Talking Cybercrime in Mexico: Part 1
On Wednesday, Oct. 7, Mexico Business News organized a webinar, together with sponsor Fortinet, on the topic “Business Under Attack: The Threat of Cybercrime.” The event was moderated by MBN Tech Journalist and Industry Analyst Andrea Villar, with Eduardo Zamora, General Country Manager of Fortinet, as the introductory speaker and panel participant. The other members of the panel were Frédéric Costé, CEO of cybersecurity company Kippeo Technologies; Victor Mendivil, CIO & CSCO of eye-care group Ópticas Devlyn; and Fernando Padilla, President of the association for loan and credit providers ASOFOM and the lending fintech platform Pretmex.
Why Is Now the Moment to Act Against Cybercrime?
Eduardo Zamora opened the event with a stark eye-opener. “The World Economic Forum has identified cybercrime as the biggest global threat after climate change and natural disasters.” In response to the first panel question, which asked why now is the time to invest and act to increase cybersecurity, Zamora pointed out that this has always been a very urgent matter. However, the pandemic has made the threat even more present. He pointed to the fact that working from home had forced employees into new connection modes which were not necessarily secure. This applies to any device, including mobile phones. In addition, many applications are moving to the cloud and servers in a very short time frame, equally exposing them to potential security faults.
Costé, the second person to address this question, concurred that the pandemic has steeply raised the rate of cyberattacks in Mexico. “(Kippeo Technologies) has seen more signs in the dark web of groups planning attacks.” Equally, he agreed with the fact that because people ‘stumbled’ into home office, many doors to cyberattacks were opened. Costé is adamant that companies, small or large, no longer ignore cybersecurity in their business strategy. “Nevertheless, there must be greater awareness about the parties that exist behind cybercriminal groups, often foreign states that use these attacks to advance themselves economically at the cost of other countries,” he said.
Returning to the topic of Mexican businesses, Mendivil pointed to the fact that many family businesses, which make up a significant part of the country’s SMEs, did not have appropriate ‘schemes’ in place for remote work. The switch to home office did not just require a change in systems but also in processes. For many companies, he lamented, cybersecurity has been and remains a secondary priority. Inequality also exists between different industries, he pointed out. Financial service companies already have a compliance culture, as do retail companies due to their concern for client data protection. Other sectors, such as manufacturing, however, are further behind.
Padilla delved into the threat to financial institutions. He mentioned that a whopping 40 percent of all financial institutions in the country had been attacked last year. In other industries, this number averages 17 percent. He also pointed out that at least 35 percent of users of financial services in Mexico have been affected by cybercrime. Because financial payments and services are used across industries, the issue affects business across the economy. “Traditionally, many SMEs have considered cybersecurity investment something for large companies. They tend to believe that they are too small to be an interesting target,” Padilla said. “However, partly due to this lack of attention, 43 percent of detected cyberattacks now go via middle to small businesses. Moreover, the majority of cybersecurity attacks are still not detected.” This situation, he warned, puts the resources and identity of millions of Mexicans at risk.
Which Cybersecurity Areas Are Neglected by Businesses?
Zamora started by pointing out that all areas of a company need to be covered by cybersecurity. Networks are key, because they touch every area. The cloud too, especially with the vast amount of information being passed through dynamic clouds nowadays. Then there are devices. Especially in home-office mode, any device that is connected to the internet can be a point of entry for cybercriminals targeting people first and then the company. These create a massive attack surface area. He pointed out that a big problem is that many companies have cybersecurity tools but not the latest versions. “Cybercrime, unfortunately, advances at the same pace as the latest technology,” said Zamora. Nine out of 10 banks in LATAM have been attacked, he says, while more than 50 percent of banks do not have up-to-date technology, including the latest version of firewalls. For this reason, 33 to 35 percent of the attacks have been successful and managed to extract something from these banks. Advanced solutions, he says, do not necessarily mean more investment; they just need to cover all points of the attack surface.
Mendivil stated that in his meetings with other CIOs and CISOs, he has observed that lack of awareness of the threat is the biggest issue. This can be resolved by educating and training people. “In the end, the people are the most vulnerable point,” he says. Oddly enough, employees seem to act with disgruntlement when they are forced periodically to change their password. If they understood the threat, they would not resist.
Padilla states that while digitalization has brought many benefits, it has also made it far easier to access another’s personal information. The biggest challenge, he says, is how individuals behave in a non-secure manner. 95 percent of cyberattacks start with a human error, he points out, either by clicking on a link or downloading something. “Unfortunately, for many companies, cybersecurity still remains part of the systems and technology area, as opposed to a part of the business strategy,” says Padilla. Instead, the manager of each division should be on top of cybersecurity. It is easier to change the culture, yet he does not see it reflected in the budget or strategy of the vast majority of companies.
For Costé, cybersecurity is about organization first. This means knowing in which events you can be attacked, what defense posture you must have and what your capacity to react is. It starts with naming a CISO who is not part of the IT area. This person must be at the same level as the CIO and report directly to the CEO. His role is to know and teach others in the company how they can be attacked and when they need to take action. But it does not stop at the level of the CISO. “Campaigns of awareness can convert every employee into a cyber soldier, that can detect anomalies and report them,” he said. One of the problems, he points out, is that often people in the security area already have too much work on their hands and are busy putting out fires of attacks. Costé advises companies to use tech to scan outside of their company perimeter. In the dark web, one can find indications that companies are going to attack you. Not doing so, he stated, is like “going into a boxing ring without knowing your opposing fighter.”