CYBERSECURITY MARKET ANALYSIS
BUSINESS INTELLIGENCE UNIT (UIN)
Authors:
Marco Erick Espinosa Vincens, Head of Unit
Claudia Esteves Cano, Executive Director of Strategy
José Manuel Cortés, Innovation and Knowledge Management Coordinator
Julio S. Rodríguez, Senior Project Consultant
Luisa Regina Morales Suárez, Editorial design
© January 2018, ProMéxico
www.promexico.mx
Produced by:
Images downloaded from: unsplash.com / pixabay.com / pexels.com
Icons downloaded from: flaticon.com
TABLE OF CONTENTS
EXECUTIVE SUMMARY 4
DIGITAL REVOLUTION 6
CYBERCRIME GLOBAL OVERVIEW 14
CYBERSECURITY GLOBAL OVERVIEW 22
REGULATORY OVERVIEW 27
BEST PRACTICES 30
DIGITAL TRENDS IN MEXICO 37
CYBERCRIME IN MEXICO 40
CYBERSECURITY OVERVIEW IN MEXICO 45
MEXICAN CYBERSECURITY SUMMARY 55
APPENDIX 63
EXECUTIVE SUMMARY
Our analysis has reinforced the importance of the cybersecurity industry as a whole and its growth prospects, globally as well as in Mexico. Some specific areas of improvement were also highlighted. The main results have been as follows:
- Given the increasing connectivity in the personal, corporate and urban environments, dependence on technology and the related vulnerabilities and risks of cyber-attacks are increasing. Equally, the cycles of technology innovation are shortening, affecting both adoption and reaction times.
- The megatrends that are becoming increasingly relevant across all geographies, such as Big Data and Cloud solutions, Internet of Things (IoT), Industry 4.0 and the rapid development of Smart Cities, will continue to be the main drivers for the industry.
- The higher the digitalization level of an individual or a company, the greater the vulnerability of the related devices and systems. Cybercrime has had an estimated financial impact of US$575 billion per year, representing 0.5% of global GDP. The main motive behind cyber-attacks remains financial, and the most exposed industries are financial services, as well as different branches of the public sector.
- As at the global level, market demand in Mexico is high; there are several large international companies, but also some national ones, benefitting from the growth of the industry. There is a clear requirement for an increased product offering (specifically for SMEs) and more competition within the sector. Dedicated IT clusters could be a solution to develop lower-cost cybersecurity products and services.
- There are several building blocks of the industry that will continue to enable its future development: the basis of the legal and regulatory environment has been established and a national cybersecurity strategy has been defined, both of which should make way for the necessary improvements in the execution of the defined laws and regulations.
- Universities are adding cybersecurity careers to their portfolio, but not at a sufficient rate, and the costs of the necessary certifications remain relatively high. Every degree program could include a cybersecurity awareness course, and investment in cybersecurity communication is needed.
- General awareness building and training for companies as well as individuals on good practices to minimize cybersecurity risks are key for the user community to operate in the current and future digitalized and connected environment.
DIGITAL REVOLUTION
DIGITAL IS INCREASINGLY BECOMING A KEY TOPIC IN BUSINESS STRATEGY
Digital Transformation / Technological Evolution
On top of CEOs' mind: Technology
- By 2020, 33% of large enterprises will be information-based businesses.
- One of the top 3 priorities of CEOs for the next 3 years is implementing disruptive technologies, and 47% are concerned whether their organization is keeping up with new technologies.
- 41% of CEOs said their company will be significantly transformed in the next 3 years.
- 74% of CEOs said their company is striving to be the disruptor in its sector.
- 65% of CEOs will have spent at least 5 years in some kind of technology leadership role.
On top of CEOs' mind: Cybersecurity
- CEOs recognize there is work to be done to protect their organization, with 58% of CEOs not feeling fully prepared for a cyber event.
- 30% of CEOs rank cyber security as one of the top 5 risks for the next 3 years.
- 56% of CEOs are concerned about the data they are basing decisions on.
Source: KPMG analysis with information from IDC and KPMG's Global CEO Outlook 2017
TECHNOLOGY OVERVIEW
TECHNOLOGY EVOLUTION
Technology evolution has had key moments through history, such as the first computer and the creation of the WWW; however, in recent years its changes have been faster, deeper and more complex, changing interactions and human routines.
MAINFRAMES (1940-1970)
- The first computer worked with a binary system and vacuum tubes.
- Later on, computers could be reprogrammed and worked with transistors, allowing computers to be cheaper, faster and smaller.
- Minicomputers appeared in the 60's with keyboard and monitor, increasing their reliability and reducing their energy consumption.
- Computers could be personalized with software.
PC/SERVER (1980's)
- Personal computers (PC) appeared in the market, which led to the microcomputer industry boom.
- Network file systems similar to local storage were developed, allowing users on a client computer to access files in a network.
- Banks of servers were installed in several companies, so data rooms were created.
INTERNET (1990's)
- The World Wide Web was created and every company wanted fast internet connectivity and nonstop operations.
- Server rooms started to grow and needed larger facilities, so data center services became popular.
- The Internet allowed faster and more efficient connectivity, with access to information and companies from all over the world.
E-COMMERCE/CLOUD (2000)
- Delivery companies were created through simple websites, enabling e-commerce.
- Online marketplaces started increasing, allowing customers to compare prices and reviews.
- Online storage and infrastructure services were being developed, a predecessor to cloud-based services.
- The first smartphones appeared in the market, allowing internet access in your hand.
DIGITAL (2010)
- Data centers became virtual and global, becoming more efficient and cheaper.
- Companies used Big Data to store, analyze and monetize information about their business, making datafication a trend.
- Constant connection and communication (hyperconnectivity) appear in the industry.
- Digital labor and professional augmentation.
- Artificial intelligence.
Source: KPMG analysis with information from Dublin City Council and Forbes.
TECHNOLOGY OVERVIEW
TECHNOLOGY TRENDS
EMERGING TECHNOLOGIES MEGATRENDS
The force and speed with which technological innovation is moving through the economy is creating an inflection point for the business sector.
