The Pandemic Transformed Cyberattacks

You can watch the video of this panel here.

“If cybercrime were a country, it would be the third largest economy in the world just behind the US and China, with a US$6 trillion in value,” says Mario de la Cruz Sarabia, President of Innovation & ICTs Committee at American Chamber of Commerce Mexico and Senior Director of Public Policy and Government Affairs Latin America at CISCO Mexico. To address this scenario, experts from CISCO, Kaspersky, DHL, Huawei and Scotiabank met at Mexico Business Forum 2021 Virtual Edition, held on May 27, to discuss key developments in the cybersecurity ecosystem in Mexico and Latin America, as well as some strategies to prevent cybercrimes and respond to them.

How the Pandemic Shifted Cybersecurity

Not attacks are the same, said the experts, and not all industries are similarly targeted. While financial companies were often targets, the focus has shifted. “The number of attacks and new threats grew during the pandemic and the approach is different. Criminals are primarily interested in getting money; 90.2 percent of them are moved by money,” said Claudio Martinelli, Managing Director LatAm of Kaspersky.

“Over the last two years cyber-attacks have migrated from the financial sectors to the health sector,” agreed Felipe García, CISO of Scotiabank Mexico. Beyond targeting new sectors, threats have also evolved and spread due to new trends such as home office. “Cybersecurity is important as companies were forced to work remotely but domestic networks did not comply with cybersecurity standards,” said Elvira Sanchez, VP CIO of DHL Express Mexico. “This created additional challenges and forced us to get creative on how we approached it.”

Cybersecurity breaches not only have a financial or operational impact, they also hurt the reputation of the victim. “As a corporate mandate, our cybersecurity schemes and cybersecurity strategies are strongly linked to other business strategies. We call it a matter of trust. Our recommendation is to evaluate how damaged the industry or the company can be when our end-customer loses trust in us. The most important element is reputation and those who placed their trust in us,” said Martin Portillo, CISO of Huawei Technologies Mexico.

A Cyberattack can also deeply hurt a company’s operations, and financial loses can be steep. “It can take between 24 and 48 hours for a cybercriminal to take full control of a company's files which can interrupt operations or cipher certain files. An effective attack undermines your organization due to the financial, operational and reputational impact,” said Sánchez. Losing their credibility is one of the greatest risks companies can face, no matter their size, explained Martinelli. By compromising their credibility “companies are putting at risk their very existence,” he said.

Despite the risk of cyber-attacks, experts agree there is not a perfect solution. “There is no infallible strategy, there is always a risk. The average cost of a cybersecurity breach of US$4 million,” said Martinelli. For that reason, companies must be better prepared to remain out of the headlines.

First Steps Toward a Cybersecurity Strategy

To build a robust cybersecurity strategy, first companies need to understand their vulnerable points, explained Sánchez. “Preparing emergency response protocols is essential. Moreover, although we are aware immunity does not exist, we need to raise awareness among our employees, customers and suppliers.” Over the last few months, attacks to logistic companies have increased considerably, explained Sánchez, adding that the sector might by the third of fourth sector to concentrate most attacks.

However, companies must consider that there is no one-size-fits-all solution. It all depends on the sector and the company’s business model. “A security solution cannot be bought in retail and installed,” said Martinelli. He urges companies to develop a complete strategy after fully understanding the assets that need to be protected by looking at similar attacks or at the strategies followed by other companies in the same sector. Companies also need consistent training. “A yearly training is not enough; little nuggets of cybersecurity intelligence should be given to employees every day. Common targets are secretaries, the HR manger, marketing and purchasing departments.” Finally, Martinelli urges companies to invest in well-tested, comprehensive cybersecurity solutions. He also warns that no one, and no company, is fully safe. “Criminals can be pretty democratic, as they attack people regardless of their background. The currency of the 21st century is data,” he said. According to CISCO, for every dollar invested in cybersecurity ROI can be 2.4, up to 2.7 for large organizations.