The threat landscape for Dominican companies
The average attacker isn't interested in your company specifically — they're running automated attacks at scale looking for the easiest target. The relevant question isn't 'why would they attack me?' but 'how easy is it to compromise my operation?'. These are the vectors behind most real incidents in the region:
- Business email compromise (BEC): an attacker gains access to an email account, typically through a reused password or phishing, and from there reads invoice threads, changes the account numbers on them, and requests transfers to accounts they control. It's the highest-impact financial fraud for most companies and requires no malware at all.
- Ransomware: encryption of company systems followed by a ransom demand. It enters through a malicious attachment, an internet-exposed RDP service, or a leaked credential. Without offline backups, the company is left choosing between paying and losing the operation; most current groups also exfiltrate data before encrypting, so backups alone don't remove the extortion lever.
- Leaked and reused credentials: passwords exposed in third-party breaches that employees reuse on company systems. An attacker tests those combinations automatically (credential stuffing).
- Exposed databases and services: a server, storage bucket, or database reachable from the internet without authentication. Most are found by automated internet-wide scans within hours of being exposed, not days.
- Targeted phishing: emails impersonating a vendor, a bank, or management to capture credentials or authorize payments. The most exploited link is still the human one, not the technical one.
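How the credential stuffing described above shows up in an authentication log, and the check a monitoring setup can run over it. This is an added example, not code from the original page; the log line format, the sample lines, the thresholds (five distinct accounts from one address inside five minutes) and the function names are this example's own assumptions. Real sources (Microsoft 365 sign-in logs, sshd, a VPN concentrator) use different formats but carry the same fields.

```python
"""Credential-stuffing detection over authentication log lines (added example).

Assumed line format (constructed for this example):
    <ISO timestamp> <OK|FAILED> user=<account> ip=<source address>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAILED) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample: 203.0.113.7 tries one password against many accounts and
# gets one hit (stuffing); 198.51.100.20 is a single user mistyping twice (benign).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z FAILED user=ana@example.do ip=203.0.113.7
2024-05-01T08:00:02Z FAILED user=luis@example.do ip=203.0.113.7
2024-05-01T08:00:02Z FAILED user=maria@example.do ip=203.0.113.7
2024-05-01T08:00:03Z FAILED user=jose@example.do ip=203.0.113.7
2024-05-01T08:00:03Z FAILED user=carla@example.do ip=203.0.113.7
2024-05-01T08:00:04Z OK user=pedro@example.do ip=203.0.113.7
2024-05-01T08:10:00Z FAILED user=ana@example.do ip=198.51.100.20
2024-05-01T08:10:05Z FAILED user=ana@example.do ip=198.51.100.20
2024-05-01T08:10:20Z OK user=ana@example.do ip=198.51.100.20
"""


def parse(lines):
    """Yield parsed events; malformed lines are skipped rather than crashing the job."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield event


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5):
    """Return {ip: details} for source addresses whose failed logins hit at least
    `min_users` distinct accounts inside `window`. Unlike a per-account lockout
    counter, this keys on the source address, which is what distinguishes
    stuffing (one password, many accounts) from a user who forgot a password.
    `successful_logins` lists accounts that IP logged into after the spray
    started: those are the accounts to treat as compromised."""
    events = sorted(parse(log_text.splitlines()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "FAILED"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in failures[start:end + 1]}
            if len(users) >= min_users:
                spray_start = failures[start]["ts"]
                hits = sorted({e["user"] for e in evs
                               if e["result"] == "OK" and e["ts"] >= spray_start})
                alerts[ip] = {"distinct_users": len(users), "successful_logins": hits}
                break
    return alerts


if __name__ == "__main__":
    for ip, details in detect_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {details['distinct_users']} accounts targeted, "
              f"successful logins: {details['successful_logins'] or 'none'}")
```

The benign case matters as much as the alert: the user who fails twice and then succeeds from one address never trips the rule, so the alert stays actionable instead of drowning in password-typo noise.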
Law 172-13: what data protection requires in the DR
Law 172-13 on the Protection of Personal Data is the Dominican framework that regulates how companies collect, store, and process personal data of clients, employees, and third parties. It isn't optional, and non-compliance carries legal and reputational consequences. The essentials for a company:
- Consent and purpose: personal data is collected with consent and for a specific, legitimate purpose. You can't use data collected for one thing for a different purpose without a legal basis.
- Duty of security: a company that processes personal data is obligated to adopt technical and organizational measures that ensure its security and prevent alteration, loss, or unauthorized access.
- Data subject rights: individuals have the right to access, rectify, and delete their data. The company must have a mechanism to handle those requests.
- Chain of responsibility with vendors: if you use a third party (cloud, SaaS, payment processor) to process data, responsibility for that data remains yours. Due diligence on your vendors is part of compliance.
The controls that deliver 80% of the protection
Perfect security doesn't exist, but most incidents are prevented with a small set of well-implemented fundamental controls. Prioritize them in this order:
1. Multi-factor authentication (MFA) everywhere: email, VPN, administrative access, online banking, and cloud consoles. MFA neutralizes the vast majority of stolen-credential attacks, with one caveat: SMS codes and app-generated one-time codes can still be relayed by real-time phishing pages, so prefer push with number matching or FIDO2 security keys for administrators and finance staff. It's still the highest-impact, lowest-cost control.
2. Backups with the 3-2-1 rule: three copies, on two different media, one of them offline or immutable. A backup that stays mounted on the network and that ransomware can encrypt along with everything else is not a backup. Test restoration periodically: a backup that has never been restored is an assumption, not a guarantee.
3. Updates and patching: most intrusions exploit known vulnerabilities for which a patch already exists. A minimal process to update operating systems, applications, and dependencies, internet-facing systems first, closes the most-used door.
4. Least privilege: each user and system has only the permissions it needs. When an account is compromised, the damage is limited to what that account could reach. Remove admin access no one uses, and keep day-to-day work (email, browsing) out of administrative accounts.
5. Email protection: anti-phishing filtering; SPF, DKIM and DMARC published for your domain, with DMARC at an enforcing policy (p=quarantine or p=reject) rather than the monitoring-only p=none; and alerts for newly created mailbox forwarding rules, a common way BEC attackers keep reading a compromised inbox after the password is changed. Email is the number-one entry point.
6. Logging and monitoring: without logs there's no way to know what happened during an incident. Centralize authentication logs and the logs of critical systems, retain them for months rather than days (intrusions are often discovered long after the initial access), and define alerts for anomalous events: many failed logins across many accounts from one address, sign-ins from unexpected countries, new forwarding rules, new administrative accounts.
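A check for the SPF and DMARC records mentioned under email protection, added here as an example rather than the page's own tooling. It evaluates records passed in as strings (the sample records are constructed), so it runs offline; the finding codes and function names are this example's own. A real deployment would first fetch the TXT records for `example.do` and `_dmarc.example.do` with a DNS resolver and then pass them to these functions.

```python
"""Weak-setting checks for SPF and DMARC TXT records (added example).

The checks encode RFC 7208 (SPF) and RFC 7489 (DMARC) semantics:
  - SPF ends with a qualifier on "all": "+all" authorizes anyone, "?all" is
    neutral, and a record with no "all" term at all evaluates to neutral.
  - SPF allows at most 10 DNS-lookup terms; more than that makes receivers
    return permerror and ignore the record.
  - DMARC "p=none" only reports; spoofed mail is still delivered.
  - "sp" (subdomain policy) defaults to "p"; "sp=none" leaves subdomains open.
  - "pct" below 100 enforces the policy only on a fraction of messages.
"""
import re

SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Parse 'tag=value; tag=value' (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_spf(record):
    """Return a list of finding codes for one SPF record (empty list = no issue)."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf-missing"]
    mechanisms = terms[1:]

    alls = [t for t in mechanisms if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        findings.append("spf-no-all-neutral")
    else:
        qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("spf-plus-all")
        elif qualifier == "?":
            findings.append("spf-neutral-all")

    # Count terms that cost a DNS lookup: "include:dom", "a/24", "mx", "redirect=dom" ...
    lookups = 0
    for term in mechanisms:
        name = re.split(r"[:=/]", term.lstrip("+-~?"), 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append("spf-too-many-lookups")
    return findings


def check_dmarc(record):
    """Return a list of finding codes for one DMARC record (empty list = no issue)."""
    findings = []
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc-missing"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc-p-none")
    elif policy not in ("quarantine", "reject"):
        findings.append("dmarc-p-invalid")
    subdomain_policy = tags.get("sp", policy).lower()
    if subdomain_policy == "none" and policy != "none":
        findings.append("dmarc-sp-none")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("dmarc-partial-pct")
    if "rua" not in tags:
        findings.append("dmarc-no-reports")
    return findings


def audit_domain(spf_record, dmarc_record):
    """Combine both checks; the caller supplies the two TXT record strings."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


if __name__ == "__main__":
    # Constructed records: a weak pair beside a corrected pair.
    weak = audit_domain("v=spf1 a mx +all", "v=DMARC1; p=none")
    fixed = audit_domain("v=spf1 include:_spf.google.com -all",
                         "v=DMARC1; p=reject; rua=mailto:dmarc@example.do")
    print("weak  :", weak)
    print("fixed :", fixed)
```

Moving straight from no DMARC to p=reject will bounce mail from any legitimate sender you forgot to list in SPF or sign with DKIM, so the usual path is p=none with rua reports for a few weeks, then p=quarantine, then p=reject.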
Cloud security: the shared responsibility model
Moving the operation to AWS, GCP, or Azure doesn't delegate security to the provider. There's a shared responsibility model: the provider secures the physical infrastructure and platform; you're responsible for configuration, access, and data. The number-one cause of cloud breaches isn't a provider failure — it's customer misconfiguration.
- Exposed storage: buckets or disks with public permissions that expose sensitive data. Verify nothing is reachable without explicit authentication, and turn on the provider's account-wide block on public access so that one misconfigured bucket policy can't reopen it.
- Overly broad identities and permissions (IAM): service accounts and roles with administrator permissions where a short list of actions on specific resources would do. Well-designed IAM is the foundation of cloud security.
- Secrets in code: API keys, passwords, and tokens hardcoded in repositories or committed in configuration files. They must live in a secrets manager, never in code or unencrypted variables, and any key that was ever committed must be rotated, because it stays in git history after it's deleted from the current version.
- Missing encryption and no MFA on the root account: encryption at rest and in transit should be the default, and the highest-privilege account (the AWS root user, a GCP organization administrator, an Azure Global Administrator) must have mandatory MFA and be used only for the few tasks that require it.
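An added example, not the page's code or any cloud provider's tooling, that applies the IAM and exposed-storage points above to AWS-style policy documents: it flags Allow statements that grant every action on every resource, a service-wide wildcard (such as `s3:*`) on all resources, or a public `Principal`. The sample policies are constructed, and the `audit_policy` name and finding codes are this example's own.

```python
"""Flag overly broad IAM statements and public bucket policies (added example).

Operates on parsed AWS IAM policy JSON. Statement, Action, Resource and the
AWS key of Principal may each be a single string or a list, so everything is
normalized to a list first.
"""
import json


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # Both `"Principal": "*"` and `"Principal": {"AWS": "*"}` mean anyone.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def _action_is_broad(action):
    # "*" is every action; "s3:*" is every action of one service.
    return action == "*" or action.endswith(":*")


def audit_policy(policy):
    """Return [(statement_label, finding_code), ...] for risky Allow statements.

    Labels use the statement's Sid when present, otherwise its index."""
    findings = []
    for index, statement in enumerate(_as_list(policy.get("Statement"))):
        label = statement.get("Sid", f"Statement[{index}]")
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action"))
        resources = _as_list(statement.get("Resource"))

        if any(a == "*" for a in actions) and "*" in resources:
            findings.append((label, "full-admin"))
        elif any(_action_is_broad(a) for a in actions) and "*" in resources:
            findings.append((label, "service-wide-on-all-resources"))

        if _principal_is_public(statement.get("Principal")):
            # A Condition (e.g. aws:SourceVpce) narrows a public principal, but it
            # still deserves review, so it gets its own code instead of a pass.
            code = "public-principal-conditional" if "Condition" in statement else "public-principal"
            findings.append((label, code))

        if "NotAction" in statement or "NotResource" in statement:
            # Allow + NotAction grants everything except a list; easy to misread.
            findings.append((label, "allow-with-negation"))
    return findings


# Constructed sample policies: the weak version beside the corrected one.
WEAK_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowEverything", "Effect": "Allow",
                   "Action": "*", "Resource": "*"}],
}

LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ReadInvoices", "Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::invoices-example",
                                "arn:aws:s3:::invoices-example/*"]}],
}

PUBLIC_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::invoices-example/*"}],
}


def audit_policy_text(policy_json):
    """Convenience wrapper for a policy document read from a file or API response."""
    return audit_policy(json.loads(policy_json))


if __name__ == "__main__":
    for name, policy in [("weak role", WEAK_ROLE_POLICY),
                         ("least privilege", LEAST_PRIVILEGE_POLICY),
                         ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(f"{name}: {audit_policy(policy) or 'no findings'}")
```

A clean result from this check is necessary, not sufficient: an object ACL, a disabled account-level public access block, or a role trust policy can expose data even when every statement here passes, so treat it as one screen in a review, not as the review.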
Incident response: it's not if it happens, it's when
Companies that handle an incident well aren't the ones that never have one — they're the ones that had a plan before they needed it. A minimal response plan defines, in advance, who does what when something happens:
1. Detection and containment: how the incident is identified and which immediate actions limit the damage (isolate affected systems, revoke access and sessions, cut outbound connections), and who is authorized to take them without waiting for a meeting.
2. Roles and contacts: who leads the response, who decides, which external vendor is called, and how to reach each one after hours. Keep a printed copy of the emergency directory, since the systems it's stored on may be the ones that are down.
3. Communication: what is communicated, to whom, and when (clients, employees, authorities). Law 172-13 and other frameworks you're subject to may require notification in certain cases, so settle the criteria and the contact points before an incident, not during one.
4. Recovery: how systems are restored from verified backups and how you confirm the attacker no longer has access (credentials reset, persistence such as forwarding rules and newly created accounts removed, the entry point closed) before returning to production. Restoring before eviction just hands the attacker the rebuilt environment.
5. Lessons learned: after the incident, which control was missing and what changes so it doesn't repeat. An incident without a post-mortem is an incident that will happen again.
How to prioritize security investment
It's not about buying every tool on the market, but about investing where the real risk is greatest. A practical and honest approach for a company starting to take security seriously:
- Start with the fundamental controls (MFA, backups, patches, least privilege): they deliver the greatest risk reduction and many cost close to zero beyond implementation time.
- Inventory what data you have and where: you can't protect what you don't know exists. A data and systems inventory is the starting point of any serious strategy.
- Assess your critical vendors: your security is only as strong as the weakest link in your chain, including the SaaS and cloud you use.
- Consider cyber insurance once basic controls are in place: insurance covers residual impact, it doesn't replace controls, and many insurers now require MFA and tested backups as a condition of coverage, so a policy bought before those exist may not pay out.
- Team training: most successful attacks exploit a person, not a system. Brief, periodic training on phishing and credential handling has an extremely high return.
Frequently Asked Questions
How much should a mid-size company invest in cybersecurity?
Do I have to comply with Law 172-13 if I'm a small company?
Is having a good antivirus enough?
What's most urgent if we've never done any security?
Is cyber insurance worth it?
Want to know how exposed your operation really is? We run an honest security assessment — no fear-selling — that identifies your real risks and gives you a plan prioritized by impact.
Talk to our team