Luis Mtnez. del Pino: “The level of security achieved is really good, but complete security does not exist”

Interviews
Author: Fraternidad-Muprespa

Luis Martínez del Pino has been the director of the Information Systems Security Department at Fraternidad-Muprespa since October. Catalan by birth and Murcian by adoption, he is a father of two children, a music lover, and passionate about the electric guitar.

After completing his Computer Science studies at the University of Murcia, he moved to Madrid where he has developed his professional career in the information technology sector for 25 years, always focused on the digital transformation of the healthcare sector in general, and computer security in particular.

With a good knowledge of the sector of mutual insurance companies collaborating with Social Security, he has been a manager at multinationals such as everis (NTT Data), Indra and NEORIS. His endeavor is to establish in the minds of companies, consultancies, workers and self-employed workers the idea that

What are the areas of work in the immediate future of the department?

2024 is going to be an intense year in carrying out new projects. The most immediate future involves renewing the certification of the National Security Scheme (ENS) associated with our Digital Office.

Additionally, we are preparing a package of measures and projects aimed at improving the Mutual Fund's situation in terms of cybersecurity.

We plan to deploy a Security Operations Center that will work 24x7x365 and will supervise the entire ICT infrastructure of the Mutua.

On the other hand, we are preparing to contract some cutting-edge software products that will reduce our exposure surface and strengthen our protection.

Regarding data protection, I consider that we have reached a very high level of maturity, so 2024 will be focused on the consolidation, optimization and continuous improvement of processes.

And we will continue working to raise awareness and train our employees in cybersecurity, reinforcing this most vulnerable link.

What is the key to working and developing the activity of a mutual company with an optimal level of security?

No one can guarantee full security in the field of information technologies. What we can and should do is work to mitigate known risks. Of course, securing data in general and sensitive data in particular is essential in any organization, even more so in a mission-critical one like Fraternidad-Muprespa. This involves the design and deployment of encryption, protection, backup, availability and access policies for information, depending on its nature.

Technological debt and software obsolescence are great enemies of cybersecurity. That is why we work daily to eliminate any infrastructure whose base software is obsolete, as well as to maintain our hardware and software infrastructures with an optimal level of patching, which helps eliminate known vulnerabilities already resolved by manufacturers.

From the point of view of software and hardware infrastructures, we have deployed and are maintaining a set of state-of-the-art tools, which contribute to the protection and monitoring of infrastructures at different levels.

Regarding the custom software that we develop internally, we follow the recommendations of the OWASP (Open Web Application Security Project) community, in addition to subjecting all developed software to strict security and quality controls.

I have left for last what seems most important to me: the implementation of a cybersecurity culture throughout the organization, to protect ourselves from avoidable security incidents.

What importance do we give to data protection in general, and health data in particular?

It is one of the strengths of Fraternidad-Muprespa today. Until now we have never been sanctioned by the Spanish Data Protection Agency.


Our Data Protection Officer function (DPD) is highly professionalized and is responsible, among many other things, for independently checking whether we adequately comply with the regulations, in addition to advising us in complex situations.

The information security certifications that we hold (ISO 27001 and ENS) are subject to periodic external audits, and establish very solid foundations to guarantee a very high level of protection of information throughout its value chain, applying special protection measures when it is sensitive.

On the other hand, we have made a special effort to design policies and instructions that regulate the use that our employees make of the information they have, aimed at relevant issues such as the exchange of information with third parties, use of information inside and outside the work environment, use of shared storage resources, etc.

We have paid special attention to data protection within the framework of our Digital Office, since it is the main digital communication channel between the Mutual Fund and associated companies, consultancies, protected workers and self-employed workers.

And during the period of welcoming new employees we specifically work on all the measures to be adopted from the point of view of data protection.

Are there situations in which we provide data without it being really necessary?

At Fraternidad-Muprespa we necessarily work with personal data and sensitive information, but when we collect, generate or consult that information, we always do so within the framework of our legitimate purpose.

However, like any other organization, we are periodically subject to attempted attacks by cybercriminals using identity impersonation, what we call phishing, many of them with the aim of collecting confidential and sensitive information. For this reason, employee training and awareness are so relevant.

What does the implementation of teleworking mean when it comes to working with maximum security?

Due to the pandemic, suddenly, more than 2,000 people were working from home, with the resulting impact of exposure to attacks and the emergence of new vulnerabilities. Fortunately, we had already regulated teleworking through specific security policies and technologies. We rely on both the recommendations for teleworking contemplated in the ENS, through the National Cryptology Center (CCN-CERT), and the best practice guidelines offered in the ISO/IEC-27000 series standards.

We regulate, for example, the exclusive use of professional devices and corporate software, virtual meetings and video calls, software updates, the use of networks, password management and the encryption of drives against theft or loss.

On the other hand, we have cutting-edge technologies in virtual private networks, next-generation antivirus, two-step authentication, network access control, access privilege management and endpoint security, among others. The difficulty lies in finding the balance between a secure environment and not complicating the employee's work.

What is the difference between vulnerability and security breach?

A vulnerability is a weakness in a software or hardware element that, exploited by a cyber attacker, can compromise the organization's computer security. The most common are the result of programming errors, lack of security patches or incorrect product configurations, and are hidden until they are discovered.

On the other hand, a security breach is the actual circumstance in which the security of the data has been compromised, and occurs when a cyber attacker manages to successfully exploit a vulnerability, compromising the confidentiality, integrity or availability of the organization's data. The consequences of a security breach can range from unauthorized access, loss of data, theft of information, reputational damage or economic loss, among other negative consequences.

Surely, if I asked you now what the most important vulnerability is in an organization, you would tell me that it is people. And you would be right.

Are we prepared for possible attacks such as those recently experienced in large companies?

I think that the level of security that Fraternidad-Muprespa has achieved is really good, and meets the market standard that large business organizations have achieved. However, and as I said at the beginning, full security does not exist.

We are all aware of the tremendous hype around generative artificial intelligence. How does this technology affect cybersecurity?

They are two increasingly related worlds. On the one hand, the technology applied to cybersecurity uses artificial intelligence algorithms to improve protection levels.

Cybercriminals use generative artificial intelligence to create new attacks and make known attacks more effective.

I am referring to identity theft, creating artificial identities, media manipulation, creating deepfakes, such as imitating the appearance or voice of a person to impersonate them, automating social engineering, or carrying out targeted phishing. It is very important to be aware of this new reality to try to anticipate this type of cyberattack, which is increasingly complex and difficult to detect.

On the other hand, and in relation to data protection, the inappropriate use of generative artificial intelligence platforms by employees can lead to leaks of sensitive information. To prevent this, we are already defining policies that will regulate the use of this technology in the professional field.
