Francisco Lomas has worked for sixteen years as the Chief Innovation Officer at Kruger Corporations. Kruger Corporations has been working as a multinational enterprise in the technology industry for twenty-six years in ten countries. Francisco has extensive experience in the software industry, especially in topics related to Business Architecture, Technological Architecture, Software Architecture, Project Management, R&D, and others.
Given his extensive experience in the technology world, we talked with him about his view of cyber security in LATAM, starting with the following question:
What is your opinion regarding issues of cyber-attacks in Latin America?
In this case, it’s important that we as technology companies create this culture, and that’s the big challenge here in LATAM. There are countries around the world more advanced than we are in terms of cyber security, and the main reason is that they take it very seriously.
The most serious attacks actually come from within our infrastructures, i.e. from our own employees. Therefore, this is where we face an extremely high cyber security challenge in Latin America.
How would you compare Latin America with other regions of the world that are more advanced in cybersecurity?
Today Latin America is not in a precarious state, but perhaps it is in a state in which it has not gained so much awareness, since there is not a strong culture immersed in our cybersecurity processes.
For example, in all our development processes it is very common for companies in this region to not consider security practices as safe code practices. Meanwhile, other countries are very committed to it, and that’s because of the education provided by their universities, and now it’s part of their culture.
If we compare ourselves to other countries such as Israel, we are a little behindhand, i.e. we are not at the point where anyone can come and extract all our information. However, we could improve much more. Certainly, what we need is to implement more culture and encourage more research.
What kind of projects does Kruger take into consideration to promote the issues of cybersecurity, both internally and with its customers?
Internally, we are aware of everything about cybersecurity and its needs. I.e., since we have a design to prepare, we are conscious of how much security it needs. We also have minimum degrees of safety. For example, we do not allow any application to work unless it has SSL or TLS encryption. Also, the authentication, authorization and audit processes must be defined clearly. We keep staff aware of any issue and we are incorporating DevSecOps practices in the scenario that we have customer DevOps cycles, where testing and security practices are included.
With clients, we understand their environment and when they are exposed, so we are in a position to recommend safety measures. This will also depend on the client: if it is a government client, they usually have their own security measures already specified, while there are others who don’t have them, and this is where we recommend the basic measures that should be implemented. In this way, we try to make people understand how much danger exists if they don’t protect their company. We tell them this so they can be aware of the problems and current situations, but we are conscious of how we say it because we don’t want to cause panic.
Which solutions or technologies are available now or in the future for an enterprise (either small or medium) to avoid those attacks?
Undoubtedly, it is a necessity for companies, whether small, medium or large. They need to update and seek professional advice. Companies should be concerned, and protect all their information; it is not considered “best practices” to protect only certain types of information randomly. That is why we recommend classifying the information, because it is the first step you need to consider before analyzing any protection strategy.
Another recommendation is to keep the information in the cloud. There are companies that offer these services and can support this even in any part of the world.
In the not too distant future, with the topic of Artificial Intelligence, you will find more independent and even autonomous services that will help companies to prevent these attacks. How do they do it? By evaluating, preventing, and even making defenses of what is going to happen. We can see certain trends in large companies such as Microsoft, which is currently including Artificial Intelligence in their antivirus to detect threats that were not so easy to handle. In addition, with economies of scale and others, it will be more accessible for a small and medium company to access a SOC, which is currently expensive in Latin America.
What kind of rules or tools can a company implement without incurring a high investment in cybersecurity?
It’s common to see that companies haven’t applied protection systems such as antiviruses, and that’s not a good thing. I would recommend that at least all computers have antiviruses or firewalls; these measures are the basics of protection, and companies should start with these main points. Another thing that you have to keep in mind is that hackers are after valuable information; this is why you have to protect it, because it’s a necessity, and if they don’t protect it, the company could have huge losses. The last recommendation is that companies should learn, understand and efficiently use the Triple “A” rule: Authentication, Authorization and Audit, as a process and a protection strategy, and in their culture.