For foreign investors, it seems like criminality comes with the territory when operating in Latin America. In spite of the region’s heavily publicized shortcomings when it comes to managing crime and corruption, investment from all corners of the world continues to flow into the region.
Cybercrime is causing real disruption in Latin America’s business climate, nevertheless. Private enterprises with operations in the region worry not only about being hit by cybercriminals, but also about having few or no legal options to recover from the damage done.
NSAM spoke with Juan Manuel Aguilar – a Mexican cybersecurity expert, former government official, academic and keen observer of Latin America’s overall security landscape – in order to understand foreign investors’ attitudes towards the region when it comes to matters of crime and cybercrime.
Aguilar speaks in depth about the relationship between security, business climate and investors’ sentiment in Mexico; about the shortcomings of Latin America when it comes to cybersecurity law; how businesses handle being the victims of cybercrime; and whether those businesses are being honest regarding their adherence to international cybersecurity protocols.
NSAM: In Latin America, how relevant is cybersecurity for foreign investors?
Juan Manuel Aguilar: It’s becoming more and more transcendental. Interest has increased in producing technical specialists in the discipline, and there’s been consolidation of a debate around the issue. Investors are interested in the demand for cybersecurity specialists as well as in the supply of experts within the region.
It’s expected that, in the short run, cybersecurity will become a major problem. When one reads reports from international security firms such as SonicWall, Kaspersky and Norton, one can notice an increase in cybercrime directed towards big companies, with ransomware seeing the most dramatic jumps. It’s a fact that Latin America is the second region with the highest growth in ransomware attacks, surpassed only by Europe and the US.
This is becoming problematic in the sense that there’s no legal framework that companies can hold onto when they’re hit by cybercrime. Although we haven’t seen strong pressure coming from company clusters or industry chambers, there is indeed a tight collaboration when it comes to regulation.
Mexico in particular has a case, its first great investigation against cybercrime: the montadeudas (“debt riders”) network, which was tackled by Mexico City’s police. We’re now seeing a building of capabilities and actions being taken. Yet, there’s still no legal framework which inhibits cybercrime. Those montadeudas were able to walk free because there is no referent that allows for the proper judicial processing of cybercrimes.
Then again, even when the experience left us with a bad aftertaste, it also provided valuable insights that will become referents for investigation and operations undertaken by justice institutions in Mexico.
NSAM: Would you say that extortion has become normalized as a part of Mexico’s business climate?
Juan Manuel Aguilar: Companies do face a very hostile business climate in Mexico, which can be associated with other crimes beyond extortion; merchandise is stolen, and there’s government corruption. In some contexts, the levels of insecurity are staggering.
Nevertheless, international economic activity does not stop. States such as Campeche and Michoacan, and the ports of Manzanillo and Lazaro Cardenas, are located right in the middle of high-crime areas, where criminal gangs such as the Jalisco and Sinaloa cartels operate. Even then, economic activity in those areas is still profitable.
I think that, yes, investors are aware of Mexico’s adverse business climate. The embassies of Japan and the UK, for example, do deep risk and security analysis in Mexico. And important projects keep landing. They assume the risk, in spite of everything, because the investment could prove profitable thanks to several of Mexico’s perks.
NSAM: Beyond the use of technologically advanced tools, what’s the difference between traditional extortion and digital extortion? Do the dynamics differ?
Juan Manuel Aguilar: Ransomware is an interesting topic, and a challenging one. In Mexico, the National Guard, the Scientific Police, are in charge of registering cyberattack reports. But in our country, there’s what’s known as “dark numbers”. Those are crimes that go unreported.
In the case of cybercrime targeting companies, dark numbers increase because, for businesses, publicizing the fact that they were victims of a cybercrime could harm their image; the trust of consumers, investors and other groups could be eroded.
Another thing is that companies which have been victims of a cyberattack will contact cybersecurity vendors until they’re neck-deep into the situation. The vendor arrives, offers its services, solves the problem and asks if the company will report the crime to the pertinent authorities. What do you think is the common response? “No”. And why’s that? Because there’s an economic risk; because their public image could be damaged.
What companies want is to get their information back, to install tighter security controls that will prevent the success of similar attacks. And that’s it.
NSAM: What is more common among businesses: to pay in a traditional extortion racket or a digital one?
Juan Manuel Aguilar: Cybersecurity culture and norms advise companies against paying ransom. Nevertheless, the fact that ransomware attacks keep happening tells us that the crime is profitable.
I see a difference between what’s dictated by international protocols, such as ISO 2700, and what businesses actually do. To me, there seems to be a lack in information gathering, as well as in the companies’ honesty on whether they paid for ransom or not.
There is a concrete number on whether information is recovered once ransom’s been paid. In 85% of cases, the information is not given back.
In the case of traditional extortion, when we speak of transport and industrial parks, they are not exempt. It’s almost a given that they will pay, with security, for extortion, whether that be to allow merchandise to transit freely, to protect the integrity of their employees and installations, or to safeguard supply chains.