He speaks about “the bad guys” with familiarity. His extensive career in the world of cybersecurity has allowed him to build a profound understanding of how criminal organizations work; he’s aware that they have access to cutting-edge technologies, and that they are constantly on the watch to launch their attacks as soon as they detect a vulnerability. Digitization and telework have dramatically expanded the perimeter that needs to be protected at BBVA. This adds a new level of complexity to the work of this telecommunications engineer, who has previously worked in the Middle East, Asia and the Nordic countries. In this interview Garrido speaks confidently about BBVA’s strategy. A strategy that, according to him, sets the Group apart from its peers for its use of advanced data analytics and the commitment of the top tiers of the organization.
Raising awareness and training people to remain vigilant and prepared to prevent fraud and recognize digital threats is another key pillar of BBVA’s strategy. The company is celebrating ‘Cybertraining Week’ this week, with an agenda full of workshops and conferences for employees and their families. “I’m looking forward to the technical challenge of ‘Catch the flag’ and my kids will surely take part in a social media workshop to understand the risks and dangers that children and teens face when using these platforms,” says Garrido.
Question: Cybersecurity has become a critical issue during the COVID-19 crisis, following the spike in cyber-attacks and online fraud. Do you think that this demanding period has helped us become more aware of the threats we face when we go online?
Answer: More than a spike in the number of attacks, what happened during the confinement period is that we became much more dependent on technology, and this led people to become much more aware of the need to protect their personal and professional devices, and to pay more attention to their habits in the digital world.
According to the statistics we have access to, the level of materialization of these attacks has remained the same. The ratios are much the same as last year, if not a bit lower. But it is also true that the level of effort, focus and resources that we’re devoting to tackle this issue is higher.
What we’ve noticed is that criminals have started using new colors to package their attacks, they’ve adopted new approaches, intimately linked to the health crisis. What’s changing, clearly, is the type of bait, but now we’re starting to see that they’re going back to their former, pre-COVID-19, ways.
Q: Have learned any insights worth mentioning?
R: One of the things we’ve been discussing with other banks companies or regulatory authorities is the importance of raising awareness among users. At the BBVA Group level, we had already amassed a very relevant training and dissemination experience. For years, we’ve been carrying out all sorts of activities aimed at employees and their families. During lockdown, maybe because people had more time or were more interested in it, we trained over 14,230 people in two months. It’s been incredible. That’s why we decided to double down on our approach and celebrate this cybersecurity training week from July 6 to 10, full of workshops and conferrences by prominent industry experts.
Q: Some people have been talking even about the need to forge a great alliance between financial institutions to weave a common front against cybercrime. Would BBVA be willing to collaborate with its competitors to boost the effectiveness of fraud prevention measures?
R: This has already been done in other parts of Europe, such as the United Kingdom, the Nordic Countries… in Spain we already cooperate a lot on a regular basis, always within the boundaries outlined by existing regulations and the GDPR. We share information about threats and our temperature readings of what’s going on out there. But not only with other financial institutions. We participate in many forums, and try to reach out to the whole ecosystem, including law enforcement agencies, to come up with a comprehensive picture of what’s happening and where attacks are coming from.
We’re happy with our level of cooperation with other companies, but there’s always room for more. I think that right now we’re on track to expand this collaboration to move ahead and build up our strength to take on the bad guys.
“In Security we’ve fully embraced advanced analytics as a tool for tackling extremely complex issues”
Q: What do we know about these criminal organizations?
R: This has changed over time. In the early days of computers and the internet, hackers were just kids messing around for the sake of fun or recognition, but they soon realized they could reap huge profits.
Now, we’re in the midst of a second stage, dominated by organized criminal enterprises, extremely sophisticated, operated much like a regular company. Their investment capacity is astonishing. They’re very focused on their goal. That’s wherein, maybe, some of the asymmetry lies, because they’re very focused on specific attack vectors on which they deploy their full power, and we have to protect the whole geometry of the bank, against all types of attacks on a 24/7 basis. Also, these players have tremendously advanced organizational models and invest heavily on R&D and top technical talent. Their motivation is monetizing their investments, and their goal is to obtain money, a clear profit.
The third great wave, which is already being felt, has more to do with state agencies and geopolitics, an area that’s harder to act upon. But it is there and we need to respond. The impact is much more global in scale and pursues goals that include destabilization or industrial espionage, not just making a financial profit in the short-term.
Q: Technologically, are cibercriminals at the level of corporations?
R: Totally. Also, ‘crime as a service’ is quite a hot trend right now. Today, you can buy all sorts of tools to attack specific targets on “darknet” markets, at a very reasonable price. It is brutal. This type of technology that hackers have access to is, at least, the same that those of us that are on the defensive end have access to, and many times it’s much more lethal.
Q: How can you explain that they seem to be always ready to immpediately exploit vulnerabilities?
R: Businesses have to deal with attacks on a daily basis. Players are constantly scanning our perimeter, the perimeter of our supply chain, our employees’ accounts, automatically, to try to find weaknesses that they can exploit. That is why we need to move ahead of them and run attack drills against our own assets and put them to the tests to try to detect those vulnerabilities before cybercriminals do.
Also, the bank’s data-driven approach plays as a strength. In Security we’ve fully embraced advanced analytics as a tool for tackling extremely complex issues, such as the detection of anomalous patterns in our infrastructure or our transactions.