In terms of technology, there are three main trends that cluster the expected improvements that will strengthen business capability:
ARTIFICIAL INTELLIGENCE EVERYWHERE: Deep Learning, Deep Reinforcement Learning, Artificial General Intelligence, Autonomous Vehicles, Commercial UAVs (Drones), Conversational User Interfaces, Enterprise Taxonomy and Ontology Management, Machine Learning, Smart Dust, Smart Robots, Smart Workspace
TRANSPARENTLY IMMERSIVE EXPERIENCES: 4D Printing, Augmented Reality, Brain-Computer Interface, Connected Home, Human Augmentation, Nanotube Electronics, Virtual Reality, Volumetric Displays
DIGITAL PLATFORMS: 5G, Digital Twin, Edge Computing, Blockchain, IoT Platform, Neuromorphic Hardware, Quantum Computing, Serverless PaaS, Software Defined Security
Source: KPMG analysis with information from 1) Gartner 2017, 2) Gartner 2017 Hype Cycle for Emerging Technologies.
HYPE CYCLE FOR EMERGING TECHNOLOGIES
Figure: Hype Cycle for Emerging Technologies, as of July 2017 (axes: Expectations vs. Time). Phases: Innovation Trigger, Peak of Inflated Expectations, Trough of Disillusionment, Slope of Enlightenment, Plateau of Productivity. Plateau will be reached in: less than 2 years, 2 to 5 years, 5 to 10 years, more than 10 years.
Technologies plotted: Smart Data, Augmented Reality, Blockchain, IoT Platform, Software-Defined Security, Artificial General Intelligence, Deep Reinforcement Learning, Human Augmentation, Conversational User Interfaces, Serverless PaaS, Virtual Reality, Digital Twin, Volumetric Displays, 5G, Enterprise Taxonomy and Ontology Management, Brain-Computer Interface, Quantum Computing, Neuromorphic Hardware, Augmented Data Discovery, Cognitive Expert Advisors, Smart Workspace, 4D Printing, Commercial UAVs (Drones), Cognitive Computing, Nanotube Electronics, Autonomous Vehicles, Machine Learning, Connected Home, Virtual Assistants, Smart Robots, Edge Computing, Deep Learning.
TECHNOLOGY OVERVIEW
STRATEGIC TECH TRENDS – SMART CITIES & INDUSTRY 4.0
In the strategic sphere for technology, two main trends are being promoted and considered the highest level of digitalization: Smart Cities in a governmental/public approach and Industry 4.0 for private businesses.
SMART CITIES (1)
Main idea: A Smart City is an innovative city that, through information & communication technologies (ICTs) and other means, effectively integrates physical, digital and human systems to improve quality of life, the efficiency of urban operation and services, and competitiveness, while ensuring the satisfaction of present and future generations' needs.
Key tech enablers: Networking and communications; Open data; Urban Operating System.
INDUSTRY 4.0 (2)
Main idea: Industry 4.0 is the new industrial revolution that introduces digital technologies and digital transformation to the industries. It addresses the digitalization of complex value chains, aiming at future cross-industry models with high digital technology use.
Key tech enablers: Simulation and prototype; Augmented reality; Robotics; Additive manufacturing; Cybersecurity; Process integration.
Shared key tech enablers: Cloud computing; Internet of Things (IoT).
Source: KPMG analysis with information from 1) Department for Business Innovation & Skills and IEEE 2017, 2) Gartner 2017 and IEEE 2017
TECHNOLOGY OVERVIEW
TACTICAL TECH TRENDS - INTERNET OF THINGS
IoT connectivity has undergone consolidation as vendors' portfolios have become larger. The IoT market is expected to grow at a 17.8% CAGR from 2017 to 2025, enabling smart solutions in major industries.
OUR PERSPECTIVES
- In terms of people rather than companies, IoT for medical uses, connected homes and wearable technology are expected to be the main trends.
- As Big Data and Cloud solutions mature, new applications for IoT solutions arise, driving growth for this industry. In global terms, predictive maintenance, smart agriculture and smart cities are considered key drivers for the IoT industry.
- By 2020 it is expected that 50 billion devices will be connected through IoT. Connected devices per person, which barely reached 2 in 2010, are expected to grow at a 13% CAGR, reaching 7 devices per person by 2020.
- Key challenges to growth are the security and scalability of all new connected devices and the adherence to open standards to facilitate large-scale monitoring of different systems.
MARKET SIZE
IoT (1) installed base, global market (Billions USD; later years are forecast; CAGR +17.8%):
2015: $15; 2016: $18; 2017: $20; 2018: $23; 2019: $27; 2020: $31; 2021: $36; 2022: $43; 2023: $51; 2024: $62; 2025: $76
CONNECTED IOT (1) DEVICES IN 2017 AND EXPECTED CAGR
Connected IoT devices in 2017 (billion objects): Military & aerospace 0.01; Automotive 0.20; Medical 0.32; Computers 1.70; Industrial 3.60; Communications 6.00; Consumer 8.00.
CAGR 2015-2025 per category, as shown on the chart: 13%, 22%, 18%, 2%, 28%, 9%, 16%.
Note: (1) IoT: the network of physical objects that contain embedded technology to communicate and sense or interact with their internal states or the external environment. Source: KPMG analysis with information from University of Maryland University College (UMUC), Cisco IBSG and IHS
TECHNOLOGY OVERVIEW
TACTICAL TECH TRENDS – CLOUD
Rapid growth in the Cloud Computing market can be attributed to increased customer confidence in technology, mainly driven by customized service delivery models and cost-effective product offerings.
- In terms of people rather than companies, Cloud is still a disruptive trend mainly used for individual storage purposes and communication via Cloud-based apps.
- The Cloud Computing market is expected to almost quadruple in value between 2015 and 2020, reaching 270 billion USD.
- The main benefit of cloud solutions is that they are capital-expenditure-free, flexible and scalable solutions that can be accessed from any location, without the hassle of maintenance. Growth in adoption is predominantly driven by an increased sense of security (trusted companies), customized solutions and lower cost for companies:
• Security, privacy and regulatory concerns in cloud usage have shaped the growth of Cloud solutions, helping to accommodate traditionally conservative industries such as Healthcare, the Public sector and Financial services.
• Cloud services are shifting away from a "one size fits all" solution towards a more flexible business model in order to accommodate the needs of individual businesses (e.g. capacity volume, maintenance and service levels).
• As datacenters grow in size, cloud solution costs decrease rapidly, making them affordable and attractive for companies.
- Key challenges to growth revolve around the reliability and real-time accessibility of the network (e.g. minimizing the impact of maintenance downtime).
