Security · Enterprise | 11 min read

Cybersecurity for Enterprises in the Dominican Republic: A Practical Guide

Cybersecurity is no longer a concern exclusive to banks and multinationals. Dominican companies of every size now operate on connected systems — cloud, email, ERP, payment gateways — and each of those points is an attack surface. Most incidents we see don't come from sophisticated attackers: they come from absent basic controls, default configurations, and the lack of a response plan. This guide documents the real threats for companies in the DR, what Law 172-13 requires, and the concrete controls that deliver the most protection at the lowest cost — without selling fear and without generic checklists copied from another market.

The threat landscape for Dominican companies

The average attacker isn't interested in your company specifically — they're running automated attacks at scale looking for the easiest target. The relevant question isn't 'why would they attack me?' but 'how easy is it to compromise my operation?'. These are the vectors behind most real incidents in the region:

  • Business email compromise (BEC): an attacker gains access to an email account — typically through a reused password or phishing — and from there intercepts invoices, changes account numbers, and requests transfers. It's the highest-impact financial fraud and requires no malware.
  • Ransomware: encryption of company systems with a ransom demand. It enters through a malicious attachment, an internet-exposed RDP, or a leaked credential. Without offline backups, the company is left choosing between paying or losing the operation.
  • Leaked and reused credentials: passwords exposed in third-party breaches that employees reuse on company systems. An attacker tests those combinations automatically (credential stuffing).
  • Exposed databases and services: a server, storage bucket, or database accessible from the internet without authentication. Most are discovered by automated scans within hours, not days.
  • Targeted phishing: emails impersonating a vendor, a bank, or management to capture credentials or authorize payments. The most exploited link is still the human one, not the technical one.
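The persistence step of the BEC pattern above (the attacker keeps a copy of the victim's mail through a forwarding rule and hides the fraudulent thread by auto-deleting it) is one of the few BEC actions that leaves a clean audit trail. The script below is an added example, not code from the original article: it flags those mailbox changes over a handful of constructed audit events and then correlates alerts by source IP. The event layout (fields such as op, forward_to and forwarding_smtp) is an assumed, simplified schema rather than any provider's real log format, and example.com.do stands in for the company's own domain.

```python
"""Flag mailbox changes typical of BEC persistence: inbox rules that forward
mail outside the organisation or silently delete it, and mailbox-level
forwarding to an external address.

Added example, not part of the original article. The event layout is an
assumed, simplified audit-log schema (hypothetical field names); map your
provider's real fields onto it before use.
"""
import json
from collections import defaultdict

INTERNAL_DOMAINS = {"example.com.do"}  # assumed: the company's own mail domains

# Constructed sample events; not real audit data.
SAMPLE_EVENTS = [
    {"user": "cfo@example.com.do", "op": "New-InboxRule", "name": "sync",
     "forward_to": ["j.doe@gmail.com"], "delete": False, "ip": "203.0.113.7"},
    {"user": "ap@example.com.do", "op": "Set-InboxRule", "name": "invoices",
     "forward_to": [], "delete": True, "subject_contains": ["invoice", "factura"],
     "ip": "198.51.100.3"},
    {"user": "finance@example.com.do", "op": "Set-Mailbox",
     "forwarding_smtp": "fin.backup@outlook.com", "ip": "198.51.100.3"},
    {"user": "hr@example.com.do", "op": "New-InboxRule", "name": "newsletters",
     "forward_to": [], "delete": False, "move_to": "Newsletters", "ip": "192.0.2.10"},
]


def is_external(address):
    """True when the address is outside the company's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def analyse_event(event):
    """Return (severity, reason) findings for a single audit event."""
    findings = []
    if event["op"] in ("New-InboxRule", "Set-InboxRule"):
        external = [a for a in event.get("forward_to", []) if is_external(a)]
        if external:
            findings.append(("high", f"rule '{event['name']}' forwards to external {external}"))
        if event.get("delete") and event.get("subject_contains"):
            findings.append(("high", f"rule '{event['name']}' deletes mail matching "
                                     f"{event['subject_contains']}"))
    elif event["op"] == "Set-Mailbox":
        target = event.get("forwarding_smtp")
        if target and is_external(target):
            findings.append(("high", f"mailbox forwards to external {target}"))
    return findings


def analyse(events):
    """Run every event through analyse_event and collect alerts."""
    alerts = []
    for event in events:
        for severity, reason in analyse_event(event):
            alerts.append({"user": event["user"], "ip": event["ip"],
                           "severity": severity, "reason": reason})
    return alerts


def shared_source_ips(alerts):
    """IPs behind alerts on more than one mailbox: one attacker, several victims."""
    users_by_ip = defaultdict(set)
    for alert in alerts:
        users_by_ip[alert["ip"]].add(alert["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    found = analyse(SAMPLE_EVENTS)
    for alert in found:
        print(json.dumps(alert))
    print("shared attacker IPs:", sorted(shared_source_ips(found)))
```

The ordinary "move newsletters to a folder" rule produces no alert; the three findings are the forward to Gmail, the rule that deletes anything mentioning invoices, and the mailbox-level forward, and the last two share a source IP, which is the signal that the same actor holds more than one account.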

Law 172-13: what data protection requires in the DR

Law 172-13 on the Protection of Personal Data is the Dominican framework that regulates how companies collect, store, and process personal data of clients, employees, and third parties. It isn't optional, and non-compliance carries legal and reputational consequences. The essentials for a company:

  • Consent and purpose: personal data is collected with consent and for a specific, legitimate purpose. You can't use data collected for one thing for a different purpose without a legal basis.
  • Duty of security: a company that processes personal data is obligated to adopt technical and organizational measures that ensure its security and prevent alteration, loss, or unauthorized access.
  • Data subject rights: individuals have the right to access, rectify, and delete their data. The company must have a mechanism to handle those requests.
  • Chain of responsibility with vendors: if you use a third party (cloud, SaaS, payment processor) to process data, responsibility for that data remains yours. Due diligence on your vendors is part of compliance.
If your company processes card payments, PCI DSS applies in addition to Law 172-13; it is a contractual requirement imposed by the card brands and your acquirer rather than a statute. And if you offer goods or services to, or monitor the behaviour of, people in the European Union, GDPR applies to that processing even though you operate from the DR. Compliance isn't a single checkbox: it depends on what data you handle and where its subjects are.

The controls that deliver 80% of the protection

Perfect security doesn't exist, but most incidents are prevented with a small set of well-implemented fundamental controls. Prioritize them in this order:

  1. Multi-factor authentication (MFA) everywhere: email, VPN, administrative access, online banking, and cloud consoles. MFA alone neutralizes the vast majority of stolen-credential attacks, and it is the highest-impact, lowest-cost control. One caveat: SMS codes and simple push prompts can still be phished in real time, so give administrators phishing-resistant methods (FIDO2 security keys or passkeys) first.
  2. Backups with the 3-2-1 rule: three copies, on two different media, one of them offline or immutable. A network-connected backup that ransomware also encrypts is not a backup. Test restoration periodically: a backup that has never been restored is an assumption, not a guarantee.
  3. Updates and patching: most intrusions exploit known vulnerabilities that already have a patch. A minimal process to update operating systems, applications, and dependencies, starting with anything exposed to the internet, closes the most-used door.
  4. Least privilege: each user and system has only the permissions it needs. When an account is compromised, the damage is limited to what that account could touch. Remove admin access no one uses, and separate day-to-day accounts from administrative ones.
  5. Email protection: anti-phishing filtering, SPF/DKIM/DMARC configured and actually enforcing (SPF ending in -all, DMARC at p=quarantine or p=reject), and alerts for suspicious forwarding rules. Email is the number-one entry point.
  6. Logging and monitoring: without logs there's no way to know what happened during an incident. Centralize logs from authentication and critical systems, keep them long enough to reconstruct an intrusion discovered months later, and define alerts for anomalous events.
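Item 5 asks for SPF, DKIM and DMARC "configured", but the common failure is records that exist and enforce nothing: an SPF record ending in ~all or ?all, or a DMARC record with p=none and no reporting address. The script below is an added example, not from the original article. It grades SPF and DMARC records passed in as strings (the two sample domains are constructed), so it runs offline; to grade a live domain, fetch the TXT records of the domain and of _dmarc.<domain> with a DNS resolver and pass them to grade(). DKIM requires knowing the sender's selector name, so it is not graded here.

```python
"""Grade a domain's SPF and DMARC records for the gaps that let an attacker
spoof its mail. Added example, not from the original article: it parses
record strings you pass in (the samples below are constructed), so it runs
offline. To grade a live domain, look up the TXT records of the domain and of
_dmarc.<domain> and pass them to grade().
"""

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10  # RFC 7208: more than 10 DNS-querying terms is a permerror

def parse_spf(record):
    """Return the SPF terms after 'v=spf1', or None if the string is not SPF."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        return None
    return parts[1:]

def dns_lookups(terms):
    """Count terms that cost a DNS query during evaluation."""
    count = 0
    for term in terms:
        name = term.lstrip("+-~?").lower()
        name = name.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in LOOKUP_MECHANISMS:
            count += 1
    return count

def check_spf(record):
    """Issues with an SPF record; an empty list means it enforces."""
    terms = parse_spf(record)
    if terms is None:
        return ["no SPF record: anyone can send as this domain"]
    issues = []
    tail = terms[-1].lower() if terms else ""
    if tail in ("+all", "all"):
        issues.append("'+all' authorises every host on the internet; use '-all'")
    elif tail == "?all":
        issues.append("'?all' is neutral, receivers treat it as no policy; use '-all'")
    elif tail == "~all":
        issues.append("'~all' is softfail; enforce with '-all' once DMARC reports are clean")
    elif tail != "-all":
        issues.append("record does not end in an 'all' mechanism; add '-all'")
    if dns_lookups(terms) > SPF_LOOKUP_LIMIT:
        issues.append("more than 10 DNS lookups: receivers evaluate this SPF as permerror")
    return issues

def parse_dmarc(record):
    """Return DMARC tags as a dict, or None if the string is not DMARC."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None

def check_dmarc(record):
    """Issues with a DMARC record; an empty list means it enforces and reports."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no DMARC record: SPF/DKIM failures are neither enforced nor reported"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors; move to quarantine, then reject")
    elif policy not in ("quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    if "rua" not in tags:
        issues.append("no rua= address: you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']}: the policy applies to only part of the mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        issues.append("sp=none leaves every subdomain unenforced")
    return issues

def grade(spf_record, dmarc_record):
    """Combine both checks into a verdict and the list of issues."""
    issues = check_spf(spf_record) + check_dmarc(dmarc_record)
    return ("enforced" if not issues else "weak"), issues

# Constructed records for two hypothetical domains.
WEAK = ("v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all",
        "v=DMARC1; p=none")
STRONG = ("v=spf1 include:_spf.google.com -all",
          "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.do; adkim=s; aspf=s")

if __name__ == "__main__":
    for label, records in (("weak", WEAK), ("strong", STRONG)):
        verdict, issues = grade(*records)
        print(f"{label}: {verdict}", *issues, sep="\n  ")
```

The "weak" domain is the typical state after a default cloud-mail setup: SPF is present but only softfails, and DMARC exists only because someone was told to add it. Moving it to the "strong" shape is a DNS change, not a purchase, which is why it sits among the near-zero-cost controls.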

Cloud security: the shared responsibility model

Moving the operation to AWS, GCP, or Azure doesn't delegate security to the provider. There's a shared responsibility model: the provider secures the physical infrastructure and platform; you're responsible for configuration, access, and data. The number-one cause of cloud breaches isn't a provider failure — it's customer misconfiguration.

  • Exposed storage: buckets or disks with public permissions that expose sensitive data. Verify nothing is accessible without explicit authentication.
  • Overly broad identities and permissions (IAM): service accounts with admin permissions that should have minimal access. Well-designed IAM is the foundation of cloud security.
  • Secrets in code: API keys, passwords, and tokens hardcoded in repositories. They must live in a secrets manager, never in code or unencrypted variables.
  • Lack of encryption and MFA on the root account: encryption at rest and in transit should be the standard, and the highest-privilege account must have mandatory MFA.
The most expensive mistake is assuming 'we're in the cloud, so we're secure.' The cloud gives you better security tools than an on-premise server, but only if you configure them. A cloud migration without a security configuration review transfers the risk, it doesn't eliminate it.
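For the first two cloud items above, here is an added example (not from the original article) of the check you would run over exported policy documents: a Python audit that flags identity policies granting wildcard or privilege-escalation permissions, and bucket policies that allow anonymous access. The policies follow the AWS IAM and S3 bucket-policy JSON grammar; the four sample policies, the bucket names and the account ID in them are constructed.

```python
"""Audit IAM-style JSON policies for two cloud misconfigurations: wildcard or
escalation-capable grants on identities, and storage open to the world.

Added example, not from the original article. Documents follow the AWS IAM /
S3 bucket policy grammar; sample policies are constructed.
"""
import json

def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _statements(policy):
    return _as_list(policy.get("Statement", []))

def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

# Actions that let a holder mint or assume more privilege than the policy shows.
ESCALATION_ACTIONS = {"iam:*", "iam:passrole", "sts:assumerole", "iam:createaccesskey"}

def audit_identity_policy(policy):
    """Findings for a policy attached to a user, role or service account."""
    findings = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        has_condition = "condition" in {k.lower() for k in st}
        if "*" in actions and "*" in resources:
            findings.append(f"statement {i}: full admin (Action:* on Resource:*)")
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            wide = sorted(a for a in actions if a.endswith(":*"))
            findings.append(f"statement {i}: service-wide wildcard {wide} on every resource")
        hit = sorted(ESCALATION_ACTIONS & set(actions))
        if hit and not has_condition:
            findings.append(f"statement {i}: privilege-escalation actions {hit} without a Condition")
    return findings

def audit_bucket_policy(policy):
    """Findings for a storage bucket policy: anonymous read or write."""
    findings = []
    for i, st in enumerate(_statements(policy)):
        if st.get("Effect") != "Allow" or not _principal_is_public(st.get("Principal")):
            continue
        if "condition" in {k.lower() for k in st}:
            continue  # conditioned public access (e.g. VPC or IP limited); review by hand
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        writes = [a for a in actions if a in ("s3:*", "s3:putobject", "s3:deleteobject")]
        reads = [a for a in actions if a in ("s3:*", "s3:getobject", "s3:listbucket")]
        if writes:
            findings.append(f"statement {i}: anonymous write ({writes})")
        elif reads:
            findings.append(f"statement {i}: anonymous read ({reads})")
    return findings

# Constructed policies; account ID and bucket names are placeholders.
OVERBROAD_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
LEAST_PRIV_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::invoices-prod/*"}]}
PUBLIC_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::customer-exports/*"}]}
PRIVATE_BUCKET = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/exporter"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::customer-exports/*"}]}

if __name__ == "__main__":
    for name, pol, fn in (("overbroad role", OVERBROAD_ROLE, audit_identity_policy),
                          ("least-privilege role", LEAST_PRIV_ROLE, audit_identity_policy),
                          ("public bucket", PUBLIC_BUCKET, audit_bucket_policy),
                          ("private bucket", PRIVATE_BUCKET, audit_bucket_policy)):
        print(name, json.dumps(fn(pol)))
```

The two "good" policies pass because they name a specific resource and a specific principal; that is the whole of the least-privilege rule in the list above. The bucket check deliberately skips public statements that carry a Condition, since those are sometimes legitimate (a static website restricted by source IP) and need a human decision rather than an automatic flag.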

Incident response: it's not if it happens, it's when

Companies that handle an incident well aren't the ones that never have one — they're the ones that had a plan before they needed it. A minimal response plan defines, in advance, who does what when something happens:

  1. Detection and containment: how the incident is identified and what immediate actions limit the damage (isolate systems, revoke access, cut connections).
  2. Roles and contacts: who leads the response, who decides, which external vendor is called, and how to reach each one after hours. A printed emergency directory, because the systems may be down.
  3. Communication: what is communicated, to whom, and when — clients, employees, authorities. Law 172-13 and other frameworks may require notification in certain cases.
  4. Recovery: how systems are restored from verified backups and how you confirm the attacker no longer has access before returning to production.
  5. Lessons learned: after the incident, which control was missing and what changes so it doesn't repeat. An incident without a post-mortem is an incident that will happen again.
Run a one-hour drill once a year: 'ransomware encrypted the main server, what do we do?'. The gaps you discover in a calm drill are infinitely cheaper than the ones you discover during a real incident at 3 a.m.

How to prioritize security investment

It's not about buying every tool on the market, but about investing where the real risk is greatest. A practical and honest approach for a company starting to take security seriously:

  • Start with the fundamental controls (MFA, backups, patches, least privilege): they deliver the greatest risk reduction and many cost close to zero beyond implementation time.
  • Inventory what data you have and where: you can't protect what you don't know exists. A data and systems inventory is the starting point of any serious strategy.
  • Assess your critical vendors: your security is only as strong as the weakest link in your chain, including the SaaS and cloud you use.
  • Consider cyber insurance once basic controls are in place: insurance covers residual impact, it doesn't replace controls — most policies require MFA and backups to pay out.
  • Team training: most successful attacks exploit a person, not a system. Brief, periodic training on phishing and credential handling has an extremely high return.

Frequently Asked Questions

How much should a mid-size company invest in cybersecurity?
There's no universal number, but a reasonable starting point is 5-10% of the IT budget for a mid-size company. More important than the amount is the allocation: fundamental controls (MFA, backups, patches, training) deliver the greatest risk reduction and many cost close to zero. Investment should grow with the criticality of the data you handle, not with company size alone.
Do I have to comply with Law 172-13 if I'm a small company?
Yes. Law 172-13 applies to any individual or legal entity that processes personal data in the DR, with no company-size threshold. If you store data of clients, employees, or vendors, you're bound by the duty of security and to respect data subject rights. The level of formalization can be proportional to your operation, but the obligation exists from the first personal data point you handle.
Is having a good antivirus enough?
No. Antivirus is a necessary control but covers only part of the risk. It doesn't stop an email compromise via stolen credentials, an exposed cloud configuration, a BEC transfer fraud, or an employee authorizing a fraudulent payment. Effective security is a combination of layered controls — antivirus is one of those layers, not the whole strategy.
What's most urgent if we've never done any security?
In this order: enable MFA on email and administrative access, verify you have offline and tested backups, and confirm there are no services or databases exposed to the internet without authentication. These three controls alone close the highest-impact vectors and can be implemented in days, not months.
Is cyber insurance worth it?
It's useful as coverage for residual risk once basic controls are in place, not as a substitute for them. Most policies require minimum requirements (MFA, backups, patch management) for coverage to be valid, and a company without those controls can see a claim denied. Controls first, insurance second.

Want to know how exposed your operation really is? We run an honest security assessment — no fear-selling — that identifies your real risks and gives you a plan prioritized by impact.



Camilo José María Castillo

Co-Founder & Technical Lead

Jairo Gabriel Melo Jiménez

Co-Founder — Cloud, DevOps & Infrastructure Lead
