A Mexican Association Dedicated to Cybersecurity
By Jan Hogewoning | Thu, 10/29/2020 - 09:51
Q: How does an association like AMECI differ from private consultancies?
A: We have different schemes and scopes, serving the academic, government and corporate sectors. One of the advantages that we have as an association is that we can identify the needs of some sectors through the companies we audit. Once we identify the areas of opportunity, we send people we have trained to universities or companies with which we have alliances to generate synergies.
With companies, we work to identify vulnerabilities in cybersecurity and compliance. We have a group of professionals dedicated specifically to that. At AMECI, we consult on security analysis projects at a technical level. We are not only a service provider; we generate synergies between our partners and our clients to develop a virtuous cycle around cybersecurity.
Q: What challenges have you found among associates and private companies?
A: Earlier this year, we carried out a cybersecurity management analysis on 100 different companies ranging from 100 to 900 employees. The largest foreign companies that have great potential in Mexico have implemented an information security management system, which is associated with an international standard called ISO/IEC 27001. However, among Mexican SMEs there is still a lack of understanding regarding cybersecurity. Sometimes managers think that having perimeter protection such as firewalls or antivirus systems is enough.
We found that 80 percent of the audited companies do not have a security management system, although the law in Mexico requires companies or independent professionals to follow the Federal Law on Protection of Personal Data Held by Individuals. Unfortunately, many companies do not know about this and believe a privacy notice is sufficient. The vision that we have as an association is that very few companies are doing something about cybersecurity and therefore are not prepared to deal with a security incident.
Q: What does the Pentesting analysis that AMECI offers entail?
A: Pentesting is a vulnerability analysis. Normally we offer two types of services. The first is BlackBox, where we play the role of cybercriminals under a confidentiality agreement and review all the data that can be exposed from a cyberattack. For example, if a company hires us to do this test, we try to access their confidential information. Once the test ends, we deliver a report on the areas of opportunity and what should be reviewed immediately. In this way, we demonstrate how this security problem can impact their business.
The second service is called GreyBox, in which we do the same analysis but act as an internal team of the company. Even a guest who was given a Wi-Fi password by the company can compromise confidential information. At 90 percent of the companies where we have carried out these vulnerability analyses, we have been able to access their information. If their competition were to get that data, companies would be negatively impacted. During these tests, the greatest vulnerability has been in security controls, since they are very weak or nonexistent.
The Mexican Cybersecurity Association (AMECI) is a 100 percent Mexican body that offers consulting, training, services and solutions related to information security and cybersecurity.