Global Cloud Market (Billions USD; later years are forecast; CAGR +30.0%):
2015: 73; 2016: 95; 2017: 122; 2018: 159; 2019: 208; 2020: 270
Global Cloud Computing market structure (axis: required investment / scale of operation). Key solutions:
- SaaS (Software As A Service): cloud-hosted software solutions offered to clients via the internet; maintenance, storage and installation of software.
- PaaS (Platform As A Service): operating system to develop and run software; platform that connects client software with database software.
- IaaS (Infrastructure As A Service): physical data storage across different locations; infrastructure (e.g. networks, servers); maintenance and administration.
Source: KPMG analysis with information from KPMG Germany and Market media research
TECHNOLOGY OVERVIEW
TACTICAL TECH TRENDS - URBAN OPERATING SYSTEMS (UOS)
By 2020 it is expected that the global market for smart urban systems will reach 400 billion dollars. The benefits of this technology are broad but should be weighed against the cost of potential attacks.
Connectivity, a new urban mobility plan and a security strategy are expected to be the main trends.
Definition: UOS provide one of the platforms for the IoT. They enable Living Cities and machine-to-machine (M2M) communication.
UOS platform: It is fed information from an integrated sensor network within the urban environment.
Key areas:
- Transportation-mobility: electronic market for optimized travel; SMART "Future Mobility" project; the road to future urban mobility; estimating social welfare of traffic information systems.
- Networks: motion coordination and vision-based control of unmanned air and ground vehicles; resilient design of networked infrastructure systems: models, validation, and synthesis.
- Sensing and data mining, e.g. mining big data to link affordable housing policy with traffic congestion mitigation in Beijing, China.
- Urban and regional systems, e.g. a simulation-based optimization algorithm for dynamic large-scale urban transportation problems.
Challenges: Communication, security, availability, resiliency, energy efficiency, network bandwidth, focus on the citizens, Big Data and standards.
Benefit of UOS:
• Access to a mailbox everywhere in the city,
• A complete transformation of retail and leisure,
• Enhanced tourism,
• Solutions for transportation,
• Healthcare and public safety,
• Facilitating the industrialization of the internet.
Limits: High cost, not enough server capacity, and lack of coverage.
Investment: By 2020 it is expected that the global market for Smart Urban Systems will reach 400 billion dollars.
Main companies to offer Urban Operating System:
Source: KPMG analysis with information from the University of Sheffield, Civil and Environmental Engineering MIT, and IEEE.
CYBERCRIME GLOBAL OVERVIEW
GLOBAL TRENDS AND THREATS
GLOBAL CYBER RISKS
The higher the digitalization level of a company, the greater the vulnerability of its systems. Cybercrime costs the world US$575 billion per year, representing 0.5% of the world Gross Domestic Product.
Cyberattacks are ranked within the top 10 global risks in terms of likelihood of occurrence, together with extreme weather events, large-scale involuntary migration, natural disasters, and terrorist attacks. In terms of impact, cyberattacks are positioned above the average of the evaluated risks, whose top 3 include weapons of mass destruction, extreme weather events and water crises.
The rise of cyber dependency, due to the increasing digital interconnection of people among different infrastructure networks, is increasing the scope for systemic failures.
Map: cybercrime loss as a percent of GDP, by country. Countries shown: Brazil, South Africa, Colombia, Mexico, US, UK, Canada, Norway, Zambia, Kenya, UAE, Italy, Ireland, Saudi Arabia, Germany, Singapore, Malaysia, France, Nigeria; the values shown range from 0.01% to 1.6% of GDP.
Source: KPMG analysis with information from CYBERCRIME LOSS AS A PERCENT OF GDP (McAfee 2014) and The Global Risks Report (World Economic Forum 2017)
WORLDWIDE CYBERSECURITY DIAGNOSTIC
EVOLUTION OF CYBER-ATTACKS
From 2005 to 2017, 5,290 billion identities and data records have been stolen. Personal financial information accounted for almost 40% of the data.
Notable breaches by year:
- 2002: Several companies; ShadowCrew, with around 4,000 members, was able to siphon information on 45 million credit and debit cards.
- 2005: AOL, Citigroup, CardSystems Solutions; e-mail addresses sold to spammers and credit card fraud enabled.
- 2006: US Dept. of Veterans Affairs, T-Mobile, AOL; criminals stole information from high-profile German citizens, and a computer containing important personal data was lost.
- 2007: TK/TJ Maxx, UK Revenue, TD Ameritrade, Hannaford Brothers Supermarket Chain; data on people and their credit and debit cards was stolen.
- 2008: Utah Hospitals & Clinics, University of Miami, UK Ministry of Defence; social security, health information, bank details, addresses and salaries were stolen.
- 2009: Virginia Dept. of Health, US Military, RockYou, Heartland; patient records, incentive payments, user accounts.
- 2010: New York City Health & Hospitals, JP Morgan, Educational Credit Management Corp., Betfair; credit card data, personal records.
- 2011: Washington Post, Tricare, Sutter Medical Foundation, Sony PSN; user IDs, email, patient data, personal data, credit card data.
- 2012: Zappos, Iranian banks, South Carolina Government, 7-Eleven, LinkedIn, Greek government, Dropbox, Apple; personal information from patients, credit card data.
- 2013: Yahoo Japan, Vodafone, Tumblr, Snapchat, NMBS, LivingSocial, Kissinger cables, Evernote, Adobe; personal data, diplomatic records.
- 2014: Yahoo, UPS, Target, Sony, New York Taxis, Japan Airlines, Home Depot, eBay, Gmail; personal information from patients, credit card data, GPS routes.
- 2015: Voter Database, US Office of Personnel Management, mSpy, British Airways; voter data, personal data (eye color, friends, etc.).
- 2016: MySpace, Banner Health, Anthem, Dailymotion, Mobile company, Telegram; banking details, users, passwords, personal info.
- 2017: Deloitte hack; information on at least 350 key accounts compromised.
Data and identities stolen (in millions), 2005-2017:
2005: 44.2; 2006: 70.3; 2007: 156.3; 2008: 130.0; 2009: 256.8; 2010: 16.1; 2011: 229.0; 2012: 704.5; 2013: 1,252.3; 2014: 913.0; 2015: 429.0; 2016: 506.3; 2017: 601.0
Source: KPMG analysis with information from Symantec volume 22, IDTheftCentre and DataBreaches.net.
