In terms of cybersecurity, 2019 was a very challenging year for all industries. Many corporations all over the world, and especially in Mexico and Latin America, experienced cybersecurity issues, and this pushes us to think about the areas of opportunity we need to work on effectively in order to avoid potential risks.
Budget cuts were made at all levels, leaving aside investments to improve cybersecurity controls. The lack of management of minimum information security controls caused unexpected stoppages in critical business processes within organizations.
Inefficient management of administrative accounts drove an upward trend in digital fraud, as did the lack of information about who accessed or modified data in critical business systems, information that is needed to act effectively in case of risk.
From a regulatory point of view, many companies suffered the economic consequences of fines arising from deficiencies or non-compliance with mandatory controls. In fact, adequate safekeeping and management of information in electronic transfer systems was not ensured.
With respect to digital transformation actions, cybersecurity risks were not considered in the creation or interconnection of infrastructures to new collaborative platforms for the generation of more agile business relationships between suppliers and customers. Nor can we forget the lack of communication between the IT and OT people involved in such actions, which resulted in efforts with different or isolated purposes for the same project.
New year, new approach to Cybersecurity for Organizations.
2020 has started with a new dynamism, since Mexican and Latin American corporations are increasingly interested in cybersecurity due to the 2019 incidents. It is now clear that nobody is totally safe from cybersecurity threats, which may affect business continuity.
Having a cybersecurity strategy is extremely important; however, leaders and people responsible for cybersecurity within organizations must begin their plans with solid knowledge of critical business processes and identify the risks of not having the required security controls, so that they can adequately quantify the impact and ground and develop the strategy with a business-oriented approach.
Below are some important aspects that every organization must take into consideration to develop an effective cybersecurity strategy:
- Develop cybersecurity projects or actions based on investment criteria versus impact on the main processes or infrastructures that support the business, for proper justification.
- Have recovery plans to face contingencies, given the rise in advanced threats, as well as an execution plan to validate their effectiveness.
- Keep strong cybersecurity controls on information management within hybrid environments (on-premise/cloud) such as: asset inventory, information classification, account and access management, information confidentiality mechanisms through encryption, visibility of activities and events, to name just a few.
- Comply with regulations regarding corporations entering digital businesses, in order to transform and become more competitive. The following are some Mexican regulations on the matter: Annex 28 of SAT (“SAT” stands for “Servicio de Administración Tributaria”, the Mexican Federal Tax Agency), the CNBV (the “Comisión Nacional Bancaria y de Valores”, the Mexican National Banking and Securities Commission), the Protection of Personal Data, GDPR, PCI DSS (which stands for “Payment Card Industry Data Security Standard”), Fintech Law.
- Create a convergence plan, divided into different stages of maturation of OT with IT environments, together with security managers in order to establish a secure digital transformation culture. As a first step, identify common processes that can be applied in OT as well as in IT, such as Inventory Management, Change Management, Event Management, etc., in order to start with a natural synergy of the cybersecurity posture.
- Generate more effective information security awareness programs with a well-defined scope, a correct geographical distribution, and messages tailored to the role each person plays in the organization.
- Establish technological and process controls for the purpose of improving cybersecurity, through models such as Zero Trust and CIS Controls. Similarly, processes based on frameworks such as NIST and/or MITRE ATT&CK should be implemented to provide better and faster responses to security incidents.
- Ensure that the applications demanded by the business are built securely from the initial design step, to minimize the risk of vulnerabilities that may impact sensitive information of customers and the organization itself.
Furthermore, to face the new cybersecurity challenges in the short and medium term, it is of the utmost importance to start strengthening the cooperation and communication between private companies, government and educational institutions, making cybersecurity a common cause in 2020 and creating a solid ground of awareness to minimize risks in the industry.
That is why at IKUSI we are focusing on accompanying our clients to create an intelligent cybersecurity service experience suitable for their organizations, in order to face the challenges that will arise in the new business models during 2020.