Companies classified at this vulnerability level are at risk of cyberattacks; they are easy targets for cybercriminals because they have not invested enough in their defenses, lack a security culture, and have virtually no ability to respond to an attack.

• Some of the topics covered in this guide include:

• Creating strong passwords

• Backups

• Handling information from customers, employees, and partners

• Secure digital wallets

• Antivirus software

A company is classified at this level when it has some security practices in place but also has significant vulnerabilities that are not being addressed comprehensively. It is not in a state of imminent high risk, but it is not completely secure either.

The following aspects should be considered and strengthened:

• Antivirus and firewalls that are not properly configured

• They have a password policy, but it is weak.

• They have given a security talk or workshop to employees at some point, but they do not do so regularly nor do they assess whether employees have retained the information.

• Critical accounts, such as those of system administrators, directors, or managers, are not protected with MFA. This leaves the company extremely vulnerable to phishing attacks or credential theft.

• They lack a formal process for applying security patches in a timely manner.

• Guest network access may not be properly segmented, or employees may use public Wi-Fi networks without a VPN.

• The company does not have a documented plan for what to do in the event of an attack.

• They may back up their data, but they do not test the backups regularly to verify that they can be successfully restored.

• They lack monitoring systems to detect suspicious activity on their network. They will only know they have been attacked once the impact is already evident (for example, when data has been encrypted).

A company is classified at this level because it demonstrates a high degree of maturity and strength in its cybersecurity practices. This level indicates that the company has not only implemented basic protective measures but also has a robust, proactive, and well-managed security framework in place to mitigate complex and emerging risks.

Such companies must continue to follow best practices; it is worth noting that their rating, among other factors, is due to:

• Strategic and Proactive Approach: The company does not merely react to incidents but has a well-defined cybersecurity strategy.

• Robust Technical and Operational Security Controls: The company has implemented a range of effective controls to protect its assets.

• Staff Awareness and Training: The human factor, which is often the weakest link, is well protected.

• In summary, a SENIOR rating does not mean that the company is invulnerable, but it does mean that it has achieved a higher level of preparedness, governance, and risk management compared to other companies in its sector. It is a highly desirable rating that indicates a serious commitment to cybersecurity.

Our three guides focus on preventing cyberbullying and gender-based violence in digital environments

To prevent, detect, and respond effectively to cyberbullying in digital environments, promoting safe and respectful use of technology and protecting people’s psychological well-being and reputation.