Andorra Turisme boosts cybersecurity with monitoring, training and zero‑trust
The tourism agency runs continuous monitoring, scenario-based incident plans and mandatory staff training while isolating consumer devices and using.
Key Points
- Continuous monitoring, periodic risk assessments and scenario-based incident plans up to full system lockdown
- Email identified as primary risk vector; mandatory cybersecurity training run with Win2Win per Data Protection Agency
- Critical assets mapped; servers/workstations monitored; consumer devices isolated and zero-trust principles applied
- Regular external Black Box/White Box pentests and a crisis cabinet coordinate responses; policies and tools are continually reviewed
"Our strategy is clear: alongside a continuous improvement cycle for systems, communications and employee training, we work on detection through constant monitoring so we can respond to incidents as they arise," says Albert Rulló, head of IT and Organisation at Andorra Turisme.
The organisation runs scenarios for each potential incident, ranging from partial responses that can be executed without disrupting daily activity to severe measures that would entail full lockdown of systems and communications. Periodic digital risk assessments are performed through monitoring graphs and random validation and recovery of backups. Controlled attack tests are carried out regularly, both internally and externally.
Email is identified as the primary risk vector because of its intensive use across teams and the volume of projects handled via that channel. To address human risk factors, Andorra Turisme has mandatory cybersecurity training in partnership with Win2Win, scheduled in accordance with the Data Protection Agency. Training uses graphical examples to sensitise staff to everyday behaviours that can create vulnerabilities.
Critical digital assets are identified as a prior step to building the security plan, an essential phase that determines the plan’s scope and resource impact. Servers, workstations and communications are actively monitored, while consumer-type devices found within the organisation are isolated in a physically and logically segregated zone. The organisation follows prevention measures and applies zero-trust principles where beneficial.
Andorra Turisme maintains a crisis cabinet to coordinate responses to impersonation attempts, data hijacking or leaks. Once an incident is identified, the cabinet decides corrective measures, communication content and the coordination between management and departments, aiming for a proportionate response.
On specific technologies such as firewalls, antivirus and monitoring tools, Rulló declined to provide details to avoid revealing potential vulnerabilities, but confirmed the use of recognised, market-leading solutions. Security audits are regular: external specialists conduct Black Box and White Box pentests, simulating attacks without and with prior information respectively, which allows the organisation to evaluate and strengthen its defences.
Rulló stresses the necessity of an ongoing review cycle for policies, processes and tools. "You cannot assume that designing a cybersecurity plan is enough — you must continuously evaluate and apply updates as they appear," he says. Obsolete equipment, even if still functional, can be dangerously vulnerable once it no longer receives official updates from the manufacturer.
Finally, Rulló notes that the cybersecurity landscape is changing rapidly — including the influence of artificial intelligence, which has transformed the field both positively and negatively — and that staying current is one of the organisation’s principal ongoing concerns.
Original Sources
This article was aggregated from the following Catalan-language sources: