Cybersecurity in Critical Infrastructures in Latin America
Cybersecurity has been one of the most important risks in the last 5 to 8 years. Nonetheless, in the past year the topic has received a special level of attention, because remote work, the adoption of digital channels, and other measures taken in response to the pandemic have increased the attack surface. Moreover, cyber criminals have been more active than ever, executing more sophisticated and more frequent attacks on companies in the private and public sectors, especially with the rise of ransomware attacks. This situation has drawn the attention of the top management of companies in many industries, but because of the high impact that a cyber-attack could generate, critical infrastructures are one of the top targets and a main concern for governments and society.
How to identify, treat and mitigate cyber-risk?
Cyber risk is a fast-changing risk that many companies have not yet addressed in the right way. At the same time, because cybercrime can be a very lucrative business, cyber criminals from all around the globe are more active and sophisticated than ever. These attributes contribute to the challenge that legal economies, governments, and individuals face in fighting it.
In this uneven fight, private and public sectors need to work together and consider some of the matters presented below:
1. Cybersecurity investments
According to a survey performed by Microsoft and Marsh about the state of cyber-risk in Latin America in times of COVID-19, the budget invested in information security and cybersecurity is very low in the region. Almost 50% of the companies are investing only between 0% and 5% of the IT budget in information security and cybersecurity initiatives.
Cybercriminals, on their side, have significant budgets and invest in projects to stay ahead of the controls companies deploy. Legal economies in general are far from being protected against these malicious actors. Even where they have been deploying basic cybersecurity measures, they often focus more on preventive capabilities than on detection, response, and recovery.
The report mentioned above makes clear that the main investments in Latin American companies are focused on protection capabilities: malware protection, access management, and secure remote access are the top categories where companies are increasing their cybersecurity investment. On the other hand, other measures like cyber incident response, security monitoring, and cybersecurity training are not at the top of the list.
One of the focal points in many companies that are part of the critical infrastructures is the cybersecurity controls implemented around the ICS/SCADA systems. Safety and reliability were the top concerns in the design of these environments, at a time when hyper-connectivity was not the issue it is today. Investing in cybersecurity controls to identify, protect, detect, respond, and recover from a cyber-incident in the Operational Technology environment is essential for critical infrastructure organizations at this moment.
2. Holistic risk management
Today, it is vital for critical infrastructure organizations to establish a cybersecurity strategy that considers people, processes, technology, and third parties.
Currently, people are one of the top targets for cybercriminals through social engineering attacks. It is very important for organizations to define and implement a cybersecurity awareness and training program. Cybersecurity awareness needs to be constant and focused on the main types of cyberattacks (e.g. phishing, ransomware, cyber fraud). In addition, a cybersecurity training program tailored to employees' roles must be defined in order to address the main risks they face in their day-to-day work. Employees from the IT and OT environments need to know what to do in case of a cyberattack.
While defining their cybersecurity strategy, companies need to be aware that cyber risks have changed, and they need to structure the strategy so that it addresses their main risks in a shorter period of time, assuming that a cyberattack is imminent or has already happened. This shift in mindset will allow companies to rethink their strategies so that they can focus on what is most important for the company and be proactive, as the situation requires today.
3. Governmental actions
During the last GRI Club’s meeting, interesting ideas about the role of governments in the cybersecurity landscape were suggested. Apart from their responsibility to deal with nation-related attacks and to implement cybersecurity measures in governmental organizations, they also need a way to define and enforce cybersecurity regulations. A good strategy to incentivize the private sector to deploy these kinds of measures, without affecting their revenues, could be, for example, a decrease in taxes or benefits according to their cybersecurity maturity level. Another critical topic for generating an evolving cybersecurity environment is establishing protocols and procedures to share information about cyberattacks in a secure way, protecting the affected companies’ reputation and helping other companies to defend against these threats.
Finally, the cyber threat landscape Latin America is facing requires a structured strategy between the private and public sectors, focusing on protection, detection, response, and recovery from cyber-attacks. This must be done by generating a cybersecurity culture in countries and preparing people to defend themselves and the companies they work for in this evolving environment.
Marsh is the world’s leading insurance broker and risk advisor. In more than 130 countries, our experts in every facet of risk and across industries help clients to anticipate, quantify, and more fully understand the range of risks they face. In today’s increasingly uncertain global business environment, Marsh helps clients to thrive and survive.
We work with clients of all sizes to define, design, and deliver innovative solutions to better quantify and manage risk. To every client interaction we bring an unmatched combination of deep intellectual capital, industry-specific expertise, global experience, and collaboration. We offer risk management, risk consulting, insurance broking, alternative risk financing, and insurance program management services to businesses, government entities, organizations, and individuals around the world.