Fernando Thompson
Director General
View from the Top

TBSEK: COVID-19 Expedites Digital Opportunities and Risks

By Alejandro Ehrenberg | Wed, 09/02/2020 - 11:52

Q: How has COVID-19 changed the use of digital technology in Mexico and what are the implications?

A: The pandemic has accelerated the adoption of digital technology in Mexico immensely. The digital services industry has advanced three years in just a few months of lockdown. Previous to the pandemic, companies’ IT departments focused mainly on supply chain, administrative and financial management. They also worked on a company’s online presence, including social media. However, almost nobody in Mexico had a plan in place for continuing with their activities in the case of a disaster like an earthquake or a hurricane — or a pandemic.

When COVID-19 broke out in Mexico, offices just sent their employees home without much thought. However, employees often work at home with their private computers and on home internet connections, lacking proper security conditions. This even applies to government offices. As Mexico was not prepared for the switch to home office, security gaps abounded. Hackers took full advantage of the situation. The pandemic has been a banquet for them.

Even before the pandemic, Mexico already was among the Top 10 most-hacked countries. The market volume in Mexico is huge and there is no digital security culture. Prominent banks have been hacked. PEMEX has been hacked. Untold numbers of SMEs have been hacked. No industry is immune to cyberattacks.

It will take a long time for normality to settle in again once the pandemic lets up. For example, top executives tend to be in vulnerable age groups, so they will be kept at home until it is 100 percent safe for them to go back to the office. Other workers in less vulnerable groups will return to the office sooner. Thus, the usual office network will look different, as it will have to incorporate people in different locations. Security will have to adapt. A hybrid work model will need a hybrid security strategy.

Q: What are the most common cyberattacks in Mexico and how can businesses protect themselves?

A:  During the pandemic, the most common attacks have been phishing and spoofing. In the former, hackers contact their targets by email, telephone or text message posing as a legitimate institution to lure them into providing sensitive data, such as personally identifiable information, banking and credit card details and passwords. On the other hand, spoofing is when criminals disguise a communication from an unknown source as being from a known, trusted source. Spoofing can apply to emails, phone calls and websites, or can be more technical, such as a computer spoofing an IP address. The common denominator between phishing and spoofing is that they look for inside people in the company and trick them to gain valuable information. To fight these attacks, everyone in the company must be educated about them. You can invest in a sophisticated security system but if your workers are not trained, then they become easy targets. About 80 percent of security breaches come from within the company.

Q: What are the main cyber risks the mining industry faces?

A: Mines today are very digitalized but, in most cases, they are not well-protected. One reason for this is that cybersecurity tends to be divided into two large groups: IT and OT. The first has to do with preventing unauthorized access to organizational assets such as computers, networks and data. OT deals with operational devices that involve digital technology. It involves hardware and software that detects or causes a change through the direct monitoring and control of physical devices, processes and events in the mining project’s operation.

Normally, there is no communication between the IT and OT departments. While IT assets are reasonably well-protected, OT assets tend not to be and are easy to hack. For example, hackers may highjack an electric rope shovel. They might also take over the control system for an explosives network. Anything that is computerized and is part of a network can fall prey to cybercriminals. Attacks where hackers paralyze a piece of equipment and demand a ransom in exchange for freeing them, called ransomware, are rather common in the mining industry. 

The first line of defense in mining operations is related to all the personnel that works with a computer connected to a network. Users need to be trained and installing security services is not enough. Personnel need to be educated on simple things, like not using the same password for everything, for example. This includes everyone from the CEO to the rank and file employees.

The second line of defense refers to every device that is connected to the internet but is not a computer. This is commonly known as the Internet of Things. There has to be a strategy that guarantees that operating systems are updated. Regular scanning must be done to guarantee that no device is compromised. Also, and very importantly, communication channels need to be shielded, which is called encryption. Furthermore, attacks have reached such a level of complexity that businesses should secure AI solutions to prevent them.

Q: Why should companies take cybersecurity seriously?

A: Cybercrime is more profitable than traditional physical crime, and organized criminals know this. The dark web is four times larger than the internet and most cybercriminals operate there. There is a world out there that is mostly unknown to regular businesspeople, yet it is full of dangers that need to be addressed. In Mexico, the authorities have not made this a priority. While there is a cybercrime unit — staffed with good people — its resources are simply not enough. Therefore, businesses have to take the matter largely into their own hands. 

As a consultant, I look out for red flags in companies that point to lagoons in their cybersecurity. If a given company has not directed a considerable portion of its OPEX to fighting this — at least more than 10 percent — that is a red flag. If the company lacks a specialist in cybersecurity at the executive level, then that is another red flag. These are examples of indicators we look at.

At the board level, cybersecurity needs to be a top priority. It should be a constant topic of conversation among board members. Potential consequences of not taking it seriously include reputational damage. If an attack paralyzes the company, then its value on the stock market will plunge, as a major risk will be exposed. If payroll systems are highjacked, then that could even result in a strike. Also, strategic information can be illegally published.

TBSEK specializes in the development of cybersecurity and information governance strategies that maintain the continuity of businesses, using services that provide the necessary visibility to predict, detect and immediately respond to possible incidents.

Alejandro Ehrenberg Alejandro Ehrenberg Journalist and Industry Analyst