International Influence Is Driving Cybersecurity Compliance

Q: How would you assess the legal infrastructure for cybersecurity in Mexico?

A: Although Mexico’s legal infrastructure related to cybersecurity has improved by leaps and bounds since 2017, it still lacks maturity. Using the Global Cybersecurity Index (GCI) as a benchmark, Mexico ranked 28th out of 182 countries in 2017. Three years later, the nation has tumbled to 52nd, indicating a backslide in the country’s progress as others advance in the development of their own frameworks.

The federal government and the private sector have pushed for the development of a comprehensive cybersecurity legal framework and supporting programs but it has not been achieved. Mexico is still very much in the initial phase of strategy development, which also requires a cultural shift. Cybersecurity in Mexico is still largely considered an IT need instead of the foundational business need it is. Business leaders are still being influenced to disregard cybersecurity, much to the detriment of the company’s future. 

Going forward, the country needs to build on global strategies, drawing up specific programs and strategies that should be informed by structural limitations. 

Q: How has Mexico’s business sector fared in cybersecurity compliance over these two years of rapid digitalization?

A: International companies have played an important role in driving cybersecurity compliance in Mexico’s private sector, specifically through contractual agreements. Domestic companies found themselves obligated to conform to international cybersecurity standards and regulations not because they are concerned about risk but because it is often a contractual requirement.

Consequently, domestic companies will build security policies, procedures and systems only around their client’s contractual requirements and not as a company. Effectively, Mexican companies are viewing contractual standards as a checklist to meet their legal obligations but they are not implementing these policies across the board in their own business practices. This contrasts with the public sphere that, although slow, has a better grasp on strategy building and implementation of an all-encompassing infrastructure.

Q: Last year, Mexico experienced one of the highest rates of malware attacks. Has Brier & Thorn Mexico identified any patterns and what has it learned from successful breaches?

A: In Mexico, the user remains the weakest link as most ransomware incidents we have seen have been user-driven. Beyond creating a culture of awareness at a user level, which is a must, companies should aim to promote an equal sense of vigilance among their infrastructure and IT departments. Extortionists are increasingly targeting administrators who normally have access to RDP connections and ports that are open to the world, meaning there are no dedicated personnel in charge of conducting regular vulnerability scans or asset inventory, which require distinct protocols. This disparity represents an unnecessary gap in internal cybersecurity infrastructure, especially in an increasingly hostile digital space.

Ransomware attacks in Mexico have skyrocketed over the past two years, at a rate that I have not witnessed in the eight years that I have worked in cybersecurity. During this onslaught, many companies had no idea what had happened to them.

Globally, there has been a strong emphasis on data exfiltration and coordinated group attacks. Previously, most attacks were localized and most attackers were not known to be affiliated with any known cybersecurity groups. This development has been especially pronounced in targeted attacks against critical infrastructure like energy generation, telecommunications and financial services. Interestingly, media platforms and social media have introduced another element to these attacks, seemingly spurring ransomware groups to initiate assaults following the appreciation of cryptocurrencies, acquisitions, or environmental incidents such as those related to fracking.