GLOBAL TRENDS AND THREATS
GLOBAL CYBER ATTACKS (1/3) – TYPE OF TECHNOLOGY AFFECTED
It is not only about who is affected or why it is happening; the affected technology will determine the damage of an attack. Protecting a company is not enough if the user devices remain vulnerable.
Asset
Security incidents per type of asset (incidents): User Devices 6,769; Server 3,426; Media 1,637; Person 1,181; Kiosk/Terminal 121; Network 20.
User devices were clearly the main target in terms of security incidents.
Action
- Hacking: 62% of breaches featured hacking; 81% of them leveraged stolen or weak passwords.
- Misuse: 14% of breaches involved privilege misuse.
- Malware: over half (51%) of breaches included malware. Ransomware represents more than half of malware incidents.
- Social: 43% were social attacks.
- Errors: errors were causal events in 14% of breaches.
- Physical: physical actions were present in 8% of breaches.
Hacking and malware have grown within the past 10 years with a clear exponential pattern.
Pattern
Security incidents per incident classification pattern (percentage). Patterns shown: Else, Web App Attacks, Payment Card Skimmers, Cyber-Espionage, Physical Theft and Loss, Privilege Misuse, Crimeware, Miscellaneous Errors, Denial of Service, Point of Sale. Shares shown on the chart: 10.7%, 11.5%, 14.3%, 14.9%, 29.5%, 8.0%, 4.6%, 0.3%, 3.8%, 2.4%.
In terms of incident classification patterns, Web App Attacks, Cyber-Espionage and Privilege Misuse represent more than 50%.
Source: KPMG analysis with information from 2017 Data Breach Investigations Report, Verizon
GLOBAL TRENDS AND THREATS
GLOBAL CYBER ATTACKS (2/3) - WHO IS BEHIND THE ATTACK
It is not only about filtering threats, but also about insiders' learning capacity, because as long as stakeholders have knowledge, motives and entry points, cyber attacks will remain a risk for countries, businesses and people.
Groups
Cyber attacks will show different patterns and outcomes depending on the stakeholders behind them. There are several groups that attack for a specific reason:
- Nation state - Cyber warfare - Cyber espionage
- Organised crime
- Individual criminal
- Hacktivists
- Insiders - Inadvertently or deliberately
In these attacks, organized crime is often involved and sometimes works with other groups, such as internal actors, partners, outsiders and multiple parties.
Behind the breaches (Stakeholders)
- Outsiders: 75% of the breaches were perpetrated by outsiders.
- Organized criminal groups: 51% of the breaches involved organized criminal groups.
- Internal stakeholders: 25% of the breaches involved internal actors.
- State-affiliated stakeholders: 18% of the breaches were conducted by state-affiliated actors.
- Multiple parties: 3% of the breaches featured multiple parties.
- Involved partners: 2% of the breaches involved partners.
Source: KPMG analysis with information from 2016 Data Breach Investigations Report, Verizon
GLOBAL TRENDS AND THREATS
GLOBAL CYBER ATTACKS (3/3) - MAIN DRIVERS
Cyber attacks will persist as long as motives keep exceeding risks and regulations. While financial motives have driven attacks for many years, others have gained importance, such as information-based power sponsored by espionage.
Threat actors' motives
There are different motives that may trigger cyber attacks, thus a segmentation enables a more specific analysis, not only for countries but also for industries. Each of the following groups presents a main motive for a cyber attack and sub-categories or examples to explain the main idea.
- Financial: Money; Bribery; Identity theft
- Espionage: Coercion; Military motives
- Ideology: Protest/Influence; Justice; Generate chaos/vulnerability
- Grudge: Immobilize the competition; Revenge
- Fun: Curiosity; Challenges; Adrenaline
- Others
Share of incidents by motive: Financial 63.0%; Espionage 26.0%; Others 11.0%.
During the last four years espionage has gained share from financial motives as the motivation behind executing a cyber attack, exceeding 25% of the incidents.
Although there is an expected growth in espionage motivation, the market's perspective states that financial motives will remain the key factor for cyber attacks.
Source: KPMG analysis with information from 2016 Data Breach Investigations Report, Verizon
GLOBAL TRENDS AND THREATS
AFFECTED INDUSTRIES
Depending on the nature of a business and the sector in which it operates, a company is exposed to its own set of cyber risks.
Most affected industries
- Financial institutions and the healthcare sector are the most exposed industries in terms of cyber risks, not only because of the number of data breaches that have occurred but also because of the sensitivity of the data and the impact of each loss, ranging from economic loss to loss of life.
- Energy, utilities, transport and telecommunications sectors are becoming key industries in terms of cyber risks because of the sensitivity of the data and the severity of the possible outcomes.
- A major cyber-attack or incident involving an energy or utility company could result in a significant outage, physical damage, or even loss of life, while a cyber war between two countries could disrupt internet services around the world.
Data breaches per industry (percentage): Finance 24.3%; Healthcare 15.3%; Public 12.4%; Accommodation 10.4%; Manufacturing 6.4%; Other services 6.3%; Information 5.8%; Professional 5.6%; Retail 4.8%; Education 3.8%; Unknown 3.5%; Administrative 1.4%.
Source: KPMG analysis with information from 2016 Data Breach Investigations Report, Verizon
GLOBAL TRENDS AND THREATS
THE REAL COST OF A STOLEN RECORD
Due to the sensitivity of the information, data across industries is not worth the same. On average, a stolen record costs $141, while for the Healthcare industry it costs more than $380 and for the public sector $80.
Average cost of a stolen record (US Dollars), by industry. Industries shown: Consumer, Public, Energy, Media, Research, Industrial, Retail, Communications, Technology, Transportation, Life science, Hospitality, Education, Services, Financial, Healthcare. Values shown range from $71 to $380, with the overall average at $141.
Cost reduction of each stolen record with Cyber Security implementation (US Dollars) and cost increase of each stolen record (US Dollars). Factors shown: Incident response team; Extensive use of encryption; Provision of ID protection; Consultants engaged; Rush to notify; Lost or stolen devices; Use of mobile platforms; Compliance failures; Extensive cloud migration; Third party involvement; Employee training; BCM; Threat sharing; Use of DLP; Insurance; CISO; Use of security analytics; Data classification; Board involvement; CPO appointed. Per-factor reductions shown range from -$19 to -$5 per record; the two panels are labelled -74% and +49%.
