An ex-commissioner of the Mexican agency tasked with personal data protection recently warned that the Mexican government can’t just close its eyes to cyber crime and data breaches.
If anyone doubts this, she says, just check out the price of stolen records on the dark web. The cost of a single medical record can exceed USD $500. “This information helps facilitate insurance payouts, pension claims, medical claims and tax fraud,” she says. “Since government can’t eliminate black markets – or combat many kinds of online fraud – the most effective way to respond is through better laws and better enforcement.”
In theory, the government agrees: it has set up cyber command centers, established specially-trained police divisions and signed international treaties to fight cyber crime.
Yet despite these efforts, online fraud, identity theft, child pornography and phishing have all soared.
Is Mexico prepared?
According to Juan Carlos Carrillo, director of Cyber Security & Privacy Solutions at PricewaterhouseCoopers (PwC), 87% of Mexico-based companies experienced a data breach or some other form of cyber intrusion in the past year, putting Mexico 13 points above the global average. After drug trafficking, cyber crime is now the second most common criminal activity in Mexico.
“Mexico falls in the highest-risk category because of a disproportionate number of cyber crime incidents,” said Héctor Pérez, e-commerce manager for Symantec Latin America. Based on a recent Symantec study, Mexico now ranks 3rd worldwide for cyber crime, after China and South Africa.
Given Mexico’s late entrance to cyber security, it continues to lag. “Mexican institutions and agencies simply don’t have the capacity to deal with the problem,” claims Mr Carrillo. A study by the National Risk Agenda recently confirmed this, warning that Mexico has “scarce capacity for prevention” and “almost no ability” to respond to potentially devastating cyber incidents.
The study also concluded that the nation’s legal framework and ability to measure, prevent, monitor and mitigate cyber attacks are “grossly inadequate”. “The Mexican government is simply incapable of protecting the nation’s critical infrastructure and sensitive information.”
Dr. Fernando Gutiérrez Cortés, professor at the Technological Institute and Superior Studies of Monterrey (ITESM), agrees. “Mexico is ill prepared for a massive cyber attack.”
Prevention over enforcement
Although Mexican politicians advocate increased enforcement, most realize that they’ll always be several steps behind cyber criminals. They question how Mexico can ever realistically pursue – much less prosecute – cyber cartels based in foreign (and often uncooperative) jurisdictions.
Even the nation’s leading cyber crime agencies – the Mexican Cyber Security Incident Response Team (CERT-MX) and the Federal Police’s Scientific Division – lack the “long arm” of the law that the US, Russia and China have. Mexican digital forensic experts lack the sophistication to outsmart world-class hackers. And most of the digital platforms used by public and private entities are imported from elsewhere, making them even more vulnerable to attack.
In sum, Mexican lawmakers – reluctant to spend treasure in a losing battle – argue that prevention is not only more cost-effective but also more realistic. They cite studies that blame human error for nearly two-thirds of data breaches – far outstripping all other causes combined. With better security procedures, stronger passwords and better online collaboration, say many experts, most cyber crime can be prevented.
For this reason, the government has adopted a de facto “prevention first” policy, shifting most of the cyber security burden to the private sector. This approach is based on a simple premise: private organizations are better positioned and motivated to fight cyber crime than the government.
In their view, the government’s role is to: (a) secure mission-critical public infrastructure; (b) establish credible laws and regulations; and (c) raise public awareness about cyber security.
Shielding private organizations or even the general public from harm is beyond their scope.
Companies forge ahead
The leaders of the majority of large Mexico-based organizations have gotten the message. Over 90% of large Mexican companies now rank cyber security as a top priority, above both robbery and corruption. Taken as a whole, Mexican enterprises invest more in cyber security than their counterparts in any other part of Latin America.
But what’s true for larger companies isn’t true for most SMEs, which still lack proper controls. Among these organizations, “there’s a pretty low level of awareness of cyber crime,” said Brian Weihs, head of Kroll’s Mexico City office.
This divide between the corporate “haves” and “have-nots” is so significant that it drags down the nation’s overall security ranking well below the global average. According to the Global Cyber Security Index, Mexico scores 32.4 points out of 100, placing it below the global average of 44.6 points.
The problem is that only 19% of Mexican companies, most of which are small and medium-sized, have cyber security controls in place – compared to 40% globally.
Perception fuels reality
According to Ms Arzt, a government that ignores cyber security does so at its own peril.
Hackers are now better armed and often funded by organized crime or foreign governments. They have more know-how, better equipment and larger incentives to launch successful attacks.
As computers are embedded in everyday items and industrial machinery – and as the world becomes more dependent on digital networks – the need for action will only grow. Mexico has too much on the line – too much foreign investment and too many information-critical sectors (e.g., energy, autos, aviation, electronics and aerospace) – to stand by idly.
But just as the nation gained fame for lax enforcement of its IP laws – resulting in widespread piracy and trademark infringement – criminals are aware of the nation’s cyber weak spots. They know that Mexico’s regulations are outdated and that enforcement is non-critical. They sense that Mexican politicians lack the commitment and resources to properly protect the country’s assets from cyber attack.
In fairness, the government is already grappling with major security issues involving kidnapping, murder, corruption and drug violence – all of which have taken (and will continue to take) top priority.
This perception itself fuels cyber attacks – and is what Mexican leaders must now work to dispel.