Latin American companies, governments need more focus on cybersecurity

For the first time, over a dozen cybersecurity companies have come together to produce an agnostic study titled LATAM CISO Report 2023: Insights from Industry Leaders. More than 200 CISOs in the Americas region, in addition to the Inter-American Development Bank (IDB), Latin American Federation of Banks (FELABAN), and the World Economic Forum (WEF), contributed to the report. Duke University conducted the survey.

The 2023 LATAM CISO Report offers different cybersecurity perspectives of industry leaders in Latin America. The report was created to identify gaps in security and the needs and limitations of organizations in Latin America that are preventing them from better securing themselves against cyberattacks. This document presents findings from a survey of leaders throughout the Latin American region. It provides guidelines and recommendations for creating public policies to develop and strengthen cyber capabilities.

LATAM cyberattacks increasing

More than 1,600 cyberattacks are reported in Latin America per second, making cyberattacks one of the fastest-growing security problems in the area. The data collected in the report reveals that the economic damages of cyberattacks could exceed 1% of some countries in the Americas’ GDP and rise to 6% if critical infrastructures are attacked. Additionally, only seven of 32 countries analyzed by the Inter-American Development Bank (IDB) have plans to protect their critical infrastructure from such attacks, and only 20 have computer emergency response teams (CSIRTS).

Major findings of the report include that more than 70% of respondents said that the number of attacks on their organization has increased from the previous year. It highlights phishing and ransomware as some of the most prominent cyberattacks facing this region and concludes with recommendations on constructing public policies to address these rising threats.

Many organizations take the increasing threat of zero-day attacks seriously, and room for growth remains. Over half of all organizations (60.83%) perform security risk assessments only at least once a year (33%) or at least twice a year (28%). LATAM CISOs reported that patches were applied within 30 days (29%) or 60 days (26%).

Over 50% of respondents reported providing security awareness training monthly (26%) or quarterly (25%), with others doing so at least twice a year (18%) or once a year (22%). Only 8% reported a complete lack of security awareness training. When asked about C-level executives, 47% of respondents believed those executives had a “moderate awareness and knowledge of strategic cybersecurity issues,” and 41% believed they have “enough awareness.”

New approach to cybersecurity budgets, frameworks needed

The report also highlights many areas that require more focus from governments, such as budgets, patching, and multi-factor authentication. Developing customized approaches to budgets can ensure that citizens and businesses have the right assistance to protect their data and networks. Additionally, governments should promote the creation of cybersecurity frameworks that require organizations to conduct ongoing vulnerability testing and manage government funds for conducting such assessments. Cybersecurity operations should take an approach that combines security operations with technology, improving visibility, orchestration capabilities, and operational feedback to build up cyber resilience.

It is the hope that this report enables organizations to thoroughly examine their cybersecurity capabilities and understand what next steps to take to increase resiliency against attacks. The LATAM CISO Report 2023 found that while efforts are being made to strengthen capabilities, the threats persist at concerning rates. Organizations and governments must continue to pay more attention to their vulnerabilities and take proactive steps to address them.

Belisario Contreras is senior director, global security & technology strategy at Venable LLP. The views expressed in this article are those of the author alone and not of his employer.