Source: KPMG analysis, with information from 2017 Cost of Data Breach Study: Global Analysis, Ponemon Institute/IBM
CYBERSECURITY GLOBAL OVERVIEW
CYBERSECURITY MARKET SIZE
The global cybersecurity market is estimated to grow at a CAGR (1) of 18.1% to reach 203 billion USD by 2021, even though the growth projection is unlikely to be linear. The historical lack of reported incidents and the ever-changing environment of the industry make future projections challenging.
Cybersecurity market (Billion USD; later years are forecast; CAGR +18.1%):
2015: $75; 2016: $89; 2017: $105; 2018: $124; 2019: $146; 2020: $172; 2021: $203
- Cybersecurity market size is expected to grow at a two-digit CAGR for the next 5 years, exceeding 200 billion dollars by 2021.
- Cybersecurity industry growth is expected to be driven mainly by 3 factors: the increase of people's connectivity, cybercrime and digital trends.
- Protection needs against cybercrime will boost the cybersecurity industry. Cybercrime damage cost is expected to double within 6 years, reaching 6 trillion dollars.
- The rapid development of IoT devices and cloud adoption pose many changes that will act as important drivers for the cybersecurity industry, for example the struggle with the security of critical infrastructure as it becomes "smart and connected". As the number of devices connected to a corporate network increases, security moves away from the corporate perimeter to the endpoint devices, including IoT devices, increasing the network's vulnerability.
- Cloud usage leads to less hardware on premises, changing the dynamics of what needs to be secured in an organization's digital environment.
Note: (1) CAGR, Compound annual growth rate: the mean annual growth rate of an investment over a specified period of time longer than one year. Source: KPMG analysis with information from Cyber Security market report Q4 2016 and Gartner.
CYBERSECURITY GLOBAL OVERVIEW
CYBERSECURITY EVOLUTION (1/2)
The digital revolution has occurred at a fast pace, driving important growth in cybersecurity and forcing suppliers and customers to evolve and react.
Phases, aligned with the technology eras MAINFRAMES, PC/SERVER, INTERNET, E-COMMERCE/CLOUD and DIGITAL:
- RISK MANAGEMENT (1940-1970): process to manage natural disasters; first disaster recovery in response to system failure.
- DEVELOPING DECADES (1980's): virus protection developed; emergence of an antivirus industry.
- RESILIENCE ATTITUDE (1990's): business switched to online.
- RESILIENCE, REACTIVE APPROACH (2000-2010): outsourcing of services (e.g. Cloud); increase in connectivity; global shocks of phenomena: terrorist, climate, political; cyber espionage and cyber attacks turned state-sponsored; development of modern encryption.
Defensive measures, from earliest to latest as charted:
- Hardware: firewall for the biggest companies. Network: password, token. Software: antivirus signature. Standard: BS 7799, Part 1.
- Hardware: firewall. Network: private corporate network, password. Data: layers. Software: patch, update. Standard: BS 7799, Part 2. Capacity: IT department.
- Capacity: shortage of qualified security professionals, IT department and cybersecurity department. Standard: ISO/IEC 27003:2010, ISO/IEC 27001, ISO/IEC 27005. Hardware: SIEM, Anti-DDoS/DoS. Network: IAM (1). Data: layers, encryption. Software: encryption, DLP, HIPS, virtual SIEM, network forensics. Cost of attacks: USD 455 million in 2002.
Note: (1) identity and access management. Source: KPMG analysis with information from Cisco, The Wall Street Journal, MITRE, Graham, CSI/FBI 2002 Computer Crime and Security Survey, Juniper Research, speakers of BlackHat and Gartner
CYBERSECURITY GLOBAL OVERVIEW
CYBERSECURITY EVOLUTION (2/2)
PRO-ACTIVE, HOLISTIC, RISK-BASED APPROACH – DIGITAL DISRUPTION (2020-2027)
Adaptive cybersecurity defense is addressing the new, relentless and smarter threats. For the next 10 years, cybersecurity trends are expected to focus on protecting valuable information and mitigating those threats. The digital age will need strong security and ethics during the customer journey.
- Hardware: firewall, deception traps, threat protection systems, orchestration solutions
- Network: private corporate network (user rights), recognition technology, IDaaS (2), network firewall, secure web gateway (SWG) and web application firewall (WAF) platforms, nSIEM, UBA/UEBA
- Data: layers, encryption, SSL visibility, IOC, YARA rules, SDN, NFV
- Software: machine learning and artificial intelligence technologies, update, Enterprise Immune System, file integrity monitoring, proactive hunting solutions and playbooks
- Standard: ISO/IEC 27032, UL 2900-1
- Capacity: enough qualified security professionals, cybersecurity department
- Policy: cyber security policy
Note: (2) Identity-as-a-Service. Source: KPMG analysis with information from Cisco, The Wall Street Journal, MITRE, Graham, CSI/FBI 2002 Computer Crime and Security Survey, Juniper Research, speakers of BlackHat and Gartner
GLOBAL TRENDS AND THREATS
GLOBAL INDUSTRY SUMMARY
Digital trends increase systems' vulnerability, increasing cyber risks and boosting cybersecurity evolution.
- Digital: "Digital" is increasingly becoming a trending topic in business strategy, driven by the requirements of the operating environment.
- Cyber risks: The higher the digitalization level of a company, the greater the vulnerability of its systems.
- Country Analysis: Legal, technical, organizational, capacity building and cooperation are key pillars to develop and strengthen the cybersecurity industry.
REGULATORY OVERVIEW
WORLDWIDE CYBERSECURITY DIAGNOSTIC
GLOBAL ANALYSIS
Extending the rule of law into cyberspace is a critical step to create a trustworthy environment for people and businesses. However, many Latin American countries are lagging behind the most advanced ones, such as Singapore and the USA.
[Figure: Data protection law around the world, regulation and enforcement, 2017. World map shaded by enforcement level (Limited, Moderate, Robust, Heavy), with callouts on critical infrastructure law, the Budapest Convention, and e-commerce and data logistics regulation.]
Note: (1) Critical infrastructure: energy, transport, financial services, health and the food supply chain.
Source: KPMG analysis with information from DLA Piper, eMarketer and G20 report.
