Effective Cybersecurity in Mining Requires Tropicalization: TBSEK

Q: Why should the Mexican mining sector consider cybersecurity in company business plans? 
A: According to FBI data, if cybercrime were considered a country, it would be the sixth wealthiest in the world. Cybercrime has surpassed many other economic activities and has undergone a process of professionalization.

For instance, in Russia and India, call centers have emerged with hundreds of computers and operators hired by organized crime groups specializing in ransomware. These call centers offer assistance to ransomware victims to pay the ransom. Let's say I am a cybercriminal affecting 10,000 people with my ransomware and asking for payment through Bitcoin. The challenge for the cybercriminal arises when only 1% of those affected know how to buy bitcoins; even if they are willing to pay, they cannot. These cybercriminals provide a helpline where a person assists in buying bitcoins to facilitate the payment. 

Once paid, the same person guides the victim on how to retrieve the information, instilling confidence in the payment process. This reveals the high level of organizational structure; they establish call centers to handle their "customers." It emphasizes the misconception that cybercriminals are masked individuals in the night. In fact, they are part of well-assembled organizations with diverse roles like financial operators or lawyers.

These organizations are highly structured, and their structures can be intricate. Furthermore, cybercriminals are the best example of continuous improvement, because once they are detected, their malware becomes obsolete, pushing them to create new and improved versions.

Regarding the mining sector, cybercriminals prefer to attack industries where damage can be easily quantified. For example, if they attack any company, leaving it without email for a day, and you ask it how much money it lost, it may not be able to quantify it. It might not have incurred direct financial losses; rather, its processes were delayed. For a company that pays overtime, the actual damage could be measured in the extra hours spent recovering lost time. 

If you are a mining company, and cybercriminals disable your mill, every second it is stopped costs about US$5.97. Multiply that by 60 for an hour, and the financial impact can accumulate, even for days. Consequently, cybercriminals can precisely estimate the time and money a company would lose because a critical piece of equipment went offline. They make it clear: Pay US$1 million or suffer damage worth US$10 million. 

Q: What is the current level of adoption of cybersecurity measures in the sector?  
A: Of all the sectors we work in, the mining industry is among the most security-conscious, along with the industrial and financial sectors. However, among these, the mining sector's awareness is more mature. Unfortunately, the financial sector's awareness is primarily regulatory, with authorities dictating what institutions must do. Most efforts in the financial sector are directed at meeting regulatory requirements.

On the other hand, the mining sector does not have the same compliance-driven approach. Its awareness is pure, centered around the understanding that a security event can cause significant damage. Instead of striving to meet regulatory standards, mining companies focus on solving their problems. This has value because others are wearing themselves out, first by responding to authorities to avoid harm and then defending against attackers.

However, the sector’s challenge is different because technological obsolescence is distinct. In traditional companies, you change computers every three to four years and servers may be replaced every five years. However, in the industrial and mining sectors, it is different. Many components are designed to last 15, 20, or even 30 years, considering the time it takes for the business to become profitable. 

The obsolescence challenge is complex, it is not merely a lack of updates. While crime evolves quickly, the production line installed 10 or 15 years ago was not designed to anticipate the sophisticated techniques employed by contemporary cybercriminals. Discarding the production line is not a feasible solution, considering it still has 15 more years of operational life. Thus, everything must be approached through compensatory control.

In a bank, if a server exhibits vulnerability, the solution is to update and close the loophole. However, in a mine, a machine might be running a system that is incompatible with any new software version. Attempting to update it would render the system inoperable, compelling it to remain unchanged and defended without manipulation. The challenge is considerably more complex.

Q: What is TBSEK’s cybersecurity offer to the Mexican mining industry?
A: TBSEK is a relatively young company, with seven years in the market, but it was formed from two much older companies with 20 years in the market. Furthermore, I have 30 years of actively working in the market. When my partners and I designed TBSEK, we were thinking about how companies that had invested in security would suffer an attack, invest more in insecurity, and continue to suffer attacks. There was a process escalation where we were plugging the hole we had plugged before. So, we started thinking, “What is happening? Why do companies invest in cybersecurity and still struggle to defend themselves?” 

We had to distance ourselves a bit from the standard holistic, global approach and understand that each person is different. This makes each company different and each country different. So, customization became a key point for us. There are many regulations on how to implement security, such as ISO-27001, the cybersecurity framework from the National Institute of Standards and Technology in the United States. There are many reference frameworks, but most of these were not developed for Spanish speakers, let alone for Latinos, and even less for Mexicans.

When you start incorporating factors of cultural identity, the game changes. Thus, one of the key vectors for us is to ensure that security understands the cultural identity of an organization. We developed a concept called “cybersecurity at me,” which is essentially cybersecurity designed for you. 

In this sense, there are security solutions that require a certain maturity to adopt. An example of this is Network Access Control (NAC), a technology where every device connecting to the network needs to be known, validated, and, from that moment on, allowed to connect to the network if it meets specific requirements. If you implement NAC, you will prevent unrecognized devices from appearing on your network. However, not all companies adopt it, because they are not mature enough to adopt that technology.

NAC is a great tool, but it would be worthless to sell it to you if your organization has not yet achieved the maturity to handle it; therefore, customization and tropicalization are key. That is our differentiator, we think about who we are working for and align the required concepts.

Q: What is the role of your strategic alliances and how do those impact your clients? 
A: We have been bringing in brands that have empathy with the localization concept we aim to convey. For example, we conduct awareness talks or technology presentations for clients where we transmit the challenge of implementing our approach and technology: what they need to consider, how it works, what benefits it will provide, and also the challenges it will pose. We try to convey a bit of reality, and the companies we partner with have understood the concept of localization.

Q: How will TBSEK grow in the near term, particularly in the mining sector, and what new solutions is TBSEK planning to roll out? 
A: We are very committed to the mining sector. It is truly a sector where we have also had the opportunity to learn. It is also one of the sectors that has challenged us the most, allowing us to extend our knowledge to other sectors with highly strategic data. 

Companies from the sector have asked us for metrics to determine the savings they receive by using our solutions. We embraced the challenge and found a way to extrapolate data, estimating potential costs in various scenarios: best, intermediate, and worst-case. In response to the client's need for quantifiable data, we incorporated an actuarial analysis from insurance, further validating the calculated risk value. This unique approach not only met the client's request but also emphasized the critical importance of cultivating security awareness.

The inherent challenge in cybersecurity lies in convincing companies to invest in prevention, particularly if they have not yet experienced significant incidents. The process entails adapting to specific situations, recognizing shades of gray, and addressing the shortage of specialists, a challenge that is expected to persist for several years.


TBSEK is a cybersecurity company focused on providing comprehensive visibility in networks to enhance the effectiveness of security investments. With more than 25 years of experience, the company specializes in cybersecurity and information governance strategies.