Hace unos días me entrevistó El daily post, un medio que se propone explicar México a una amplia audiencia internacional. La entrevista que me hicieron, junto con otros especialistas en seguridad, trató sobre las amenazas informáticas más peligrosas en México.
La entrevista fue publicada el pasado 7 de marzo con el título Cyber attacks: In Mexico, it’s a question of when, not if (Ataques cibernéticos: en México es una cuestión de cuándo, no de si).
Les comparto la entrevista completa debajo de estas líneas.
Cyber attacks: In Mexico, it’s a question of when, not if
Mexican companies are facing a new era in cyber security where increased connectivity, a constantly evolving threat landscape and insufficient preparedness mean one thing: It’s not a question of if, but when, a company will be attacked.
Mexican companies are facing a new era in cyber security
Hackers tend to target smaller businesses because they usually don’t have sophisticated security systems. State-sponsored hackers typically go after critical infrastructure systems or key industries such as oil and gas. Photos: Associated Press
Cyber crime cost the world some $400 billion dollars in 2015, or 0.8 percent of GDP, according to security software company McAfee. In Mexico, cyber attacks cost $3 billion dollars in 2013 and are on the rise, up 40 percent in 2015 alone. However, the real number of attacks is likely far higher as fear of reputational damage causes heavy underreporting.
While many of the medium to large companies operating in Mexico are conscious of cyber crime, “When we ask about what protective systems and processes they have in place, there is a pretty low level of awareness,” Brian Weihs, head of Kroll’s Mexico City office told El Daily Post.
This isn’t just a Mexican problem.
Just 12 percent of companies worldwide surveyed by professional services firm EY currently believe that their information security function fully meets the organizations’ needs. Some 37 percent do not have a data protection program and just under half count a security operations center.
Which companies are at risk?
The financial sector has traditionally been the target of cyber attacks but it is also the best protected sector in Mexico and so criminals are turning their sights to retail chains and family-owned businesses, particularly in the manufacturing sector, according to Weihs.
Last year’s cyber attack on retailer Liverpool, reported to have cost the company 100 million pesos, bears out this trend.
The size of a company is also irrelevant. “If you think that being a small business is going to protect you from being attacked you are terribly deluded,” Alan Brill, Kroll’s senior managing director of cyber security told El Daily Post.
In 2015, 60 percent of attacks worldwide were targeted at small- and medium-sized organizations, according to a report by technology company Symantec.
Hackers routinely target small and medium businesses, as they are likely to have less-sophisticated security systems, said Brill. The reasoning goes that while the rewards are smaller, they can keep doing it as they are unlikely to be spotted.
So what exactly are the hackers after?
While there is a public perception that criminals are just out for credit card data, the reality is much more complex and also depends on who is doing the hacking.
Criminal organizations target anything that has commercial value, said Brill. This could include corporate information to be used for insider securities trading, marketing plans to get ahead of the competition, a rival company’s bid in a tendering process or sensitive pricing information.
State-sponsored hackers or foreign governments are more likely to target critical infrastructure systems or key industries such as oil and gas and so companies in other sectors are at a lower risk.
The third and least common type of hacker is the cyber activist. While Anonymous has hacked the Defense Secretariat website and threatened to out members of the Zetas drug cartel, hactivist attacks against private companies in Mexico have been less common.
“Although fairly limited in its current form in Mexico, cyber activism is a highly volatile threat, with some campaigns able to rapidly gather momentum in the case of widespread public uproar,” according to Control Risks.
An evolving threat
Traditional threats such as phishing and viruses are still common but the use of ransomware (a form of malware that encrypts a user’s data and then demands a payment to unlock it) rocketed 113 percent in 2014 and is expected to keep increasing in 2016.
There is however, something more sinister going on. The days of smash and grab data thefts are dwindling as hackers are now infiltrating systems and staying inside.
The average cyber attacker is now on a network for over 200 days and given that most companies do not have real time monitoring systems, it is impossible to know what the hacker is doing within the network.
“When you can no longer trust the integrity of your data because someone is controlling your network, you have a problem,” Emily Orton, head of marketing for cyber defense company Darktrace told El Daily Post.
Darktrace technology learns what’s normal for each organization through real time monitoring, allowing it to detect threats as soon as they manifest in a company’s network.
“The challenge is no longer keeping threats out; that battle has been lost. The threats are already inside the network,” said Orton.
The company’s Antigena technology uses machine learning to allow a network to automatically self-defend, to catch a threat and mitigate it before it turns into a full-blown cyber attack.
Darktrace’s technology represents a shift away from the traditional perimeter defense theory of building a wall around your network and keeping out pre-defined threats. Understanding that security departments simply can’t keep up with the pace at which threats are evolving is also driving the shift.
The explosion in connectivity is making the system administrator’s job even harder.
“There are more users, more connections, more data and more devices connected to the network than ever and this makes companies more vulnerable to cyber attacks, Edgar Vázquez, head of government sales for Intel Security told El Daily Post.
The average executive now connects to a company’s network on the move through a smart phone, a tablet and a laptop. The majority of these mobile devices don’t even have anti-virus software and so the likelihood of contaminating the company’s network through an ill-advised download is rising, said Vázquez.
The increasing use of cloud storage, such as Dropbox, is also putting companies at risk as the security of the stored files cannot be guaranteed.
While investment in security systems is key, Vázquez argues that companies need to foster awareness about information security among their employees and develop policies that deal with mobile device usage.
Cyber security represents a real growth area for Mexico and an opportunity for talented systems administrators. All the experts agree that Mexico’s pool of cyber security experts is currently too small.
Some 86 percent of IT professionals surveyed in Latin America believe that there is a shortage of skilled cyber security professionals and 64 percent thought it was difficult to identify which new graduates had the adequate skills for the job, according to industry body ISACA.
“We have a huge challenge in finding the right expertise in Mexico as it’s a new area and it’s complex,” Roberto Hernández, president of Mexico City’s ISACA chapter told El Daily Post.
In order to address that talent shortage, ISACA provides a cyber security certification and resources for people looking to get into the sector.
The Mexico City chapter is also running a series of seminars for IT students in two of the capital’s major universities; UNAM and the Universidad Iberoamericana.
The growth in connectivity, increasing GDP and a lack of cyber security maturity is making Mexican companies of all sectors and sizes an increasingly attractive target for cyber attackers.
Cyber crime is at heart a global business without borders and so companies in Mexico are now as close to the hackers as is a hedge fund in New York or an investment bank in London. “The hackers have now become your next door neighbors,” warned Brill.