Critical infrastructure law: Critical infrastructure (1) is one of the main concerns of governments, and new attacks such as botnets became prevalent in 2017. The incapacitation or destruction of an asset could have an effect on security, as in the 2016 attacks in Ukraine and Israel. Personal data laws and system/infrastructure obligations were not integrated or reconciled in 2017. In 2017, President Trump signed an Executive Order on "Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure", and in 2016 the Federal Energy Regulatory Commission (FERC) developed the Critical Infrastructure Protection (CIP) standards, one of the cybersecurity standards for the US power grid. The North American Energy Standards Board (NAESB) has also approved several cybersecurity standards for various segments of the energy industry.
Budapest Convention: Through the Budapest Convention (effective in 2004) there is an international guideline that helps countries meet their requirements against attacks. It serves as a guideline for many countries; in 2017, 56 countries had signed the treaty.
E-commerce and data logistics regulation: Retail e-commerce sales reached USD 1.915 trillion in 2016, which represents 8.7% of total retail spending worldwide. They are expected to reach USD 4.058 trillion in 2020 (14.6% of total retail spending in the same period). National laws have been influenced by the United Nations Commission on International Trade Law (UNCITRAL) Model Law on Electronic Signatures (2001) and the Electronic Communications in International Contracts Convention (ECC) (2007). Currently, "trust and security" are still a challenge.
WORLDWIDE CYBERSECURITY DIAGNOSTIC
REGIONAL ANALYSIS
In 2017 every region of the world had one leading country engaged in an advanced cybersecurity program; the difficulty for the regions is to find a representative voice and to coordinate a common strategy.
Source: KPMG analysis with information from the European Commission, "Observatorio de la ciberseguridad en América Latina y en el Caribe", BID, 2017, ITU GCI and several government databases.
EUROPE
Cyber regulation and laws from the countries' union:
- Directive on security of network and information systems (NIS Directive)
- Directive on attacks against information systems 2013/40/EU
- General Data Protection Regulation
Co-operation:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- The European Network and Information Security Agency (ENISA) (Regulation 460/2004)
Response to cybercrime:
- Interpol / G-8 24/7 Network
- NATO (Cyber Defence Centre of Excellence)
- Europol's European Cybercrime Centre (EC3)
- The EU institutions' Permanent Computer Emergency Response Team (CERT-EU)
- European Defence Agency (EDA)

ASIA
Cyber regulation and laws from the countries' union: no global regulation or laws
Co-operation:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- ENISA
- The ASEAN Cyber Collaboration Centre (ACCC)
- APEC Telecommunications and Information Working Group
Response to cybercrime:
- Interpol / G-8 24/7 Network
- OECD guidelines (ICCP: Computer and Communications Policy; WPISP: Working Party for Information Security and Privacy)
- Several CSIRTs (computer security incident response teams) for the most advanced cybersecurity countries: Japan, Singapore

AMERICA
Cyber regulation and laws from the countries' union: no global regulation or laws
Co-operation:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- G-8 24/7 Network
Response to cybercrime:
- NATO (Cyber Defence Centre of Excellence)
- The APEC Telecommunications and Information Working Group (TEL WG)
- OECD guidelines (ICCP, WPISP)
- Interpol / G-8 24/7 Network
- Several CSIRTs for the most advanced cybersecurity countries: USA, Canada

AFRICA
Cyber regulation and laws from the countries' union: no global regulation or laws
Co-operation:
- Budapest Convention
- United Nations (Resolutions 55/63 and 56/121)
- G-8 24/7 Network
Response to cybercrime:
- Interpol / G-8 24/7 Network
- Several CSIRTs for the most advanced cybersecurity countries: South Africa, Tunisia

MEDITERRANEAN & MIDDLE EAST
Cyber regulation and laws from the countries' union: no global regulation or laws
Co-operation:
- Budapest Convention (3)
- United Nations (Resolutions 55/63 and 56/121)
- G-8 24/7 Network
Response to cybercrime:
- OECD guidelines (ICCP, WPISP)
- Interpol / G-8 24/7 Network
- Several CSIRTs for the most advanced cybersecurity countries: Oman, Israel
BEST PRACTICES
WORLDWIDE CYBERSECURITY DIAGNOSTIC
COUNTRY SELECTION
Based on the Global Cybersecurity Index (GCI) we selected 4 countries whose overall cybersecurity maturity serves as an example for understanding the key milestones and developments needed to strengthen a cybersecurity market.
Source: KPMG analysis with information from ABI Research and ITU.
LEGAL
• Cybercriminal legislation
• Cybersecurity regulation
• Cybersecurity training
TECHNICAL
• National CIRT
• Government CIRT
• Sectorial CIRT
• Standards for organizations
• Standards and certification for professionals
• Child online protection
COOPERATION
• Intra-state cooperation
• Multilateral agreements
• International fora participation
• Public-private partnerships
• Inter-agency partnerships
CAPACITY BUILDING
• Standardization bodies
• Good practices
• R&D programmes
• Public awareness campaigns
• Professional training courses
• National education programmes and academic curricula
• Incentive mechanism
• Home-grown cybersecurity industry
ORGANIZATIONAL
• Strategy
• Responsible agency
• Cybersecurity metrics
WORLDWIDE CYBERSECURITY DIAGNOSTIC
MOST COMMITTED COUNTRIES IN CYBERSECURITY
Singapore, with a recent rise in the ranking, the United States as a leader, and Malaysia and Oman as potential future models for neighboring countries were some of the highest ranked countries in the GCI index.
Source: KPMG analysis with information from ABI Research and ITU.
[Figure: four radar charts of Global Cybersecurity Index 2017 scores (scale 0.5 to 1) on the axes Legal, Technical, Cooperation, Capacity Building, Organizational and GCI Score, for Singapore (ranked first in 2017), United States (ranked second in 2017), Oman (ranked third in 2015) and Malaysia (ranked fifth in 2017).]
WORLDWIDE CYBERSECURITY DIAGNOSTIC
CYBERSECURITY REGULATION (SINGAPORE)
In 2017 Singapore is adopting a strict regulatory regime focused on resilience issues. Due to the rapid growth of connected objects and the lack of suitable programs in universities, it built its own cyber academy.
Source: KPMG analysis with information from ITU and the Singapore government.
