What is cybersecurity?
Key pillars of cybersecurity at Iberdrola
Today's society relies on the Internet for all the activities it undertakes during the day, from work to leisure, from finance to storing personal data or to communicating with others. The role of cybersecurity is growing in parallel with the concern for protecting our digital data. Find out about its importance, how we defend ourselves against cyber attacks at Iberdrola and our tips to prevent them.
In a world increasingly reliant on the Internet, the need to prevent online scams and maintain cybersecurity is becoming more prominent. Any individual or company, regardless of size, is a potential target for cyber attack. Internet users leave a trail of digital information, and businesses hold key assets that criminals may seek to exploit. Sometimes the target is money or financial information, sometimes personal data, and sometimes even infrastructure.
Knowing the importance of cybersecurity and the types of cyber attacks can help you better understand the risks and find ways to prevent and deal with them.
Definition and scope of cybersecurity
According to the computer company Kaspersky, cybersecurity is the "practice of defending computers, servers, mobile devices, electronic systems, networks and data from malicious attacks". In other words, it is the set of processes and tools used to anticipate, protect against and defend against attacks on any electronic device or platform.
Put more formally, cybersecurity is the set of capabilities, technologies, standards, processes and best practices designed to protect cyberinfrastructure against attacks, damage or unauthorised access: the ability to prevent, identify, detect, respond to and mitigate or eliminate deficiencies, vulnerabilities, attacks and internal and external threats that may put the Company's cyberinfrastructure at risk, with the aim of eliminating or minimising any damage to the company.
Like a barrier, cybersecurity slows or minimises attacks. "A robust cybersecurity strategy can provide a good security posture against malicious attacks designed to access, alter, delete, destroy or extort an organisation's or user's systems and sensitive data," notes TechTarget. Cybersecurity is also critical to prevent attacks aimed at disabling or disrupting the operation of a system or device.
With an increasing number of users, devices, technologies and programmes, and ever more data, much of it sensitive or confidential, the importance of cybersecurity continues to grow. The growing volume and sophistication of digital scams make the problem worse. These attacks can hit governments, businesses or institutions alike, but the human factor deserves special attention: according to cybersecurity company Proofpoint, "more than 99 % of cyber attacks require human interaction".
Iberdrola's Prevention and Response Strategies
At Iberdrola, as a leading company in innovation and digitisation, we attach great strategic importance to cybersecurity, which is key to meeting the challenges associated with the energy transition. In a technologically complex environment such as the current one, our main objective is protecting critical infrastructures, which are essential for protecting the data of our customers and other stakeholders, as well as the Group’s reputation.
The Board of Directors approved in 2015 a Cybersecurity Risk Policy, which promotes a strong cybersecurity culture by strengthening our capabilities to protect, detect, prevent, defend and respond to potential online attacks or incidents.
Furthermore, we have established a global cybersecurity strategy to integrate this digital defence into business decisions and daily operations. This strategy is based on six pillars:
- Governance. We assign clear roles and responsibilities in digital risk management:
  - Up-to-date standards, frameworks and criteria for protection adapted to the environment and its evolution.
  - Coordination and decision-making bodies for the integration of cybersecurity into decision-making processes:
    - Cybersecurity committees, global and local, chaired by the corresponding CISOs and in which all businesses and areas are represented, where cybersecurity standards, frameworks and models are shared, discussed and approved.
    - A quarterly committee made up of the Group's CEO, the global CEOs of the businesses and the CEOs of all the subholdings, in which specific cybersecurity initiatives and plans linked to the Group's strategic plans are discussed, decided and promoted.
- Culture. We identify and develop cybersecurity skills and knowledge through awareness and training programmes in the different areas and roles of the company and promote a culture of cybersecurity at all levels of the organisation.
- Risk management. We define and implement comprehensive risk management plans, prioritising critical infrastructures and essential services.
- Resilience. We have global and local cybersecurity incident response technology and teams that are always operational to minimise the impact on business objectives and the continuity of essential services.
- Assurance. We establish robust monitoring and enhanced assurance mechanisms for critical and high-risk cyberinfrastructures to proactively identify and mitigate relevant risks and vulnerabilities and ensure compliance with internal cybersecurity standards and applicable external regulations.
- Collaboration. We work closely with cybersecurity managers across the businesses internally, and externally with law enforcement agencies, government bodies, product and service providers, other companies and think tanks, to strengthen cyber defence.
To deploy this strategy, we have appointed a global head of cybersecurity (CISO) who, in coordination with the global head of security, reports periodically to the Audit and Risk Supervision Committee of the Board of Directors. In addition, each business and corporate area has its own cybersecurity officer (BISO).
We also pay special attention to the privacy of our stakeholders' information, and have a Personal Data Protection Policy and a data protection management system in place to ensure compliance. Responsibility for protecting personal data lies with the business and corporate functions, under the coordination and supervision of the Group's Data Protection Officer and with the support of Legal Services.
How to report cyber attacks
At Iberdrola, we have set up a vulnerabilities mailbox, a contact platform for reporting possible security issues on our websites. Through this form we receive reports from the security research community that help secure the products and services of all the Group's companies. Once alerted, we investigate and fix any vulnerability detected on our platforms.
A report should include the affected web page or site, a brief description of the vulnerability, the steps to reproduce it and any documentation that illustrates the problem.
Innovation and the future of cybersecurity in the energy industry
Cybersecurity is crucial in the energy industry because of the increasing interconnection of systems and dependence on technology. Smart grids, industrial control systems and other internet-enabled devices are already an essential part of the industry, bringing efficiency and control. However, these developments require closer security scrutiny to avoid exposing vulnerabilities that attackers could exploit.
Some expected innovations or trends in cybersecurity in the energy industry are the following:
- Integration of emerging technologies. The adoption of technologies such as the internet of things (IoT), artificial intelligence (AI) and machine learning can help detect security breaches early and optimise the response.
- Blockchain. This technology is being explored to improve transaction security and data management in the energy supply chain. It provides an immutable record that helps prevent fraud and attacks. At Iberdrola, we have become the first company to use blockchain to certify participation in the General Shareholders' Meeting.
- Cloud security. With the proliferation of cloud services, robust security measures and encryption techniques are expected to be implemented to protect stored and transmitted data, as well as agreements with strong vendors that provide secure technologies and services.
- Response automation. The aim is to automate threat response: systems that identify, analyse and respond to an attack on the spot can shorten reaction time and limit its impact.
- Training and awareness. To cope with the increasing sophistication of attacks, continuous training of staff at all levels of the company in cybersecurity and awareness of best practices will be critical.
- Collaboration. Training and technical support between energy industry entities, government agencies and cybersecurity companies will be key to sharing knowledge in the face of cyber-attacks.
- Legislation. Regulations and standards related to cybersecurity in the energy industry are likely to increase in order to guarantee the protection of critical infrastructure assets.
Tips for users to avoid data harvesting
Cybersecurity starts with our own online activity. Here are some tips to keep your data safe:
Keep your passwords secure and up to date
Passwords are the first line of defence for your online accounts. Use a unique, long password for each account, avoid including personal information or common words, and change any password immediately if you suspect it has been exposed. Of course, never share them.
Update your devices and their software
Keeping your devices and software up to date is essential to ensure the security of your data. Updates often include crucial security patches to prevent or eliminate known vulnerabilities.
Beware of emails, unsolicited messages and suspicious links
Phishing is one of the main ways cybercriminals try to steal our personal data. Be cautious: do not open emails from unknown senders, and do not click on links or download attachments from suspicious messages, as they may lead to credential-harvesting pages or contain malware. Always verify that a message is legitimate, for example by checking that a link really points to the domain it claims to, before acting on it.
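The checks a reader should make before clicking a link can be automated. The following Python script is an added example and is not Iberdrola's code: it parses a constructed sample email body, extracts every link and flags the classic phishing tells (visible text naming one domain while the link goes to another, a raw IP address as host, a punycode host that may be a lookalike domain, and non-web schemes such as `javascript:`). The sample email and the domains in it are constructed for this example; `registrable_part` is a deliberately crude approximation of the registered domain.

```python
"""Flag suspicious links in an HTML e-mail body (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re

# Constructed sample e-mail; the hosts and domains are illustrative only.
SAMPLE_EMAIL = """
<p>Dear customer, your invoice is ready.</p>
<a href="https://www.example.com/invoice">https://www.example.com/invoice</a>
<a href="http://198.51.100.7/login">Sign in to your account</a>
<a href="https://xn--exmple-cua.com/verify">www.example.com</a>
<a href="javascript:alert(1)">Update payment details</a>
<a href="https://billing.example.com/pay">billing.example.com</a>
"""

# Finds a domain name mentioned in the visible text of a link.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_part(host):
    """Crude approximation of the registered domain: the last two labels."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text):
    """Return the reasons a link looks suspicious (empty list if none)."""
    reasons = []
    parts = urlsplit(href.strip())
    if parts.scheme.lower() not in ("http", "https"):
        # javascript:, data:, file: and similar never belong in a mail link
        reasons.append(f"non-web scheme {parts.scheme!r}")
        return reasons
    host = parts.hostname or ""
    if is_ip(host):
        reasons.append("link host is a raw IP address")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode host (possible lookalike domain)")
    shown = DOMAIN_RE.search(text)
    if shown and registrable_part(shown.group(1)) != registrable_part(host):
        reasons.append(f"visible text names {shown.group(1)} but link goes to {host}")
    return reasons


def find_suspicious_links(html):
    """Map each suspicious href in the body to its list of reasons."""
    collector = LinkCollector()
    collector.feed(html)
    findings = {}
    for href, text in collector.links:
        reasons = analyse_link(href, text)
        if reasons:
            findings[href] = reasons
    return findings


if __name__ == "__main__":
    for href, reasons in find_suspicious_links(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Running it on the sample flags three of the five links and leaves the two whose visible text matches their destination alone. In a real mail client the same checks would run over the decoded HTML part of the message, and a proper public-suffix list would replace `registrable_part`.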
Use a secure network
Use only trusted connections and networks, such as a Virtual Private Network (VPN), which encrypts your Internet traffic, especially when making transactions or entering confidential data. Avoid public or unsecured Wi-Fi networks.
Privacy settings on social networks
Review and adjust the privacy settings on your social media accounts to control who can see your personal information. Make sure it is only visible to people you trust. Avoid posting sensitive information such as your address, family details, phone number or financial details.
Anti-virus and anti-malware installation
Install and regularly update antivirus and anti-malware software on your devices to detect and remove potential threats.
Data backup
Make regular backups of your important data. In the event of an attack or loss of information, you will be able to restore it.