaction of subsequent failures.
In systems where a small problem can propagate through interconnected components, the cascading effect may cause widespread and often unpredictable consequences. This concept is particularly relevant in highly interdependent environments where the malfunction of one element can compromise the entire system.

A successful strategy for cybercriminals

Cyberattacks often have a cascading effect on cybersecurity due to the intricate and interconnected nature of modern digital systems. These systems rely on a network of interdependent components, including hardware, software, networks and data storage, meaning that a breach or failure in one component can quickly affect the others. This interconnectedness creates multiple points of vulnerability, allowing a single attack to propagate through the system and cause widespread disruption. Looking back, there have been cyberattacks with a cascading effect, and the paradigmatic one is the WannaCry ransomware of May 2017. It exploited a vulnerability (CVE-2017-0144) in the SMBv1 implementation of the Microsoft Windows Server Message Block (SMB) protocol using an exploit called EternalBlue; Microsoft had patched the vulnerability in March 2017 (MS17-010), two months before the outbreak. Once the ransomware infected a single machine, it used this vulnerability to spread automatically to other vulnerable systems reachable over the network. Within hours the attack affected more than 360,000 devices in more than 180 countries around the world, amplifying its global impact. Systemic cyber risks loom as the interconnectedness of our digital ecosystems poses not only a threat, but a fundamental challenge to the resilience of global infrastructures. According to the World Economic Forum (WEF), it is crucial to understand that systemic risk is fundamentally different from non-systemic risk because of its broader and more complex consequences. Systemic risk involves failures that affect entire systems and not just individual parts or components.
These failures arise from the intricate web of connections, dependencies and interdependencies within a system, causing cascading and often unforeseen consequences. WannaCry also exposed systemic problems in cybersecurity practices, such as inadequate patch management, poor network segmentation and insufficient incident response strategies. These systemic weaknesses contributed to the rapid and widespread spread of the ransomware. The attack's ability to exploit such common weaknesses shows how systemic cyber risks can exploit structural vulnerabilities in interconnected systems.

✅ Addressing these risks requires a holistic approach to cybersecurity, covering robust prevention, proactive threat detection and comprehensive incident response.

The foundations of trust are challenged by systemic cyber risks

Systemic risks can occur suddenly and unexpectedly, or they can accumulate over time if there are no adequate technological or management policies in place to deal with them. In the latter case, even minor inflection points can combine to cause significant failures. For example, risks that materialize through threat vectors common to multiple enterprises and ecosystems can cause substantial aggregate effects, especially when the vulnerability is inherent in operations shared by all of them. In essence, the interconnected nature of modern systems means that risks affecting one party can spread rapidly, amplifying the overall impact. This interconnectedness requires global strategies to mitigate systemic risks, as their repercussions can be far-reaching and complex, affecting numerous entities simultaneously. In my day-to-day work managing this type of risk, I see that today's most significant risks are neither abstract nor remote, but immediate and impactful. The real economic and security impacts of materialized systemic risks typically arise from significant disruptions to confidence or certainty in critical services and data integrity.
These impacts manifest themselves through disruptions to operations and can lead to the incapacitation or destruction of physical assets. Systemic risks challenge the very foundation of trust that underpins economic and operational stability. When stakeholders lose confidence in the reliability of critical services or data integrity, it can trigger widespread panic, leading to significant economic repercussions and the destabilization of security frameworks. Amid the complexities of modern cyberwarfare, dealing with systemic risks is not just about defending data, but about safeguarding the very fabric of our interconnected economies and societies. These disruptions can cause a domino effect, where the initial loss of confidence or operational failure cascades through interconnected systems, exacerbating the overall impact. The incapacitation of physical assets further compounds the problem, as it not only disrupts ongoing operations but also undermines future recovery efforts. This interconnected fragility underscores the importance of robust risk management and resilience strategies to prevent small problems from becoming large-scale failures. In addition, the destruction or disabling of critical physical assets can have long-term detrimental effects, as rebuilding and restoring them requires considerable time and resources. This, in turn, affects supply chains, service delivery and overall economic stability.

✅ Addressing systemic risks therefore requires a holistic approach that takes into account the interdependencies of services, data integrity and physical assets to protect against pervasive and complex threats. Beyond mere risk minimization, it is essential to adopt proactive strategies that anticipate, adapt and respond effectively to systemic risks. This requires a robust framework focused on generating and sharing high-quality data and analytics.
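One piece of such analytics, added here as an illustration that is not part of the original posts, is to treat the chain of trust described in the fourth-party post above and the cascading effect defined in this one as a directed dependency graph: internal services depend on third parties, which depend on fourth parties, and a failure anywhere propagates back up the edges. The Python sketch below computes, for every external party, which internal services its failure reaches (its blast radius), its tier (third, fourth, nth), which parties we hold no assurance for, and which fourth parties are shared by several of our vendors. The supplier names, the graph and the list of assessed parties are constructed for the example; they are not real suppliers.

```python
"""Added example (not from the original posts): third-, fourth- and nth-party
dependencies as a directed graph, with cascading failure analysis.
All supplier names and relationships below are constructed for illustration."""
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

# DEPENDS_ON[x] = entities x relies on to operate. Internal services are "svc:*",
# directly contracted suppliers "vendor:*", their subcontractors "sub:*".
DEPENDS_ON: Dict[str, Set[str]] = {
    "svc:online-banking": {"vendor:cloud-host", "vendor:payments"},
    "svc:customer-support": {"vendor:crm"},
    "svc:payroll": {"vendor:hr-saas"},
    "vendor:cloud-host": {"sub:dns-provider"},
    "vendor:payments": {"sub:dns-provider", "sub:hsm-operator"},
    "vendor:crm": {"sub:email-relay"},
    "vendor:hr-saas": {"sub:email-relay", "sub:unknown-subcontractor"},
}
# Parties from which we hold some security assurance (contract clause, audit
# report, questionnaire). Every external party missing here is a blind spot.
ASSESSED: Set[str] = {"vendor:cloud-host", "vendor:payments", "vendor:crm",
                      "vendor:hr-saas", "sub:dns-provider"}


def dependents(depends_on: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Reverse the graph: who is affected when a given entity fails."""
    rev: Dict[str, Set[str]] = defaultdict(set)
    for node, deps in depends_on.items():
        for dep in deps:
            rev[dep].add(node)
    return rev


def cascade(origin: str, depends_on: Dict[str, Set[str]] = DEPENDS_ON) -> Dict[str, int]:
    """Breadth-first walk upstream from a failed entity; returns every entity
    disrupted by the failure together with the number of hops needed to reach it."""
    rev = dependents(depends_on)
    hops = {origin: 0}
    queue = deque([origin])
    while queue:
        node = queue.popleft()
        for up in rev.get(node, ()):
            if up not in hops:
                hops[up] = hops[node] + 1
                queue.append(up)
    return hops


def affected_services(origin: str, depends_on: Dict[str, Set[str]] = DEPENDS_ON) -> Set[str]:
    """Internal services that stop working if `origin` fails (the blast radius)."""
    return {n for n in cascade(origin, depends_on) if n.startswith("svc:")}


def tiers(depends_on: Dict[str, Set[str]] = DEPENDS_ON) -> Dict[str, int]:
    """Minimum hops from any internal service: 1 = third party, 2 = fourth, n = nth."""
    tier: Dict[str, int] = {}
    queue = deque()
    for node in depends_on:
        if node.startswith("svc:"):
            tier[node] = 0
            queue.append(node)
    while queue:
        node = queue.popleft()
        for dep in depends_on.get(node, ()):
            if dep not in tier:
                tier[dep] = tier[node] + 1
                queue.append(dep)
    return {n: t for n, t in tier.items() if t > 0}


def unassessed_parties(depends_on: Dict[str, Set[str]] = DEPENDS_ON,
                       assessed: Set[str] = ASSESSED) -> Set[str]:
    """External parties in the chain for which no assurance is held."""
    return {party for party in tiers(depends_on) if party not in assessed}


def ranked_single_points_of_failure(depends_on: Dict[str, Set[str]] = DEPENDS_ON
                                    ) -> List[Tuple[str, int, int]]:
    """(party, number of services hit by its failure, tier), most damaging first.
    A fourth party shared by several vendors shows up here even though no single
    vendor assessment would reveal the concentration."""
    rows = [(party, len(affected_services(party, depends_on)), tier)
            for party, tier in tiers(depends_on).items()]
    return sorted(rows, key=lambda r: (-r[1], r[2], r[0]))


if __name__ == "__main__":
    for party, hit, tier in ranked_single_points_of_failure():
        print(f"tier {tier}  {party:<26} services affected: {hit}")
    print("no assurance held for:", sorted(unassessed_parties()))
```

In the constructed graph the most damaging node is a fourth party (the shared e-mail relay): it takes down two internal services through two different vendors, yet it appears in no direct contract, which is exactly the concentration risk that third-party-only assessments miss. Feeding the same functions with a real inventory (from contracts, SBOM-style supplier disclosures or questionnaire answers) gives a list to prioritize assurance requests and incident-response contacts.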
By leveraging comprehensive data insights, organizations can better understand interconnected risks and vulnerabilities, enabling them to implement preventive measures and improve resilience. In addition, investing in "just-in-case" supply chains and "friend-shoring" strategies, where critical supplies and resources are diversified across reliable partners and regions, can reduce reliance on single sources and the likelihood of cascading disruptions. This approach not only strengthens operational continuity, but also fortifies the overall ecosystem against unforeseen disruptions.

✅ It is also paramount to integrate resilience into all facets of planning and decision-making. This involves building resilience considerations into strategic initiatives, operational frameworks and technology investments. By design, resilient systems are adaptable and can withstand shocks, enabling organizations to maintain essential services and operations amid changing threats. Emphasizing scalability ensures that resilience measures can adapt effectively to growth and changing risk scenarios, safeguarding long-term stability and sustainability. Ultimately, an anticipatory and adaptive approach enables organizations to navigate the complexities and uncertainties inherent in systemic risks, fostering agility and resilience in an increasingly interconnected global environment.

✅ The European Union (EU) has put in place several strategies and regulations to address systemic risk in organizations, focusing on improving the cybersecurity, data protection and cyber resilience of critical infrastructure; we have seen this in various regulations, but the major focus now is on DORA and NIS2. By implementing these measures, the EU aims to create a resilient digital ecosystem that can effectively mitigate systemic risks.
These initiatives improve the cybersecurity posture of organizations, ensure the protection of critical infrastructure and encourage a collaborative approach to addressing emerging threats, thereby reducing the potential for widespread disruption.

Image: rawpixel.com / Freepik.
August 26, 2024
Cyber Security
Sustainable and adaptive Cyber Security investments
Transforming the cyber investment model

As organizations navigate the complexities of cyber threats, the right balance between investment and risk mitigation emerges as a key determinant of cyber security resilience. Your organization has experienced an increase in cyber threats and recognizes the need to strengthen its cyber security measures. The management team is concerned about potential financial losses, reputational damage and regulatory penalties in the event of a security breach. One deficiency that has been found is obsolete network security equipment: three years ago the manufacturer announced that this equipment would go out of support within six months, so there are no longer any compensating security measures that justify keeping it in the infrastructure and technology architecture. Corporate governance is therefore requesting an evaluation of the investments to be made and of how the resources will be managed. What criteria should be considered and established in the acquisition process? Imagine that you have received six proposals from various suppliers, and that two offers have caught your attention, costing 45,000 and 57,000 euros. Do you consider that those criteria are enough to support your decision in the report you have to present? If you do, I would tell you that it is not the right way to go. Your analysis should have been more comprehensive, not only focused on cost but going beyond it. That is why I will help you here to evaluate an investment with a sustainable and adaptive approach to Cyber Security. An organization's cyber security posture is only as strong as its weakest link; therefore, strategic resource management extends beyond finances to include personnel, training and technology infrastructure. Investment in cyber security should be a priority for organizations.
Despite the difficulty of calculating its exact financial return (as with any investment in security, whatever its type), given the increasing frequency of cyberattacks and the great impact they have both on the service provided and on safeguarding the information and reputation of the organization itself, there should be no doubt about making it. The dynamic nature of cyberthreats requires continuous reflection on the adequacy and adaptability of cyber security measures, pushing organizations to regularly reassess their investment strategies. Gartner defines Total Cost of Ownership (TCO) as a comprehensive assessment of information technology (IT) or other costs across company boundaries over time. For IT, TCO includes hardware and software acquisition, management and support, communications, end-user expenses, and the opportunity cost of downtime, training and other productivity losses. TCO is a framework designed to help evaluate the overall costs associated with the acquisition of any IT asset. Rather than focusing solely on the initial purchase price, as when purchasing a firewall, this model encourages a comprehensive evaluation. This includes considering not only the cost of the equipment itself, but also other elements such as moving expenses, space requirements, power consumption, implementation costs, maintenance costs and personnel-related costs. The model facilitates more informed investment decisions by weighing and aggregating these various costs, providing a holistic view of the true cost of an IT asset over its entire lifecycle. Beyond the traditional metrics of monetary cost, the true value of cyber security investments lies in mitigating reputational damage, preserving customer confidence and avoiding regulatory sanctions.
In my day-to-day work helping organizations, I use financial indicators that treat Cyber Security as an investment, in order to evaluate whether its profitability is positive or negative and how security can be viewed. Some of these indicators are:

Return on investment (ROI): benefits plus cost savings as a proportion of expenditure.
Return on security investment (ROSI): security benefits plus cost savings (reduced incident losses) as a proportion of security expenditure.
Internal rate of return (IRR): calculated over several years, e.g. 5 years. It is the discount rate at which the investment's net present value is zero, and it is used to determine whether it would have been better to put the money in a remunerated financial asset.
Net present value (NPV): also calculated over a few years, e.g. 5. It estimates the value of the investment after discounting future cash flows for the time value of money, for example the effect of inflation or the cost of capital.

In practice, calculating Cyber Security investments involves a structured approach to assessing the costs associated with implementing and maintaining the various cyber security measures. While the specific calculations may vary depending on the size of the organization, the industry and the risk profile, the following general steps guide the process:

1. Conduct a risk assessment. Identify and assess potential Cyber Security risks to the organization. Quantify the potential impact and likelihood of the various threats and vulnerabilities.
2. Define security objectives. Clearly outline the organization's security objectives based on the identified risks. Determine the level of security required for the different assets and information systems.
3. Determine the required security controls. Identify and prioritize the security controls and technologies needed to mitigate the identified risks. Consider industry best practices, regulatory requirements and the specific needs of the organization.
4. Estimate implementation costs. Estimate the initial costs associated with implementing the selected security controls. Include costs for hardware, software, licenses, training and any external consulting services.
5. Consider operational costs. Consider ongoing operational costs such as maintenance, upgrades, monitoring and personnel. Calculate the cost of periodic security audits, assessments and training programs.
6. Assess potential cost savings. Evaluate the potential cost savings from improved security, such as reduced incidents, downtime and legal consequences. Consider the impact on organizational reputation and customer confidence.
7. Calculate return on investment (ROI). Compare the estimated costs with the potential benefits and savings. Calculate ROI by dividing the net gain (benefits minus costs) by the initial investment and multiplying by 100 to obtain a percentage: ROI = (Savings on investment - Cost of investment) / Cost of investment * 100%.
8. Consider the value of information assets. Assess the value of the information assets to be protected. Prioritize investments according to the criticality and sensitivity of these assets.
9. Align with business objectives. Ensure that Cyber Security investments are aligned with overall business objectives. Prioritize investments that directly contribute to achieving strategic objectives.
10. Review and adjust regularly. Regularly review and adjust Cyber Security investments based on changes in the threat landscape, technology and business environment. Take into account the results of security audits, incidents and the effectiveness of existing measures.

Conclusion

The intricate landscape of Cyber Security investment and resource management requires an astute understanding of the dynamic interplay between financial considerations, risk mitigation and strategic resilience.
The analysis underscores that effective Cyber Security measures transcend mere economic investment; they require the judicious allocation of financial and non-financial resources. Organizations must reflect on the holistic nature of cyber security, recognizing it as a continuous and evolving process that requires strategic foresight, adaptability and collaboration across all facets of the enterprise. In the ever-evolving digital realm, thinking about cyber security investment and resource management serves as a compass that guides organizations toward a balanced and sustainable security posture. The effectiveness of these measures lies not solely in the monetary numbers, but in the strategic alignment of investments with organizational goals, the ability to adapt to emerging threats and the cultivation of a resilient cyber security culture. Looking ahead, organizations that take a holistic approach to Cyber Security, integrating it seamlessly into their business strategy, will be better positioned to navigate the complexities of an evolving digital landscape with confidence and foresight. Measuring cyber risk enables organizations to systematically assess and address emerging threats in a structured way.
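To make the indicators and steps of this post concrete, here is an added worked example in Python; it is not code from the original article. It runs TCO, ROSI, NPV, IRR and simple payback over the two offers from the opening scenario (45,000 and 57,000 euros). The risk figures standing in for the output of steps 1 to 6 (single loss expectancy, annual rate of occurrence before and after the control, operating costs, discount rate and horizon) are hypothetical placeholders, and all function and variable names are my own.

```python
"""Added worked example (not from the original article): scoring two offers with
the indicators listed above (TCO, ROSI, NPV, IRR, payback). Every figure is
constructed for illustration; replace it with your own risk assessment."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Scenario:
    sle: float            # single loss expectancy: cost of one breach through the perimeter
    aro_before: float     # annual rate of occurrence with the unsupported equipment
    discount_rate: float  # cost of capital used to discount future cash flows
    years: int = 5        # evaluation horizon


@dataclass(frozen=True)
class Proposal:
    name: str
    purchase: float       # year-0 outlay: hardware, licences, implementation (step 4)
    annual_opex: float    # maintenance, support, power, personnel per year (step 5)
    aro_after: float      # expected breach frequency once the control is in place


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy = single loss expectancy x annual rate of occurrence."""
    return sle * aro


def annual_benefit(p: Proposal, s: Scenario) -> float:
    """Avoided losses per year (step 6) minus the control's running costs."""
    return ale(s.sle, s.aro_before) - ale(s.sle, p.aro_after) - p.annual_opex


def cash_flows(p: Proposal, s: Scenario) -> List[float]:
    """Year-0 outlay followed by one net benefit per year of the horizon."""
    return [-p.purchase] + [annual_benefit(p, s)] * s.years


def tco(p: Proposal, s: Scenario) -> float:
    """Total cost of ownership over the horizon: purchase plus yearly running costs."""
    return p.purchase + p.annual_opex * s.years


def rosi(p: Proposal, s: Scenario) -> float:
    """(avoided losses - cost) / cost over the horizon, in percent."""
    avoided = (ale(s.sle, s.aro_before) - ale(s.sle, p.aro_after)) * s.years
    return (avoided - tco(p, s)) / tco(p, s) * 100


def npv(rate: float, flows: List[float]) -> float:
    """Net present value: each year's flow discounted back to year 0."""
    return sum(cf / (1 + rate) ** t for t, cf in enumerate(flows))


def irr(flows: List[float], lo: float = -0.9, hi: float = 10.0) -> Optional[float]:
    """Discount rate at which NPV is zero, found by bisection. Returns None when
    the investment never pays back (e.g. running costs exceed the avoided losses)."""
    f_lo, f_hi = npv(lo, flows), npv(hi, flows)
    if f_lo * f_hi > 0:
        return None
    for _ in range(100):
        mid = (lo + hi) / 2
        f_mid = npv(mid, flows)
        if f_lo * f_mid <= 0:
            hi = mid
        else:
            lo, f_lo = mid, f_mid
    return (lo + hi) / 2


def payback_years(p: Proposal, s: Scenario) -> Optional[float]:
    """Simple payback: years of net benefit needed to recover the outlay."""
    benefit = annual_benefit(p, s)
    return p.purchase / benefit if benefit > 0 else None


def evaluate(p: Proposal, s: Scenario) -> Dict[str, Optional[float]]:
    flows = cash_flows(p, s)
    return {"tco": tco(p, s), "rosi_pct": rosi(p, s), "npv": npv(s.discount_rate, flows),
            "irr": irr(flows), "payback_years": payback_years(p, s)}


def recommend(proposals: List[Proposal], s: Scenario) -> str:
    """Choose by NPV (absolute value created), not by sticker price or ROSI percentage."""
    return max(proposals, key=lambda p: npv(s.discount_rate, cash_flows(p, s))).name


# Constructed inputs: the two offers from the scenario (45,000 and 57,000 EUR) plus
# hypothetical risk figures standing in for the output of steps 1 to 3.
SCENARIO = Scenario(sle=250_000, aro_before=0.30, discount_rate=0.08)
PROPOSAL_A = Proposal("A (45k)", purchase=45_000, annual_opex=9_000, aro_after=0.12)
PROPOSAL_B = Proposal("B (57k)", purchase=57_000, annual_opex=11_000, aro_after=0.08)

if __name__ == "__main__":
    for p in (PROPOSAL_A, PROPOSAL_B):
        print(p.name, {k: (round(v, 2) if v is not None else None)
                       for k, v in evaluate(p, SCENARIO).items()})
    print("Recommended by NPV:", recommend([PROPOSAL_A, PROPOSAL_B], SCENARIO))
```

With these placeholder figures the cheaper offer wins on sticker price and even on ROSI percentage, while the more expensive one creates more absolute value (NPV) over the five-year horizon, which is why cost alone is the wrong criterion for the report. Both IRRs are far above what a remunerated financial asset would return, the comparison that indicator exists for; and the `None` returned by `irr` and `payback_years` covers the case of a control whose running costs exceed the losses it avoids, i.e. one that never pays back.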
February 5, 2024
Cyber Security
How to achieve strategic management of Cyber Security investments
Investing more money can improve your protection, while saving money can make you less secure. However, throwing money at the problem does not guarantee a perfect defense. Numerous organizations have tried this approach and, despite increased spending, have not achieved foolproof protection. In fact, some are experiencing negative consequences that hinder their operational effectiveness. How can organizations find the right balance between investment and effectiveness in improving their cyber security posture? In my constant interaction with the corporate governance boards of organizations, companies and countries around the world, managers and decision makers bring their concerns to me:

How do we improve our budget?
How do we transform our cyber security posture?
How do we allocate a budget for cyber security?
How do we make sustainable and adaptive investments for our business-aligned cyber security strategy?

As well as the phrase: "We already have a cyber security program, but we don't know what to do." Many biases and myths converge in how cyber security leaders communicate about this, as it has shifted from a technical problem to a business challenge. One then wonders: how can boards of directors better understand Cyber Security management as a business problem, and how can executives effectively guide cyber investment decisions within the framework of business considerations? Cyber Security officers and technology solutions are not a magic wand or a beacon of fleeting wishful thinking; the big reality is poor management of cybersecurity investments. CISOs must be agnostic towards vendors and technology solutions and stop selling the discourse that compliance is Cyber Security; these are realities that require getting into the nitty-gritty of day-to-day practice, as many organizations have had to swallow the bitter pill of poor investment decisions.
A frequent question is: why do organizations not run cyber exercises and tabletop exercises (TTX)? And why do they turn to them only once a disruption is already under way? Adopting these practices directly improves the security posture and shows where to focus resources and effort.

In board decision making, cyber security requires a balance between cost and opportunity, yet a human curtain is often drawn because the issues are not clear and basic questions remain open: Where do we focus resources? What are the priority needs? To what extent is the current investment in cyber security aligned with the overall business strategy and objectives? How does the organization balance investment in preventive measures against detection and response capabilities? How can it improve its ability to detect and respond to advanced and persistent threats?

The cost is not only monetary. Even where resources are scarce, the investment required spans a broader set of resources than money, and the complexity of cyber security demands a nuanced understanding of those costs and a strategic allocation of all finite resources.

Strategic cyber security to maintain a resilient and enduring security posture

The data on the rise of cybercrime and cyber attacks is overwhelming and calls into question the trust on which the digital world and economy must be built.
Organizations must therefore rethink their approach so that investments converge on a sustainable cyber environment: the establishment and maintenance of a resilient, enduring security posture that adapts to evolving threats, technological change and organizational dynamics over the long term. This goes beyond merely reacting to immediate threats and focuses on building a robust, durable security framework.

✅ Sustainable cyber security is a holistic strategy that takes environmental, social, economic and technological factors into account to ensure the long-term viability of an organization's security effort. This is where strategic cyber security, a proactive and comprehensive approach to protecting information systems, networks and data against cyber threats, becomes important. It involves developing and implementing a long-term plan aligned with the organization's overall business strategy and objectives. Its goal is not only to prevent and respond to immediate threats but to build a cyber resilient digital ecosystem that adapts to evolving cyber risk. How does the organization ensure that its cyber security plan is strategically aligned with business objectives, and how does that alignment contribute to its resilience in the face of cyber threats?

◾ According to the Spanish National Cybersecurity Institute (INCIBE), a cyber security program or master plan is a comprehensive, structured set of activities, initiatives and measures designed to protect an organization's information systems, networks, data and digital assets against cyber threats. It covers the strategic planning, implementation and management of cyber security measures to ensure the confidentiality, integrity and availability of information.
Its design must be aligned with the organization's strategic objectives and take into account the environment, processes, technologies, people and information. It sets out actions based on a retrospective, prospective and panoramic situational analysis to improve the organization's security posture and profile. Because those actions span the short, medium and long term, they require commitment from the whole organization. The program or plan must not be allowed to die: it must be kept alive, dynamic, adaptive and sustainable.

Unified and resilient defense against cyber threats

A cyber security program is not a one-time effort but an ongoing initiative that adapts to changes in the threat landscape, in technology and in the organization itself. It requires collaboration across departments and levels of the organization to create a unified, resilient defense. Its ultimate goal is to reduce the organization's risk exposure, protect sensitive information and ensure continuity of business operations in the face of cyber security challenges.

If you intend to rethink and consolidate the investment and management of your cyber security strategy, do not think twice. But bear in mind first that every organization's program is unique and depends on:

The type and size of the organization.
Its complexity.
Its systemic importance.
Its risk profile.
Its governance model.
Its technological and cyber maturity.
The legal and regulatory context.
The nature and type of information it manages.
Other organizational factors.

At the business level, cyber security transcends technical considerations: it is a strategic business decision.
The primary objective of a security program is not the unattainable goal of preventing every cyber attack. It lies in striking a balance between safeguarding assets and keeping business operations running in a cyber resilient way. The optimal level of security is one that can be justified and defended to key stakeholders, whether citizens, customers, shareholders or regulators. The aim is to align security measures with the needs of the business, recognizing that a pragmatic balance is what allows an organization to navigate a complex digital landscape.

Results-oriented investment

Today's discussion should be about results-oriented investment, not investment in tools and capabilities for their own sake. Cyber maturity is a question of right-sizing strategic, operational and tactical cyber security capabilities.

In conclusion, cyber security investment calls for a nuanced, strategic approach that goes beyond financial considerations. The effectiveness of security measures is not determined by the amount of money invested but by a holistic, well-thought-out strategy. Organizations need to account for the dynamic nature of cyber threats, the evolving technology landscape and the need for continuous adaptation. In resource management, the key is to optimize the allocation of financial and non-financial resources. Cyber security is not a mere expense; it is an essential investment in the integrity of the organization, its reputation and the trust of its stakeholders. Striking a balance between fiscal responsibility and strategic resource allocation is paramount. Organizations that approach cyber security investment with foresight, adaptability and a thorough understanding of their risks will be better positioned to navigate the complexities of the cyber landscape.
January 15, 2024
Cyber Security
AI & Data
Metaverse (II): the challenge of building a virtual space that is secure, inclusive and beneficial to everyone
As we saw in the previous article of this series, the impact of the metaverse on disinformation, child safety, its own evolution and its potential to spread discrimination and inequality will depend on how the technology is developed, regulated and used by individuals and organisations. Many uncertainties remain: Will the metaverse produce misinformation? Will children be safe from inappropriate content? Will games and pornography drive its evolution? Will it increase discrimination and inequality? We do not know, but some issues should be addressed proactively to ensure the metaverse is a safe, inclusive and beneficial space for all:

Disinformation: the metaverse can create new opportunities for spreading false information and fake news, especially in virtual social environments where people interact and share information. However, it may also offer new tools and techniques for verifying information, checking facts and combating disinformation.

Child safety: the metaverse presents new risks and challenges, especially in terms of inappropriate content, cyberbullying and online grooming. However, it is also likely to offer new safety tools, such as virtual safety filters, parental controls and moderation tools.

Evolution: gaming and pornography are likely to keep driving development, given the popularity of these industries and their current presence in virtual environments. However, other industries and applications, such as education, healthcare and business, are also likely to emerge and could shape the metaverse in different ways.

Discrimination and inequality: the metaverse may exacerbate existing problems, especially if the technology is not designed with diversity, equity and inclusion in mind.
Nevertheless, the metaverse may also offer new opportunities for people to connect, collaborate and learn from each other regardless of background or identity.

Most significant potential impacts of the metaverse

The impact of technological and cyber risks in the metaverse can be significant and far-reaching. Some of the potential impacts:

Loss of privacy and data security: if personal data is compromised, it could lead to identity theft, financial fraud and other malicious activity, with serious consequences for individuals and businesses.

Financial losses: cyber attacks that steal assets or virtual currencies could cause significant financial losses for individuals and businesses operating in the metaverse.

Reputational damage: if a company's or individual's virtual presence is hacked or compromised, it could damage their reputation and the trust of followers and customers.

Health problems: addiction to the metaverse and overuse of virtual reality technology could lead to physical and mental health problems such as eye strain, headaches and social isolation.

Limits on innovation and creativity: if the metaverse becomes centralised and controlled by a few powerful entities, it could stifle innovation, creativity and the potential of the virtual world.

These impacts could be significant and require proactive measures to address and prevent them. As the metaverse becomes more pervasive, it will be essential to implement robust security protocols and regulation to ensure a safe and positive experience for all users.
Mitigating risks and minimising their impact

As experts point out, these risks affect not only individuals but also businesses, governments and society as a whole. Beyond the impacts already mentioned, technological and cyber risks in the metaverse include identity theft, cyberbullying and exposure to harmful content. They can also erode trust in the metaverse and hinder its adoption and growth.

The interconnected nature of the metaverse can amplify the impact of cyber attacks, potentially affecting multiple users and platforms simultaneously. The complexity of its technological infrastructure and the rapid pace of innovation and development may also pose significant new challenges for cyber security.

Conclusion

To mitigate these risks and minimise their impact, organisations and individuals must take proactive steps to secure their data and interactions in the metaverse. This includes implementing robust cyber security measures, promoting digital literacy and awareness, and adopting ethical and responsible practices. The impact of technological and cyber risks in the metaverse therefore highlights the importance of prioritising cyber security and privacy in the development and use of virtual environments.
April 19, 2023
Cyber Security
AI & Data
Metaverse (I): threats in an immersive, multi-sensory environment
While discussion of and excitement about the metaverse are growing, there is also doubt, fear, concern and uncertainty about the risks of an environment where the boundary between the physical and virtual worlds will become increasingly blurred. Put simply, the metaverse can be thought of as the next iteration of the internet, which began as a set of independent, isolated online destinations and over time evolved into a shared virtual space. Gartner describes it as "a shared virtual collective space created by the convergence of physical and enhanced digital reality".

Is the metaverse betting on Cyber Security?

The World Economic Forum (WEF) describes the metaverse as a persistent, interconnected virtual environment in which social and economic elements mirror reality. Users interact with it and with each other through immersive devices and technologies, and also interact with digital assets and property. The metaverse is device-independent and is not owned by a single provider. It is an independent virtual economy enabled by digital currencies and non-fungible tokens (NFTs). As a combinatorial innovation, it depends on multiple technologies and trends being applied together: virtual reality (VR), augmented reality (AR), flexible work styles, head-mounted displays (HMDs), cloud, the Internet of Things (IoT), 5G connectivity and programmable networks, Artificial Intelligence (AI) and, of course, cyber security.

Challenges of the metaverse for organisations

The cyber security challenges organisations face when operating in the metaverse have significant implications for the security and privacy of their assets and users. They include:

Theft of virtual assets, which can cause significant financial losses for organisations.
Identity theft, which can compromise sensitive information and resources.
Malware that can infect entire virtual environments, causing widespread damage.
Social engineering that tricks users into revealing confidential information or performing unauthorised actions.
Lack of standardisation, which makes it difficult for organisations to develop consistent security protocols and ensure interoperability between virtual environments.
The novelty of the metaverse and low user security awareness, which lead to poor security practices and greater exposure to cyber attacks.

The Metaverse Alliance notes that in traditional internet use, users do not have a complete digital identity of their own. Instead they hand their personal information to websites and applications, which can use it for many purposes, including making money from it. In the metaverse, users will need a single, complete digital identity that they control and can use across platforms, which will require new systems and rules to protect their privacy and security. In short, users need to own and control their digital identity rather than leaving it to third-party websites and applications. It is worrying that most internet users have no digital identity of their own today.

Understanding the new virtual environment and its risks

Statista expects the metaverse market to grow significantly in the coming years, with revenues growing at a compound annual growth rate (CAGR) of more than 40% between 2021 and 2025. It expects growth to be driven by increasing adoption of virtual and augmented reality (VR and AR), with the gaming and eSports industries dominating, and by growing interest in virtual social experiences.
In the aftermath of the Covid-19 pandemic the shift to digital and virtual experiences has accelerated, further driving growth in the metaverse market. These forecasts present significant opportunities for companies and investors, particularly in entertainment and social networking. However, the market also poses challenges in regulation, cyber security and standardisation that must be addressed for sustainable growth.

The metaverse is not immune to cyberthreats

Like any technology, the metaverse is not immune to risks and vulnerabilities. Some of the technological and cyber risks associated with it:

Personal data: users will create and share large amounts of personal data, including biometric data, preferences and behavioural patterns. Securing this data and its privacy is critical to prevent leaks and unauthorised access to sensitive information.

Cybercrime: as the metaverse grows in popularity it will attract cybercriminals. Distributed denial of service (DDoS) attacks, malware and phishing scams could compromise the security of the virtual world and its users.

Virtual assets: the metaverse is likely to involve the exchange of virtual currencies and assets. If they are not adequately protected they are vulnerable to theft, fraud and hacking.

Addiction: given the immersive nature of the metaverse, users may spend excessive time in the virtual world, leading to physical and mental health problems and social isolation.

Centralisation: the metaverse could be dominated by a few powerful companies or individuals, resulting in a centralised, controlled virtual world that limits users' freedom and innovation.
As the next article in this series will show, it is essential to develop robust security protocols and regulation to address these risks and ensure that the metaverse remains a safe environment for all users.
April 11, 2023
Cyber Security
What is the Fifth Domain and what is its strategic importance?
In recent years, conflict and stability in cyberspace have become a growing concern for countries and organisations that treat cyberspace as a strategic domain and have strengthened their cyber defence, cyber intelligence and offensive capabilities. The National Institute of Standards and Technology (NIST) defines cyberspace as a global domain within the information environment consisting of the interdependent network of information systems infrastructures, including the internet, telecommunications networks, computer systems and embedded processors and controllers in critical industries. It is a complex environment resulting from the interaction of people, software and services on the internet through connected devices and networks, and it does not exist in any physical form. The term "cyberspace" comes from the American writer William Gibson, who used it in his 1984 novel Neuromancer.

Cyberspace, the fifth domain

Cyberspace has been called the "fifth domain", of equal strategic importance to land, sea, air and space. This has intensified international competition, with major powers competing to dominate it. How should so many security activities be prioritised in such a changing landscape? Are we joining forces to rethink cyber security? What is the impact of cyberspace on economic growth and development? Do we accurately understand the nature, characteristics and essence of cyberspace? The dynamic nature of cyberspace complicates decision making. Leaders routinely face difficult decisions in managing cyber risk, because exposure can threaten reputation, customer trust and competitive position, and may result in fines and lawsuits.
New cyber security challenges

Leaders must simultaneously handle changing organisational priorities, shifts in budgets, technologies and headcount, evolving adversary tactics and emerging security events. Cyberspace faces many security challenges, including identity tracking, identity theft, terrorism, espionage and warfare. The continued exponential growth of cyber attacks puts more pressure on executive decision makers to stay ahead of the curve. Cyberspace connects everything and everyone: applications, data, purchases, services and communications. Securing it is essential to protect organisations, the environment and society. Reacting after the fact is costly and increases the need for ex post regulatory assessment and sanction. Cyber risk is dynamic by nature, and we must act accordingly. Recent changes in cyberspace, such as the increase in cyber threats, the shift to hybrid working and bring-your-own-device (BYOD) policies, have intensified the discussion of how to improve the overall security posture of organisations.

Challenges for the management of cyber crises

Zero trust has emerged as a potential solution, and also as a source of confusion in security circles about its effectiveness. What policies, practices and partnerships are needed to prevent a cyber pandemic? Are our organisations prepared for confrontation in cyberspace? These questions also reveal where the greatest challenges lie in managing cyber crises. Crises induced in cyberspace have characteristics that make them hard to handle: they can be triggered remotely and instantaneously in multiple locations.
As the dangers change, so must our responses; digital threats demand vigilance, determination and the resolve to react with precision to an ever-growing risk. Cyber crises are not always easily traceable, and it is sometimes hard to see that the cause of a crisis in the offline world is an act in cyberspace. Finally, the borderless nature of cyberspace allows cyber crises to spread geographically on a large scale. Security system complexity, created by disparate technologies and a lack of in-house expertise, amplifies these costs. Organisations with a comprehensive cyber security strategy, governed by best practice and automated with advanced analytics, Artificial Intelligence (AI) and machine learning, can fight threats more effectively and reduce the lifecycle and impact of breaches when they occur.

An expanding risk surface

The risk surface keeps expanding, with thousands of new vulnerabilities reported in old and new applications and devices, and more opportunities for human error, particularly negligent employees or contractors inadvertently causing a data breach. While security professionals work to close gaps, attackers look for new ways to escape IT's notice, evade defences and exploit emerging weaknesses. Digitalisation has increased the exposure of technology assets in cyberspace, which requires a worldview built on risk, resilience and trust. The latest threats put a new spin on known ones, taking advantage of work-from-home environments, remote access tools and new cloud services. Today's organisations are connected like never before; their systems, users and data live and operate in different environments.
Perimeter-based security is no longer adequate, but implementing separate security controls in each environment creates complexity; in both cases the result is degraded protection for the most important assets. A zero trust strategy commits to validating every user, device and connection in the business for authenticity and purpose. To execute it, organisations need a way to combine security information into the context (device security, location and so on) that informs and enforces those validation controls. Cyberspace is expanding rapidly. It requires greater coordination among all of us, and the development of standards that provide a stable, secure environment. A cyber resilient organisation is one that can identify, prevent, detect, contain and recover from a myriad of serious threats to its data, applications and information technology (IT) and operational technology (OT) infrastructure. Defence in depth, also known as layered defence, is a cyber security approach that uses multiple layers of security for holistic protection.

The importance of a layered defence

A layered defence helps security organisations reduce vulnerabilities, contain threats and mitigate risk. Simply put, if an attacker breaches one layer of defence, the next layer can contain them. Traditional perimeter-based IT security models, designed to control access to trusted enterprise networks, are not suited to the digital world: organisations today develop and deploy applications in corporate data centres, private clouds and public clouds, and rely on SaaS solutions.
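To make the zero trust point above concrete, here is an added example (not code from the original article or from any vendor's product) of a policy decision function that combines user, device and connection context into a single allow, step-up or deny decision, and that fails closed whenever a signal is missing. The signal names, the allowed-country list and the thresholds are assumptions chosen for illustration; the sample requests at the bottom are constructed.

```python
# Added example (not from the original article): a minimal zero trust policy
# decision point. Every request is evaluated against user, device and
# connection context, and the function fails closed when context is missing.
# Signal names, the allowed-country list and the thresholds are assumptions
# chosen for illustration, not any product's policy language.

REQUIRED_SIGNALS = (
    "user",                  # authenticated identity
    "mfa_verified",          # strong authentication completed this session
    "device_managed",        # device is enrolled and under management
    "device_patched",        # device posture: patch level acceptable
    "country",               # geolocation of the connection
    "resource_sensitivity",  # "low" or "high", from the resource's classification
)

ALLOWED_COUNTRIES = {"ES", "DE", "GB"}   # assumed corporate policy


def evaluate(ctx: dict) -> tuple[str, list[str]]:
    """Return (decision, reasons) where decision is 'allow', 'step_up' or 'deny'.

    Absence of a signal is treated as a failed check, never as implicit trust.
    """
    missing = [name for name in REQUIRED_SIGNALS if name not in ctx]
    if missing:
        return "deny", ["missing context: " + ", ".join(missing)]

    reasons = []
    # Hard requirements: an unmanaged device or an unexpected location is
    # denied regardless of who the user is.
    if not ctx["device_managed"]:
        reasons.append("unmanaged device")
    if ctx["country"] not in ALLOWED_COUNTRIES:
        reasons.append(f"connection from {ctx['country']} not permitted")
    if reasons:
        return "deny", reasons

    # Resource-dependent requirements: high-sensitivity data needs a patched
    # device; everything needs MFA, but on a compliant device we can ask for
    # it (step-up) instead of refusing outright.
    if ctx["resource_sensitivity"] == "high" and not ctx["device_patched"]:
        return "deny", ["high-sensitivity resource requires a patched device"]
    if not ctx["mfa_verified"]:
        return "step_up", ["MFA required before access is granted"]
    return "allow", ["all signals satisfied"]


# Constructed sample requests for a stand-alone run.
SAMPLE_REQUESTS = {
    "compliant laptop": {"user": "ana", "mfa_verified": True, "device_managed": True,
                         "device_patched": True, "country": "ES", "resource_sensitivity": "high"},
    "personal phone": {"user": "ana", "mfa_verified": True, "device_managed": False,
                       "device_patched": True, "country": "ES", "resource_sensitivity": "low"},
    "no MFA yet": {"user": "luis", "mfa_verified": False, "device_managed": True,
                   "device_patched": True, "country": "DE", "resource_sensitivity": "low"},
    "unpatched, high data": {"user": "luis", "mfa_verified": True, "device_managed": True,
                             "device_patched": False, "country": "GB", "resource_sensitivity": "high"},
    "no posture data": {"user": "eve", "country": "ES"},
}

if __name__ == "__main__":
    for label, ctx in SAMPLE_REQUESTS.items():
        decision, why = evaluate(ctx)
        print(f"{label:22s} -> {decision:8s} ({'; '.join(why)})")
```

The design choice worth noting is the order of checks: missing context and hard device or location failures are denied before anything else is considered, so a request can never be upgraded to "step_up" by a strong user signal while a device signal is absent. In a real deployment the signals would come from the identity provider, the endpoint management platform and the network edge rather than from a dict.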
Most enterprises are evolving their defence-in-depth strategies to protect cloud workloads and defend against the new attack vectors that accompany digital transformation. The digital world has transformed how we live, work and play, but it is constantly open to attack, and because there are so many potential attackers we need the right security in place to prevent systems and networks being compromised. There are plenty of risks, and plenty of solutions, including those based on Artificial Intelligence and the zero trust model. No single method protects against every type of attack; that is where a defence-in-depth architecture comes in.

Rethinking and refocusing Cybersecurity

Although cyberspace has become central to vital processes in the global economy and in people's social lives, it also carries a wide variety of risks. Framing them is not easy: some cause damage in cyberspace itself, others cause damage in the offline world as well; some damage is intentional, some results from accidents. The "cyber damage model" brings these challenges together and offers a comprehensive overview of the different types of cyberspace-related incident. Cyber crises also bring specific challenges for leadership, especially in sense-making, decision making, termination and learning. Leading without a cyber strategy is like playing whack-a-mole: as soon as one incident is squashed, another pops up. Cyber security strategies that aim at the grand challenges take a holistic, cross-cutting and comprehensive approach, acting as a catalyst for added value from governance, risk and compliance frameworks.
That includes establishing the axes, principles, structures and practices needed to design, build, implement, monitor and improve the strategy from the strategic level down to the tactical and operational levels, giving rise to emerging and disruptive innovation. When setting a cyber strategy it is important to rethink and refocus cyber security so that its scope covers the preparations and precautions taken against cyber crime, cyber war, cyber attacks, cyber incidents and cyber threats across the attack surface. There are many positives: we have come a long way in a short time and we are doing a good job, but the key is not to settle, it is to reaffirm the commitment to do better, because our adversaries come with new skills.
October 26, 2022
Cyber Security
How to become a cyber resilient organisation
Fear, panic and uncertainty are feelings that corporate leadership experiences constantly. In management committees the big question is asked again and again: is our cyber security working? Along with: What are the new behavioural patterns of adversaries? How do we understand cyberspace in order to design, build and implement a cyber security strategy? How do we perceive the cyber threat landscape? Are we considering retrospective, prospective and panoramic aspects to define a cross-cutting, comprehensive strategy?

The National Institute of Standards and Technology (NIST) defines resilience as "the ability of an organisation to transcend (anticipate, resist, recover from, and adapt to) any stress, failure, hazard, and threat to its cyber resources" within the organisation and its ecosystem, so that the organisation can confidently pursue its mission, enable its culture and maintain its desired way of operating. Understanding the full impact of cyber risk on an organisation is complex but critical to strengthening cyber resilience, so frameworks and tools are needed to equip people to understand and communicate the prevailing cyber risks and their impact.

Cyber resilience must be seen as a strategic imperative, and its benefits must be clear to corporate leadership. That means translating the state of cyber resilience into operations, strategy and business continuity. Current figures and developments, however, show that much work is needed to close the cyber resilience capability and performance gap between industry ecosystems and within organisations.
The World Economic Forum's (WEF) Global Cybersecurity Outlook 2022 found that only 19% of respondents feel confident that their organisations are cyber resilient, meaning the large majority know their organisations lack resilience commensurate with the risks they face. The report also found that 58% of respondents believe their partners and suppliers are less resilient than their own organisation, and 88% are concerned about the cyber resilience of the small and medium-sized businesses in their ecosystem. In an Accenture report, 81% of respondents said that "staying ahead of attackers is a constant battle and the cost is unsustainable", up from 69% in 2020.

As organisations, ecosystems, supply chains and supplier relationships become more interconnected and interdependent, and as the pace of change and transformation accelerates, not only is resilience lagging but so is a cohesive approach to how resilience is designed. Despite this interconnectedness there is no alignment to jointly overcome disruptive cyber events. Is your organisation prepared for what is to come, and can you measure its capability against various attacks, threats or incidents? Whatever the size, economic sector or risk profile of your organisation, it is exposed to increasingly sophisticated, evolving and innovative cyber attacks, and many organisations are ill-equipped to demonstrate that they can withstand sophisticated attack behaviour. What do we need? Where are we joining forces to move forward? Do we have the operational, technical and strategic capabilities? How can we draw a roadmap?
What are we doing and how can we improve? Many organisations are poorly prepared to withstand sophisticated cyber-attacks. Cyber resilience is not about creating a contingency plan and continuity of operations; it goes beyond ensuring availability and focuses on resilience in the aftermath of a disruption to the technology infrastructure. How prepared is our organisation, and how is it strengthening its capabilities to identify, detect, prevent, neutralise, recover, cooperate and continuously improve against cyber threats?

According to The Cyber Resilience Index: Advancing Organizational Cyber Resilience 2022 report (WEF), the top four reasons why cyber resilience is limited in today's ecosystems are that many organisations:

- have a narrow perspective on cyber resilience, focusing primarily on security response and recovery;
- lack a common understanding of what a comprehensive cyber resilience capability should include;
- find it difficult to accurately measure the organisation's cyber resilience performance or to communicate its true value to senior management;
- struggle to be transparent within their organisation and with ecosystem partners about the shortcomings of their cyber resilience posture and their experiences with disruptive events.

Characteristics of a cyber-resilient organisation

The approach to cyber resilience must also be free of the fear-driven constraints caused by mere preservation of the status quo, which are so often followed by attempts to return to a demonstrably fragile state when disruption predictably occurs. The reward of making cyber resilience part of the ethos is a greater opportunity to take healthy risks, innovate and responsibly capture the value of tomorrow's digital economy.
Some resilience techniques that you can implement to mature your security programmes and improve your ability to provide services to customers during a cyber incident:

- Adaptive response: Optimise the ability to respond in a timely and appropriate manner to adverse conditions.
- Analytical monitoring: Maximise the ability to detect potential adverse conditions and reveal their extent.
- Coordinated protection: Require an adversary to overcome multiple safeguards.
- Deception: Deceive or confuse the adversary, or conceal critical assets from the adversary.
- Diversity: Limit the loss of critical functions due to the failure of common replicated components.
- Dynamic positioning: Impede an adversary's ability to locate, eliminate or corrupt mission or business assets.
- Dynamic representation: Support situational awareness and reveal patterns or trends in adversary behaviour.
- Non-persistence: Provide a means to reduce an adversary's intrusion.
- Privilege restriction: Restrict privileges based on user attributes and system elements.
- Reordering: Reduce the attack surface of the defending organisation.
- Redundancy: Reduce the consequences of loss of information or services.
- Segmentation: Limit the set of potential targets to which malware can easily spread.
- Integrity checked: Detect attempts by an adversary to deliver compromised data, software or hardware, as well as successful modifications or fabrication.
- Zero trust: Question the organisation's security practices and policies, with the right to ask for and expect clear answers.
- Unpredictability: Increase an adversary's uncertainty regarding the system protections they may encounter.

Cyber resilience must be part not only of the technical systems, but also of the teams, the organisational culture and the way we work on a daily basis. It is imperative for the success of a cyber resilient organisation to design, build and manage cyber resilience and then get the fundamentals right.
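To make the "Integrity checked" technique above concrete, here is an added example (not code from the article or from Telefónica Tech) of how a defender can detect delivered compromised data, silent modification and fabricated artefacts. It records a SHA-256 digest per artefact in a manifest and authenticates the manifest itself with an HMAC, so that an intruder who alters a file cannot simply rewrite the recorded digest to match. The artefact names, their contents and the key are all constructed for the demonstration.

```python
import hashlib
import hmac

# Constructed sample artefact set (name -> content) standing in for files delivered to a system.
# All values here are invented for this example.
BASELINE = {
    "config/app.yaml": b"listen: 443\nmode: production\n",
    "bin/agent": b"ELF-placeholder-bytes-for-the-demo",
    "data/trial_dataset.csv": b"sample_id,result\nS001,negative\nS002,positive\n",
}

# Constructed key. In a real deployment the manifest key is held outside the monitored
# system (for example in an HSM or KMS) so an intruder who alters files cannot re-sign the manifest.
MANIFEST_KEY = b"demo-manifest-key-not-for-production"


def digest(data: bytes) -> str:
    """SHA-256 hex digest of one artefact's content."""
    return hashlib.sha256(data).hexdigest()


def canonical_form(entries: dict) -> bytes:
    """Deterministic serialisation of the name -> digest table that the HMAC covers."""
    return "\n".join(f"{name} {entries[name]}" for name in sorted(entries)).encode()


def build_manifest(artefacts: dict, key: bytes) -> dict:
    """Record a trusted digest per artefact and authenticate the whole table with an HMAC."""
    entries = {name: digest(data) for name, data in artefacts.items()}
    tag = hmac.new(key, canonical_form(entries), hashlib.sha256).hexdigest()
    return {"entries": entries, "tag": tag}


def verify(artefacts: dict, manifest: dict, key: bytes) -> dict:
    """Compare the current artefact set against the manifest.

    The findings separate the cases the technique is meant to catch:
      manifest_tampered - the digest table no longer matches its HMAC (manifest forged)
      modified          - artefact content differs from the recorded digest
      missing           - a recorded artefact is absent
      unexpected        - an artefact is present that was never recorded (fabrication)
    """
    entries = manifest["entries"]
    expected_tag = hmac.new(key, canonical_form(entries), hashlib.sha256).hexdigest()
    findings = {
        "manifest_tampered": not hmac.compare_digest(expected_tag, manifest["tag"]),
        "modified": [],
        "missing": [],
        "unexpected": [],
    }
    for name, recorded in entries.items():
        if name not in artefacts:
            findings["missing"].append(name)
        elif not hmac.compare_digest(digest(artefacts[name]), recorded):
            findings["modified"].append(name)
    findings["unexpected"] = sorted(name for name in artefacts if name not in entries)
    return findings


def is_clean(findings: dict) -> bool:
    """True only when the manifest is authentic and every artefact matches it."""
    return not findings["manifest_tampered"] and not (
        findings["modified"] or findings["missing"] or findings["unexpected"]
    )


def demo_scenarios() -> dict:
    """Run the baseline plus three constructed adverse scenarios; return findings per scenario."""
    manifest = build_manifest(BASELINE, MANIFEST_KEY)

    # Scenario 1: a single record in the dataset is altered; nothing is deleted or added.
    altered = dict(BASELINE)
    altered["data/trial_dataset.csv"] = BASELINE["data/trial_dataset.csv"].replace(
        b"S002,positive", b"S002,negative"
    )

    # Scenario 2: the intruder also rewrites the manifest digest for the altered file,
    # but without the key the recorded HMAC no longer matches the table.
    forged = {"entries": dict(manifest["entries"]), "tag": manifest["tag"]}
    forged["entries"]["data/trial_dataset.csv"] = digest(altered["data/trial_dataset.csv"])

    # Scenario 3: an extra binary appears that was never part of the approved set.
    fabricated = dict(BASELINE)
    fabricated["bin/helper"] = b"unapproved-binary-placeholder"

    return {
        "baseline": verify(BASELINE, manifest, MANIFEST_KEY),
        "altered_record": verify(altered, manifest, MANIFEST_KEY),
        "forged_manifest": verify(altered, forged, MANIFEST_KEY),
        "fabricated_artefact": verify(fabricated, manifest, MANIFEST_KEY),
    }


if __name__ == "__main__":
    for scenario, findings in demo_scenarios().items():
        status = "CLEAN" if is_clean(findings) else "ALERT"
        print(f"{scenario:20} {status} {findings}")
```

The point of the forged-manifest scenario is that a plain hash list stored next to the data protects against accidents, not adversaries; the key kept off the monitored system is what turns the check into evidence of deliberate tampering. A detection like this only has value if the alert feeds the adaptive-response and analytical-monitoring capabilities listed above, so that a reported "ALERT" triggers a defined response rather than a log line nobody reads.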
Cyber resilience must be a pervasive mindset underpinned by a holistic approach within organisations and across their ecosystems. For decades, cyber resilience management has been underrepresented and confused with other principles in cyber security programmes. Today, more than ever, there are many positives. We have come a long way in a short time. But the key is not to become complacent, to reaffirm our commitment to improvement and to recognise that the attacker will come back with new capabilities and skills.
September 15, 2022