Talking Cybercrime in Mexico: Part 2
By Jan Hogewoning | Mon, 10/12/2020 - 08:58
On Wednesday, Oct. 7, Mexico Business News organized a webinar, together with sponsor Fortinet, on the topic “Business Under Attack: The Threat of Cybercrime.” The event was moderated by MBN Tech Journalist and Industry Analyst Andrea Villar, with Eduardo Zamora, General Country Manager of Fortinet, as the introductory speaker and panel participant. The other members of the panel were Frédéric Costé, CEO of cybersecurity company Kippeo Technologies; Victor Mendivil, CIO & CSCO of eye-care group Ópticas Devlyn; and Fernando Padilla, President of the association for loan and credit providers ASOFOM and the lending fintech platform Pretmex.
How Do We Create the Urgency Among Companies to Improve Their Cybersecurity?
“In LATAM, especially Mexico, we think this will not happen to me,” Zamora said. He compares cybersecurity to insurance. When do Mexicans buy their first insurance policy? After they have had their first accident. Another problem is a lack of openness. In Europe, when a company is attacked, they inform the media. Here in Mexico, he points out, companies deny it. This is a cultural issue. The only way to create the urgency, he said, is to first raise awareness, then ensure that the whole company is involved, then acquire the technology the company needs and keep an open environment that fosters collaboration.
Padilla agrees that we have a culture of underestimating threats. An effective way to raise awareness, he points out, is to force companies through regulation to make themselves secure. To help companies understand the threat, they can do attack simulations. Many tech companies can offer this. “If your CEO is saying no to investing in cybersecurity, organize a simulated attack. Show him what the impact of an attack could be,” he stated. Padilla recommended that both individuals and companies regularly check their financial accounts. “Check in to see your information, to see if they are robbing your money or asking for information,” he states. Very few people actually do this. You can do it through a credit bureau, a bank or for fiscal matters through SAT.
Costé pointed out that the CISO is responsible for evaluating the risks, in terms of damage to reputation, loss of clients and financial losses. He points to the example of Equifax, a company that lost more than 20 percent of its stock exchange value after it was attacked due to its failure to purchase an Apache server and protect its clients’ data. Training employees is crucial, as well. This should also include being aware of the threat from the inside, he stated. Employees can easily be accomplices in cybersecurity attacks, including directors. Referring to simulated cyberattacks, he describes a solution that can simulate attacks in a virtual environment.
The second point he makes is that Mexico should have a national agency for security of information systems. In France, the Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) reports directly to the office of the prime minister. Costé explained that an equivalent agency for Mexico would be able to create a regulatory mandate to push companies to meet certain levels of cybersecurity and also be able to classify critical infrastructure. The state could respond to cyberattacks in the case of an attack that threatens national security. Lastly, it could push companies to share information when they have been attacked. “Ultimately, we should be open to each other in our sectors, to prevent attacks from happening to others,” he said.
Mendivil agreed it would help if the government established a legal framework for companies to comply with cybersecurity standards, similar to the Federal Data Protection Law. Another example, he states, is the NIST cybersecurity framework in the United States. This would push companies to feel concerned, take action and be open. In his personal experience as CIO, he states that he often presents past attack cases in other companies to his CEO to demonstrate the potential impact. Particularly the potential impact on the company’s wallet, he says, makes an impression when the directors hear it.
During the webinar, participants were asked a range of questions. These were their responses:
Q: Do you think only large companies are the victim of cyberattacks?
Yes: 5 percent
No: 96 percent
Q: Are you aware of any cyberattacks your company has suffered?
Yes: 52 percent
No: 48 percent
Q: How would you describe your company’s preparedness for an attack?
Very high: 14 percent
High: 49 percent
Low: 26 percent
Very low: 8 percent
Does not know: 3 percent
Q: Has your company developed a cybersecurity strategy?
Yes: 66 percent
No: 18 percent
Considering it: 15 percent
Q: Do you plan to increase your investment in cybersecurity this year?
Yes, a lot: 18 percent
Yes, a little: 43 percent
Not this year: 25 percent
Does not know: 14 percent
Q: What is the first step you plan to take?
Buy software: 3 percent
Educate employees: 69 percent
Hire expert: 12 percent
Other: 15 percent
Q: In your opinion, what is the biggest obstacle to fighting cybercrime in Mexico?
Lack of budget: 12 percent
Lack of knowledge: 68 percent
Lack of experts: 5 percent
Lack of interest: 5 percent
Zamora points out that education in cybersecurity does not just take place in companies but also universities and high schools. Fortinet is involved in several programs with universities to generate talent, motivating students to become experts in cybersecurity. Programs also focus on students of all disciplines understanding that cybersecurity touches every field, every business and every organization.
Mendivil said the biggest challenge is raising consciousness and changing the culture. In the US, he points out, November is cybersecurity month. He also points to a cycle of events. “It is important to raise awareness in a company, to ensure a budget is allocated so companies can then hire young trainees in cybersecurity,” he said. Otherwise, young people will not pursue a diploma in the field and companies will end up with a limited pool of available security professionals.
Costé said it is important for CISOs to show, through an evaluation of the risks, what impact a cyberattack can have on a company’s financial health. This will wake up the board of directors and move them to take action. Regarding awareness, he suggested communication campaigns where employees are exposed to concepts such as confidentiality and integrity, as well as the hard data on cyberattacks. This can be projected daily on an office screen. Lastly, he calls for a national agency, which would not only create regulations and respond to attacks but also publish information about new topics in the field.
Padilla pointed to the need to understand that cybersecurity is not a tech but a business issue. “Everyone is vulnerable and everyone should have it on their agenda,” he said. “Ultimately, nobody is going to protect you, only you can do it yourself.” He also agrees that a regulatory framework, already existent in the financial sector, has pushed companies to develop their cybersecurity faster.