An ex-commissioner of the Mexican agency tasked with personal data protection recently warned that the Mexican government can’t just close its eyes to cyber crime and data breaches.
If anyone doubts this, she says, just check out the price of stolen records on the dark web. The cost of a single medical record can exceed USD $500. “This information helps facilitate insurance payouts, pension claims, medical claims and tax fraud,” she says. Since government can’t eliminate black markets – or combat many kinds of online fraud – the most effective way to respond is through better laws and better enforcement.”
In theory, the government agrees: it has set up cyber command centers, established specially-trained police divisions and signed international treaties to fight cyber crime.
Yet despite these efforts, incidents involving online fraud, identity theft, child pornography and phishing have all soared.
Is Mexico prepared ?
According to Juan Carlos Carrillo, director of Cyber Security & Privacy Solutions at PricewaterhouseCoopers (PwC), 87% of Mexico-based companies experienced a data breach or some other form of cyber intrusion in the past year, putting it 13 points above the global average. After drug trafficking, cyber crime is now the second most common criminal activity in Mexico.
“Mexico falls in the highest-risk category because of a disproportionate number of cyber crime incidents,” said Héctor Pérez, e-commerce manager for Symantec Latin America. Based on a recent Symantec study, Mexico now ranks 3rd worldwide for cyber crime, after China and South Africa.
Given Mexico’s late entrance to cyber security, it continues to lag behind most nations. “Mexican institutions and agencies simply don’t have the capacity to deal with the problem,” claims Mr Carrillo. A study by the National Risk Agenda recently confirmed this, warning that Mexico has “scarce capacity for prevention” and “almost no ability” to respond to potentially devastating cyber incidents.
The study also concluded that the nation’s legal framework and ability to measure, prevent, monitor and mitigate cyber attacks are grossly inadequate. “The Mexican government is incapable of protecting the nation’s critical infrastructure or sensitive information belonging to government and society.”
“In sum,” says Dr. Fernando Gutiérrez Cortés, professor at the Technological Institute and Superior Studies of Monterrey (ITESM) , “Mexico is ill prepared for a massive cyber attack.”
Prevention over enforcement
Although Mexican politicians publicly support increased enforcement, most realize that they’ll always be several steps behind cyber criminals. They question how Mexico can ever realistically pursue much less prosecute international bands of cyber hackers based in foreign (and often uncooperative) jurisdictions.
Despite the creation of the Mexican Cyber Security Incident Response Team (CERT-MX) and the Federal Police’s Scientific Division (Policia Científica), Mexico doesn’t have the “long-arm” of the law like the US, Russia or China. It lacks the technical sophistication to outsmart world-class hackers. And most of the digital platforms used by public and private entities are imported from elsewhere, making them even more vulnerable to attack.
In sum, Mexican lawmakers – reluctant to spend a fortune in a losing battle – argue that prevention is far more cost-effective. They cite studies that blame human error for nearly two-thirds of data breaches – far outstripping all other causes combined. With better security procedures, stronger passwords and better online collaboration, say many experts, most cyber crime can be prevented.
For this reason, the government has adopted a de facto “prevention first” policy, shifting most of the cyber security burden to the private sector. This approach is based on a simple premise: private organizations are better positioned and motivated to fight cyber crime than the government.
In their view, the public authority’s role is to: (a) secure mission-critical public infrastructure; (b) establish credible laws and regulations; and (c) raise public awareness about cyber security.
Cyber security itself, however, has been given far less priority.
Companies forge ahead
The leaders of most large Mexican organizations have gotten the message. Over 90% of large Mexican companies now rank cyber security as a top priority, above both robbery and corruption. Taken as a whole, Mexican enterprises invest more in cyber security than their counterparts in any other part of Latin America.
But what’s true for larger companies isn’t true for most SMEs, which still lack proper protective systems. Among these organizations, “there is a pretty low level of awareness of cyber crime,” said Brian Weihs, head of Kroll’s Mexico City office.
This divide between the corporate “haves” and “have-nots” is so significant that it drags down the nation’s overall security ranking well below the global average. According to the Global Cyber Security Index, Mexico scores 32.4 points out of 100, placing it below the global average of 44.6 points.
The problem is that only 19% of Mexican companies, most of which are small and medium size, have cyber security programs in place – compared to 40% globally.
Perception fuels reality
According to Ms Arzt, a government that ignores cyber security does so at its own peril.
Hackers are now better armed and often funded by organized crime or foreign governments. They have more know-how, better equipment and larger incentives to launch successful attacks.
As computers are embedded in everyday items and industrial machinery – and as the world becomes more dependent on digital networks – the need for action will only grow. Mexico has too much on the line – too much foreign investment and information-critical sectors (e.g., energy, autos, aviation, electronics and aerospace) – to stand by idly.
But just as the nation gained fame for lax enforcement of its IP laws – resulting in widespread piracy and trademark infringement – criminals are aware of the nation’s cyber weak spots. They know that Mexico’s regulations are outdated and that enforcement is a non-priority. They sense that Mexican leaders lack the commitment, energy and resources to properly protect the country’s assets from cyber attack.
In fairness, the government is already grappling with security issues related to kidnap, murder, corruption and drug violence – all of which have taken (and will continue to take) top priority.
This perception itself fuels cyber attacks – and is what Mexican leaders must now work to dispel.