Knowing Your Company Is the First Step Toward Cybersecurity
By Sofía Hanna | Thu, 07/15/2021 - 06:00
Q: What is the ideal strategy to ensure the protection of end-user information?
A: The best way to protect an end-user’s information is through awareness programs that provide users with knowledge and training. Users should also know all the security policies that the organization has implemented and receive reinforcement on each one. At the end of the day, a user who does not know how to comply with a security policy will heighten vulnerabilities.
Q: How is AMSI supporting cybersecurity companies that offer protection solutions?
A: At AMSI, our first goal is to address information security in a professional manner. In the past few years, some companies have sprouted with the sole goal of reaping financial benefits instead of trying to help people. To minimize companies competing on price, we run a risk management process to understand the basic and specific needs of a client regarding information security at that moment. Using that information, we select specific security controls; the idea is that organizations learn how to use a risk-based approach.
Q: What are the main problems that SMEs face when it comes to cybersecurity? What are some of their most common mistakes and how can AMSI help them to avoid those mistakes?
A: Both big and small companies should go about implementing risk management programs in the same way. The security program and the related information security controls need to be in place based on the risk management process. There is a sequence to this process and if companies do not follow the steps of the risk management process and the security program, they will run into problems. First, the objectives of the company must be identified, followed by all the critical processes that support those objectives. From there, a risk assessment of each one of those processes is necessary. If you understand the vulnerabilities of that company, its size does not matter. It is the same process for all of them.
Q: How are AMSI’s members supporting the generation of policy and legislation concerning cybersecurity in Mexico?
A: AMSI, as part of Monterrey-based CONSEJOSI, which focuses on information security practices, aims to support the government in the creation of legislation and policies regarding cybersecurity in Mexico. AMSI and CONSEJOSI also aim to support the development of more professionals who can review the government's legislation and policies. We are also planning to send a comprehensive document to the government that will provide it with our expertise in information security.
Q: How does cybersecurity work in elections to ensure their legality and transparency? What are the challenges?
A: Candidates in elections often talk about transparency and integrity, which require controls to legitimize the election. That is important but there are two problems. The first is that the candidate might not be aware of information security issues. The second is that they might not know how to handle cybersecurity changes. We can help with that. Mexico's National Electoral Institute (INE) made a great effort to ensure that the systems in place before the June 6 elections were secure. These systems were updated and validated by some of AMSI's collaborators. We reviewed all code and systems related to the preparation process and we validated all of the procedures and steps to ensure no vulnerabilities were on site.
Q: What are some of the myths about cybersecurity that still exist and how can these present a danger to people and companies?
A: The first myth comes when vendors tell companies they will be 95 percent protected if they buy their app. This is a myth. First, companies need to understand their specific needs by following a risk management process. From there, they should select the kind of security they need to put in place and not blindly accept the one offered by the vendor. Companies often fail to understand their security processes or the kinds of operations they have in place if they do not run risk management processes. Some people believe that if they download general security practices from the internet, their information will be secure. That is not right because the best practices and information security policies found on the internet focus on a general view and approach. They were not created to fulfill the needs of individual companies.
Q: Is it a good idea to have a great diversity of security methods within a company? How can companies decide on the best approach for their business?
A: There are many methodologies to run a security program but the most important aspect to consider before selecting a solution is to understand what a company hopes to gain from it. The decision-making process is entirely different if the company is focusing on IT versus the entire company. It should also consider what kind of company it is and which division within the organization is to be protected. Once all of these questions have been answered, companies can select the best methodology for themselves.
The Mexican Association of Cybersecurity (AMSI) is a nonprofit association of professionals who want to share their experiences and knowledge with other professionals and students around the world.