With more than 84% of its population online, South America is one of the world’s most connected regions, trailing only Europe and North America in internet penetration. It’s also one of the world’s biggest digital markets, with more than 368 million internet users in all.
It’s no wonder that cyber attackers see it as a prime target.
As the region undergoes a digital transformation, it faces a growing deluge of ransomware, business email compromise (BEC), phishing, and other attacks. Case in point: our annual State of the Phish report found that more than 70% of organizations in Brazil faced at least one successful phishing attack in 2022.
Chelian Senator Kenneth Pugh isn’t surprised. Representing the country’s Valparaíso Region since 2018, Pugh was key in backing a law that declared October “Cybersecurity Month” in Chile. (Chile is one of the region’s most digitally advanced; it has the highest percentage of internet users and the fastest average broadband speeds.)
The former Chilean navy officer views cybersecurity and its importance as a joint mission of government and the private sector. Last year he helped to pass a bill protecting the country’s critical infrastructure. He also took part in crafting new laws on intelligence, personal data protection and computer crime. In his Senate role, Pugh is now working on legislation to set cybersecurity standards and protect critical infrastructure. Among other measures, the proposal would create a new national cybersecurity agency for Chile.
Pugh recently spoke with Proofpoint to share his views of the threat landscape in Latin America and what’s next for the region:
What is the state of cybersecurity in Latin America? How are the threats targeting organizations in the region similar to or different from those in other regions?
The state of cybersecurity in Latin America is at an “intermediate to low level.” That is according to measurements done every four years by the Organization of the American States (OAS), which follows the cybersecurity capacity maturity model developed by Oxford University. In the last report from 2020 the most mature countries in the region were deemed at stage 2 to 3 (out of 5) on each dimension.
There are some common threat actors with global range. There are also a few local ones—like the “Red Guacamaya” group that targeted large companies and government organizations last year.
Is there a perception gap between the threats organizations face and their awareness of or preparedness for those threats? Or between security leaders in the region and their users?
Indeed, there is a perception gap. Criminal actors in cyberspace have all the resources—time, talent and money—and no rules to follow. Government and industries must follow the rules. And sometimes, they don’t have adequate resources to face cyber attacks.
You can have certain awareness in your preparation time. But during an attack, you may face organizational and preparedness issues [that hinder your ability] to respond adequately. You have to prepare your organization for these scenarios.
Security leaders need to expand beyond the IT department and be more present across the organizations they serve—sometimes they are not even heard enough by their corporate governance. We need qualified cybersecurity directors on boards.
As the internet is all around our lives, we also need a new breed of politicians to be security leaders in cyberspace to help protect people and their rights. For example, freedom of speech is a human right to protect in cyberspace. But it is a right for humans—not for artificial intelligence (AI).
What is needed at an individual country level to effectively meet the challenge of combatting the growing volume and sophistication of threats in the region?
[We need] more talented people with sound knowledge and experience in cybersecurity to quickly adapt and react to new ways of attack, new TTPs (tactics, techniques and procedures). [We also need] the support of AI in this process to speed up the response. Once this talent and cyberculture is developed, [we need to] take the initiative to disrupt those attacking forces.
What are the roles of government and the private sector in cybersecurity, and are they different from other regions? Are there opportunities for the two to work together? Is there a danger of over-regulation from government agencies trying to respond to fast-evolving threats.
Government should define a permanent policy on these issues, a strategy to face the situation with clear and measurable objectives [that are achievable within a defined timeframe] and produce public policy 2.0 with clear rules for everybody—and then enforce these rules. Technology is evolving very fast, so once you have done a complete measurement, this process should be reviewed at least every four years, as the OAS does.
The private sector must follow the rules stated by the government and prepare their people. They need to invest in cybersecurity training for their teams, including participation in international security challenges. They should also invest in updating hardware and software, and creating a company culture on cybersecurity that starts with corporate governance at the board level. And they should test their capabilities using external company’s services.
Is there a danger of over-regulation from government agencies trying to respond to rapidly evolving cyber threats?
There is risk involved in over-regulating a specific technology, of course. Public policy 2.0 should be based on data and evidence, not on a particular technology.
Cyber-criminal actors do not follow rules or regulations. They have significant resources and time. On the other side, government and companies follow rules and have limited access to resources.
The definitions of principles and the creation of a new cybersecurity culture in both industry and government are essential. This problem can’t be addressed and solved just by the industry or the government alone. Public-private sector collaboration is a must.
What advice would you give to Latin American organizations aiming to stay secure without impeding business processes or user productivity?
Be one step ahead of cyber criminals. Invest in your cyber teams and equipment. Update and research constantly. Conduct training with internal and external teams and make them compete in cybersecurity challenges and training exercises. That will help to create a new cyber culture in your organization.
Try to follow zero trust best practices and invest in a robust digital identity. Also, invest in the knowledge of all members of the organization—including the third parties you work with—so they know how to recognize and avoid phishing or disinformation campaigns.
Learn how Proofpoint helps organizations in South America protect people and defend data.