Legal and regulatory experience:
• 2005 - Cybersecurity master plan
• 2008 - 2nd National cyber security master plan
• 2011 - MAS issues IT outsourcing directive
• 2013 - National Cyber Security Master Plan 2018
• 2013 - Extensive guidance in the Technology Risk Management Guidelines
• 2014 - MAS issues consultation paper on outsourcing (third parties publication) and the vulnerability assessment directive
• 2015 - MAS issues early detection of incidents directive
• 2016 - Cybersecurity Strategy
Control framework: Detailed and comprehensive framework of controls, broadly aligned with ISO 27001/27002.
Main strength: Singapore's Internet Content Providers (ICPs) and Internet Access Service Providers (IASPs) are licensable under the Broadcasting Act and are required to comply with the Internet Code of Practice to protect children online. All service providers are legally obliged to offer filtering services with Internet subscriptions and to make this known to consumers when they subscribe or renew.
Industry collaboration: Internet Content Providers (ICPs) and Internet Access Service Providers (IASPs) are obliged to comply with the Internet Code of Practice to protect children online.
Training | Certification: CSA Academy partners with FireEye.
Agencies to fight cybercrime: Cyber Security Agency (2015), formerly the Singapore Infocomm Technology Security Authority (SITSA), together with the Singapore Computer Emergency Response Team.
Incident reporting: Detailed approach to incident management, including mandatory notification of incidents to MAS; RAFFLES series of cross-market resilience exercises.
International cooperation: organized the Singapore International Cyber Week and hosted the 2nd ASEAN Ministerial Conference on Cybersecurity.
WORLDWIDE CYBERSECURITY DIAGNOSTIC
CYBERSECURITY REGULATION (USA)
Leading the ranking in terms of legal environment and capacity building, the United States sets an important benchmark for other countries. The intention to coordinate cybersecurity among all states within the USA is one of the country's key initiatives for the cybersecurity industry.
Note: (1) ICANN: the Internet Corporation for Assigned Names and Numbers, (2) National Infrastructure Protection Center, (3) National White Collar Crime Center, (4) Internet Fraud Complaint Center
Source: KPMG analysis with information from ITU and the US government.
Legal and regulatory experience:
• 1984 - First effective law, the Computer Fraud and Abuse Act (CFAA)
• 1996 - The National Information Infrastructure Protection Act (NIIA)
• 1998 - Digital Millennium Copyright Act (DMCA)
• 1999 - Cyberspace Electronic Security Act
• 2001 - Patriot Act
• 2002 - Cyber Security Enhancement Act (CSEA)
• 2003 - CAN-SPAM Act
• 2005 - Anti-Phishing Act
• 2009 - Cybersecurity report and policy released
• 2010 - Cybersecurity Act
Control framework: The NIST Framework saw growth in adoption and started to overtake ISO.
Main strength: Vision to coordinate cybersecurity among all states, with the creation of the Resource Center for State Cybersecurity, which offers best practices, tools and guidelines. Interagency partnerships and a cross-government security information sharing agreement: the Multilateral Information Sharing Agreement (MISA) binds government agencies from defense, health, justice, the intelligence community and energy to work collaboratively to enhance cybersecurity information sharing.
Industry collaboration: In 2008 the second annual Cyber Storm exercise was held, involving 9 states, 4 foreign governments, 18 federal agencies and 40 private companies; in 2009 ICANN (1) signed an agreement with the United States Department of Commerce; in 2010 the National Cyber Security Alliance ran a public awareness campaign; Internet Service Providers (ISPs) are encouraged to fight against cybercrime; the Federal Financial Institutions Examination Council (FFIEC) issued a Cybersecurity Assessment Tool in 2015.
Training | Certification: several private initiatives, NICCS Education, free government cybersecurity training, the National Centers of Academic Excellence (CAE) program, ICS-CERT.
Agencies to fight cybercrime: FBI, NIPC (2), NWCCC (3), IFCC (4), the Computer Crime and Intellectual Property Section of the Department of Justice (DoJ), the Computer Hacking and Intellectual Property Unit of the DoJ, and the Computer Emergency Readiness Team/Coordination Center (CERT/CC).
Incident reporting: Information sharing between private companies and the federal government through FS-ISAC; information sharing legislation passed by Congress.
International cooperation: The USA signed and ratified the Budapest Convention (European Union regulation) and participated in G8/OECD/APEC/OAS/U.S.-China meetings (outcomes to be signed).
WORLDWIDE CYBERSECURITY DIAGNOSTIC
CYBERSECURITY REGULATION (MALAYSIA)
Leading the ranking in terms of technical institutions and capacity building, Malaysia sets an important benchmark for other countries. The creation of the Information Security Certification Body, which manages information security certification, is one of Malaysia's key differentiators.
Source: KPMG analysis with information from the Malaysia Cybersecurity annual report 2015 and the Malaysian government.
Legal and regulatory experience:
• 1997 - Operation of the Malaysia Computer Emergency Response Team
• 1997 - Digital Signature Act, Copyright (Amendment) Act, Computer Crimes Act
• 1997-1998 - Communications and Multimedia Act
• 2001 - National ICT Security and Emergency Response Centre (NISER)
• 2005 - NISER established as a separate entity under the legislation of the Ministry of Science, Technology and Innovation (MOSTI)
• 2007 - Cybersecurity Malaysia
• 2008 - Electronic Transactions Act
• 2009 - Malaysia's Malware Research Center
• 2010 - Personal Data Protection Act
Control framework: The National Cybersecurity Policy (NCSP) covers the Critical National Information Infrastructure, certified under the Information Security Management System (ISMS) standard ISO/IEC 27001.
Main strength: Scores 100 on capacity building due to a range of initiatives in that pillar. Cybersecurity Malaysia, the government entity responsible for information security in the country, offers professional training via higher education institutions in Malaysia. It maintains the Cyberguru website, dedicated to professional security training.
Agencies to fight cybercrime: Cybersecurity Malaysia under the legislation of the Ministry of Science, Technology and Innovation (MOSTI), the Malaysia Computer Emergency Response Team (MyCERT), CyberDEF.
Incident reporting: Cyber999 Help Centre
Industry collaboration: annual CSM-ACE (public-private community partnership event); "National Security Council Directive No. 24: Policy and Mechanism of the National Cyber Crisis Management".
