For Latin American Companies, Data Theft Poses a Serious Threat
How would you feel if every time you opened your front door you were attacked by thieves? Obviously, you wouldn’t feel safe.
Companies have the same experience every time hackers try to access their databases with an eye toward stealing the identities of their customers. Natalia da Silva, director of Latin American marketing and communications for Gemalto, a supplier of security software, says, “Beyond that, there is the phenomenon of technological convergence. Today’s computers and notebooks have the functionality of telephones, and [the latest] cell phones provide access to the Internet. Traffic in voice, images and confidential data is no longer secure, which contributes a great deal to the current potpourri of threats and cybercrimes.”
According to the Yankee Group consulting firm, companies in Latin America are more vulnerable to the theft of information via mobile devices, essentially through notebooks. Consultants say that Latin American countries must improve their data protection policies, especially those that involve accessing critical information.
These are the conclusions of a “Mobile Survey” conducted by the Yankee Group, which interviewed 225 information technology executives in companies located in Mexico, Brazil and Colombia. The study established, among other things, that more than 80% of those companies use a system of simple passwords for protecting data about the identity of their own users. Moreover, only big companies use ID authentification tools such as digital certificates, tokens and smart cards (digital keys and intelligent cards). Only 67% of firms in the survey use data encryption technology to protect data.
The companies in the survey were from several sectors, including healthcare, manufacturing, financial services, retailing, construction and even government. According to Andrew Jaquith, senior analyst at the Yankee Group, his company chose Mexico, Brazil and Colombia as a representative sample for the entire region, but it won’t rule out the possibility that it will duplicate its research in other countries in Latin America.
Scarcity of Information Security
Enrique Canessa, professor of engineering and sciences at the Adolfo Ibáñez University in Chile, cites several reasons why inadequate data protection is a bigger problem in Latin America than in more developed countries. “The volume of online transactions in the countries of the [Latin American] region is lower than in Europe, the United States and some markets in Asia.” As a result, those companies in the region that implement measures for data security only do so when they have reached a critical volume of transactions. “It’s only at that point that they incur the costs of safeguarding their most sensitive information.”
For the same reasons, Alejandro Mellado, professor at the School of Information Engineering at the Catholic University of Temuco (Chile), notes, “corporate investment in security systems is lower in comparison with developed nations.” An equally significant factor, argues Horst Von Brand, a professor in the information technology department at the Federico Santa Maria Technical University (Chile), is that “security software costs a great deal, which constitutes an additional hurdle for Latin American companies.”
Experts agree that other factors of a professional, educational, cultural and political nature influence the region’s slow pace of adopting security standards. These factors also act as barriers.
Mellado stresses that one of the main cultural barriers is “a lack of concern [for data security] among managers of the region’s firms, who have also failed to keep up with technological changes and the latest techniques for dealing with data theft.”
Eduardo Moreno, professor of engineering and sciences at the Adolfo Ibáñez University (in Chile), agrees. “This lack of concern means that some banks have web sites that use protection systems that provide a very low level of security-- where users access the site by using passwords that have only four digits.”
In that respect, Natalia da Silva of Gemalto emphasizes that there is a major problem in the region when it comes to passwords. “Generally speaking, the user name and password are very weak so it is easy for hackers to copy and clone them.” Moreno says that it is hard to get users to change their passwords regularly, or to get them to use more complex key systems. For that reason, he adds, “Latin American companies give up the whole idea of keys, and simplify their use, while keys for accessing data at a higher level, such as digital certificates, are not even considered” by such companies.
Adds Eduardo González, professor of engineering and sciences at the Adolfo Ibáñez University: “The problem is that even employees share access keys among themselves.” In his view, this fact reflects a failure to adopt policies that communicate to employees the importance of maintaining clear security standards.
Professional and Educational Obstacles
Mellado notes that, in Latin America, only a small number of professionals specialize in data security. This factor has had an influence on the generally low level of concern that companies have when it comes to maintaining [the latest] architecture for protecting data.
For his part, González says, “Unlike their counterparts in such countries as the United States, executives in Latin America don’t understand the numerous technology products that exist in the market for securing information. Since they don’t understand how these applications work, these products are considered less important and, ultimately, [the process of] implementing them winds up lower on the list of [corporate] priorities.”
Von Brand agrees: “Encryption – that is, codification of information so that it cannot be deciphered or intercepted – is a very efficient tool for protecting data but I have seen very serious problems occur when encryption is used inappropriately, as well as some serious problems when companies fail to use encryption at all. This problem involves education. Only a small number of professionals today know the innovations that the security industry offers, and know how to use them correctly.”
