In February 2021, Brazil and most of Latin America were going through another round of rising Covid-19 infections. At that time, the South American nation had surpassed 250,000 Covid-19 deaths and had the world’s second-highest death toll after the United States. While most of the country’s resources and attention were occupied with the response to the pandemic, a ransomware attack hit Brazil’s major utility company, the state-controlled Centrais Elétricas Brasileiras (Eletrobras).
Ransomware is a type of malware that encrypts the victim’s files and demands a ransom to decrypt them. In this case, the attack on Eletrobras carried a chilling message: critical infrastructure in the region is increasingly exposed, and even the largest power utility company in Latin America and the Caribbean could not avoid falling victim.
“Ransomware is moving faster than critical infrastructure operators and private companies can protect themselves. Some are still resistant to making this issue a priority, despite all the examples we’ve seen lately,” said Steph Shample, a cybersecurity specialist and Middle East Institute fellow.
The scene with Eletrobras in Brazil isn’t unique. Other major Latin American economies have also experienced ransomware attacks against their critical infrastructure. Private companies operating in the region aren’t immune and recent attacks show how vulnerable business operations can be.
BancoEstado, one of Chile’s three biggest banks, was hit in 2020, forcing the firm to shut down all its branches. The electronics manufacturer Foxconn in Mexico and Telecom Argentina, one of that country’s largest internet service providers, also recently suffered costly ransomware attacks.
“Companies avoid talking about these experiences because basically they have to acknowledge the most vulnerable part of their operations,” said John Clayton, Mexico Country Manager at Arista Technologies Limited.
“One of the biggest challenges we face is helping organizations become more conscientious of the possibility of ransomware attacks. I see a sense of inertia among some business and public sector leaders. Part of my work is making sure people don’t put their heads in the sand and pretend this issue doesn’t exist or won’t happen to them,” Clayton added.
Greater Risk and the Political Component
Latin America has become fertile ground for cybercriminals. One in every three ransomware attacks in the world targets a Latin American country. In 2020, Kaspersky registered an average of 5,000 ransomware attacks per day against targets in Latin America.
For Nearshore BPO and technology services industries, which manage significant amounts of cross-border third-party data, the risk is substantial.
A 2021 AdvIntel report states that “targeting specific sectors is also a new trend in the ransomware attacks phenomenon. This represents a new challenge to essential industries and public agencies, since data breach may signify not only negative impact in service delivery (and potential subsequent crises) and financial losses; but these actors may also face judicial challenges due to data exposure and consequential infringement of data protection laws.”
For itel’s Chief Technology Officer Duane Williams, his company and the industry at large face robust exposure to these kinds of attacks.
“We integrate with many businesses, which increases the risk for us. If I am completely honest I can say that it is challenging to develop total immunity to these crimes. But we take constant active measures to contain that risk. We understand where the weakest points are in our systems as well as the human aspect of this issue,” said Williams.
Williams refers to the common practice of ‘phishing’, which targets employees with emails or malicious links to secure a source of entry into an organization’s systems.
“The human aspect is always the weakest link,” said Shample.
“Cybercriminals target employees at every level, they try reaching departments like HR where they assume there is less knowledge of the risk. Leaders need to be proactive about this, social media needs to be banned in work devices, and everyone needs to have training at the most basic level. It is essential to have a workforce that is aware of the risk as a way to mitigate it,” she explained.
“We provide general training for new employees, particularly phishing training and simulations on a regular basis to raise awareness. Now remote work inherently increases the risk. We did a risk assessment before adopting broader remote work practices and we’re now confident that if it is done properly you can integrate remote work into your organization’s structures successfully,” added Williams.
Most analysts agree that legislative efforts have been slow on this issue. In countries like Brazil and Mexico, which had the highest share of users attacked with ransomware in 2020 with 46.7% and 22.6% respectively, there has been little movement from politicians.
“Politicians prefer to sit in their comfort zone and act in a reactive fashion. But public officials have a responsibility to protect their nations and they are not moving quickly enough or learning how to do it when it comes to cybersecurity. The private sector needs to assist and push politicians to put better protections in place,” said Shample.
For Clayton, politicians and business leaders need to fully accept the danger they’re facing.
“You can’t expect to keep yourself healthy if you don’t eat the right thing and exercise. But this is definitely the dominant approach for cybersecurity in the region. That needs to change fast,” concluded Clayton.