A Cultural Shift on Cybersecurity

By Cinthya Alaniz Salazar | Fri, 12/10/2021 - 12:30
Q: What role does AMECI play in strengthening the cybersecurity infrastructure within Mexico’s business sector?
A: AMECI could help companies bolster their cybersecurity infrastructure by helping them strengthen or establish the three foundational pillars of cybersecurity: awareness and training, analysis and management. A culture of awareness should be cultivated among individuals who are in charge of maintaining the security of the organization. It is essential that they understand what data and technology they have so they know how to protect it, which should be done in conjunction with other collaborators within the organization. Moreover, this practice should be continually reinforced with digestible monthly updates about how to identify risks, which are continually evolving, and how to mitigate them.
Before instilling this culture, companies should first conduct a comprehensive system vulnerability test, which, again, should be done periodically. Only after scanning everything connected to the company network can companies identify areas of exposure and build them up properly to thwart, or at least undermine, ransomware attacks. It can also help draw out inefficient or malicious software that should not be embedded within the organization’s infrastructure in the first place. Finally, a continual flow of internal data is crucial to the development and actualization of offensive strategies that can be deployed at any given moment.
AMECI found that a number of companies were purchasing cybersecurity “solutions” and technologies without fully understanding how they functioned. Often, these solutions had little to no effect in protecting their business models. Cybersecurity is not a technology issue that can be solved with the purchase of software. Cybersecurity is a cyclical process consisting of people, documents, physical infrastructure and procedural policies. Moreover, while AMECI encourages businesses to act as internal sponsors, they should also delegate security to a third party that is aligned with the business.
Q: What is the importance of delegating cybersecurity to a third party and how should companies assess potential collaborators?
A: While cybersecurity does not necessarily need to be delegated, doing so allows companies to get an unbiased opinion about the company’s security infrastructure, specialized technology and supporting software programs. Before charging this service to an outside provider, however, businesses should thoroughly evaluate their candidates.
Qualifying criteria should include knowledge of the technology and software that they will be charged with protecting, qualified and experienced personnel, a robust confidentiality agreement and client references. These indicators will help businesses verify that the third party will be able to meet performance expectations, confirm that they have not allowed any security incidents and that they too are in compliance with security standards. Overall, establishing the legitimacy of a third-party provider is more straightforward than hiring independent contractors, which should entail a more rigorous process.
Human resource departments should receive specialized training to properly vet independent talent, given that this requires the verification of certifications, the screening of social media profiles and a thorough assessment of their digital footprint. Following these guidelines will allow businesses to weed out unqualified talent, potentially harmful agents and evade legal problems downstream. Vetting independent talent is immeasurably important because a security manager will need to access everything in the business, including its records. This is not just another job profile; it should be treated as a director-level position given that these people will handle, transfer and store sensitive information.
Q: Now that cybersecurity is recognized as a fundamental business need in Mexico, how has this changed AMECI’s consulting process with clients?
A: AMECI is developing a free tool that will give all interested organizations a free evaluation based on their size and technology composition. According to their inputs, businesses will be categorized in one of three possible ratings, which will then be reinforced by an additional 22 follow-up questions meant to assess their security maturity and identify security gaps. At the end of the evaluation, companies will be provided with an analysis that will detail practical steps to achieve a greater security profile.
Before the COVID-19 pandemic, our clients were mainly concerned with penetration-testing of their websites. This concern has shifted to security assessment, which stems from compliance requirements established by business partners. In other words, there is significant external pressure on internationally-oriented companies to meet compliance standards, such as the EU’s General Data Protection Regulation, or GDPR. Thankfully, this has prompted company directors to get involved with their security infrastructure, which is often the first step to generating operational awareness.