González adds that companies often tend to imitate the security policies carried out by other companies without evaluating their own needs beforehand. “When you do that, the only thing you achieve is to maintain the vulnerability of your information.”
According to Von Brand, political factors have had an influence on data security in Latin America. “We in the region have emerged from a long period of authoritarian governments under which the protection of personal data was almost a contradiction in terms. That explains why current laws give preference to the efficient access to data above protecting the identity of users.”
For example, Von Brand says that in order for business to take place between private individuals in Chile, you need a Unique Tax Number, known as a RUT. “In the United States and the United Kingdom, this sort of thing would never be possible because of the privacy risks that implies.”
Beyond that issue, “There is very low level of participation in Latin America in important events that involve information security,” notes Italo Foppiano, head of the technology architecture division of the University of Concepción (Chile). For example, he cites the Sixteenth Annual Conference of FIRST, the Forum for Incident Response and Security Teams, which took place in Budapest, Hungary in 2004. FIRST is the global organization that promotes more effective response to information security incidents by promoting best practices and the use of the latest technology.
At the Budapest conference, notes Foppiano, “There were only six representatives from the entire [Latin American] region, compared with more than 30 professionals from Asia-Pacific, and 20 specialists from Germany [alone].” One of the key reasons, he adds, is that Latin American governments only rarely participate in these areas. “That explains the scarcity of regional legislation regarding data protection and privacy.”
The Consequences of Exposure
“During the 1980s, viruses spread via diskettes. They only infected individual machines, and it took weeks or months for them to spread,” states a report called “Self-Defense Networks,” published by Cisco Systems, the supplier of information connectivity and security software, in 2006. In contrast, during the 1990s, viruses were propagated largely through e-mail and hacking incidents began to break out, affecting business networks within days or weeks, notes the report.
The study concludes that today’s threats have acquired numerous forms, and that “the impact is at a global level; the speed at which they are spread can infect hundreds of thousands of computers in only seconds.”
Add to all that, the rise of financial fraud and identity theft -- the product of the manipulation of data – as well as other more sophisticated cybercrimes such as information sabotage, a technique for obstructing the normal functioning of the system. Foppiano warns that these developments have had a major impact on Latin American companies who can wind up losing their [corporate] image and credibility.
“For small companies, the repercussions are not so harmful,” notes Mellado. However, he adds, “Medium-size and large companies are not prepared for the sort of technological change that occurs in today’s connected society, where geographical barriers have been eliminated through the Internet. The absence of security standards can deprive them of growth, and generate distrust among their customers, as well as affect their competitiveness in a globalized market.”
Mellado warns that “Often, information theft is done by the very same people who work within the organization, and that type of attack is [usually] not so sophisticated.” A recent report by International Data Corporation (IDC), the technology consulting firm, concludes that no less than 70% of all attacks are generated by employees who are unhappy about the company for which they work.
For that reason, one of the first measures Mellado recommends when it comes to reducing the risk of an attack is “to evaluate personnel before hiring them, and to make sure that a psychologist is present at this evaluation, so that you can seek out professionals who are committed to ethical behavior and integrity.”
Measures to Mitigate Vulnerabilities
In a second sort of initiative, adds Mellado, each organization should spell out a policy for managing security information. It should define responsibilities and controls for access to various levels of information. “A third measure is to apply systems for encryption, and a fourth would be to apply tools for authentification with encryption keys as well as biometric identity controls.”
For his part, Foppiano suggests that “security standards must be supported by senior management, reaffirming their commitment to these issues as required by ISO 27001:2005, the standard governing management practices for information security.”
“Data security is a comprehensive practice that starts with auditing [the current condition of data security] and [then moves on to] programming and examinations, up to the point of launching the actual operations,” says Von Brand. “This also means incorporating security concerns in [a range of] professional training programs. Unfortunately, this sort of approach is only in its infancy” in Latin America.
As for key legislation, Von Brand stresses that “the current penal system needs urgently to be modernized when it comes to security concerns, such as the concept of ‘electronic evidence,’ which will require a special definition for classifying electronic crime.”
Foppiano notes that Chile has already taken the first step toward approving an electronic signature. “For their part, Mexico, Brazil, and Argentina have all established teams for responding to security incidents, which directly support government efforts in those topics.” The growth of technical groups that benefit from such global organizations as FIRST, he adds, can promote greater awareness and knowledge about data security issues.
“Without doubt, however, Latin America faces a huge challenge when it comes to setting up a legislative framework that regulates data protection and privacy,” states Foppiano.