Training / Certifications: MyCC Scheme, based on the Common Criteria ISO/IEC 15408; CSM27001 Scheme, based on the Information Security Management System (ISMS) ISO/IEC 27001; Malaysia Trustmark, based on the WTA Guidelines; Cyber Security Professional Development Program.
International cooperation: involved in regional collaborations among Computer Emergency Response Teams (CERTs) such as the Asia Pacific Computer Emergency Response Team (APCERT) and the Organization of Islamic Cooperation Computer Emergency Response Team (OIC-CERT).
WORLDWIDE CYBERSECURITY DIAGNOSTIC
CYBERSECURITY REGULATION (OMAN)
During the last 15 years, Oman built a high-level security strategy, a master plan and a complete roadmap, evolving from a targeted country for cybercrime to a robust entity.
Source: KPMG analysis with information from ITU and the Oman government.
Legal and regulatory experience:
• 2002 - The Telecom Act
• 2008 - The Electronic Transactions Law
• 2011 - The Cyber Crime Law
Control framework: The Oman Information Technology Authority has an official cybersecurity framework based on the ISO 27001 standard.
Main strength: Establishment of the eGovernance Framework, a set of standards, best practices and process management systems that enhance the delivery of government services in alignment with the mission of e.oman. The framework spells out the rules and procedures that ensure that government IT projects and systems are sustainable and in compliance with the Information Technology Authority (ITA) strategies and objectives.
Agencies to fight cybercrime: Oman Computer Emergency Readiness Team
Incident reporting: Oman Computer Emergency Readiness Team
Industry collaboration: Cyber Security Information Exchange
Training / Certifications: Oman National CERT with strategic collaborations with ISC, SANS and EC-Council; 350 public sector professionals certified; 7 government and public sector agencies certified.
International cooperation: ITU, FIRST, APWG, Malware alliance, GCC CERT/OIC CERT
DIGITAL TRENDS IN MEXICO
DIGITAL TRENDS & DISRUPTION IN MEXICO
INTERNET PENETRATION IN MEXICO
The number of Internet users in Mexico has grown at a CAGR of 9.8% over the past 5 years, mainly driven by the millennial generation. The increase in connectivity has spurred the growth of the Mexican digital economy.
Source: KPMG analysis with information from INEGI, CISCO, FMI and OEDE
Internet users went from 5% in 2000 to 59.5% in 2016. For the past five years, Internet users in Mexico grew at a two-digit CAGR.
Today 75% of mobile phones are smartphones due to their reduced cost and increased functionality and connectivity. As connectivity grows, the exposure to attack increases, as each smartphone becomes a potential target for cyberattacks.
Typically people between 18 and 24 years old use the Internet with the highest frequency, but penetration is also very high for the generations between 12 and 34 years old. On average, Mexican Internet users spend 7 hours a day on the Internet, an increase of an hour compared to one year ago.
A program promoted by the Mexican Federal Government, "Mexico Conectado", was launched in 2014 to increase access to free broadband Internet. This program is working to reduce digital gaps within the country through the deployment of more than 100,000 public Internet access points.
[Figure: Mexican Internet users as a percentage of total population: 2012 41%, 2013 46%, 2014 46%, 2015 47%, 2016 60% (CAGR +9.8%).]
[Figure: Internet users in Mexico per age group, percentage (age groups 6 to 11, 12 to 17, 18 to 24, 25 to 34, 34 to 44, 45 to 54 and 55+).]
D I G I T A L T R E N D S & D I S R U P T I O N I N M E X I C O
MOBILE PENETRATION IN MEXICO
Smartphone adoption has grown as technology has evolved. Whereas for 2015, 50% of total connection numbers weresmartphones, this number is expected to exceed 70% by 2020.
Not subscribed
Mobile internet 3G+4G subscribers
Mobile internet 2G subscribers
Voice only subscribers
Smartphone penetration (% of connections)
Source: KPMG analysis with information from GSMA Intelligence and OECD
Over the years, Mexican users have become loyal smartphones customers, growing at 3 digit CAGR since they started as the technology hasevolved. There is an expectation for the usage of this devices to continue growing at a 7% CAGR from 2015 to 2020.
Along with technology evolution, customers usage has migrated through different stages. Not only non subscribed users are expected tobecome less than 16% of total population but also 3G + 4G has become the most used technology, expecting to achieve more than 60% ofthe mobile audience by 2020.
Mobile penetration in MexicoPercentage of population
2000
88.0%
12.0%
33.0%
67.0%
40.0%
41.0%
22.0%13.0%
8.0%
63.0%
16.0%
11.0%
36.0%
31.0%
7.0%
12.0%
0 0
30 30
60 60
90 90
10 10
40 40
70 70
100 100
20 20
50 50
80 80
2005 2010 2015 2020
DIGITAL TRENDS & DISRUPTION IN MEXICO
IoT OVERVIEW IN MEXICO
IoT technologies have been gaining importance not only within countries but also for entire regions. The IoT market size in Mexico is expected to exceed 4 billion USD by the end of 2017.
Source: KPMG analysis with information from IDC
Latin America's IoT market share almost reaches 2% of the worldwide industry. Mexico's IoT market represents more than ¼ of the Latin American share.
The IoT market in Mexico is expected to grow at a 26% CAGR from 2016 to 2017, reaching 4.16 billion dollars by the end of the year. This growth is expected to be mainly driven by interest in IoT technologies for industrial use cases.
Investment in IoT technology will be mainly driven by the most impacted industries, including transportation, manufacturing and energy applications.
IoT market share, percentage: USA 43.3%, China 28.6%, other countries 26.5%, Latin America 1.2%, Mexico 0.4%.
IoT market size in Mexico, billion dollars: 2015 1.90; 2016 3.30 (+73.7%); 2017 4.16 (+26.0%).
CYBERCRIME IN MEXICO
CYBERCRIME VULNERABILITY IN MEXICO
58% of Mexican CEOs do not feel confident about their cybersecurity preparation. The impact of cybersecurity incidents on the Mexican economy exceeded 3 billion dollars in 2016.
Source: KPMG analysis with information from CANIETI, PONEMON, INEGI, LexisNexis Millennials and Kaspersky.
Mexico is ranked as the 2nd country in Latin America with the most cyberattacks within a year.
The Mexican economic situation, along with FDI and GDP figures, is expected to increase the interest of cyber attackers. Because of its strategic position and links with North America, Mexico is an attractive target for nation-state espionage groups.
The 2018 Mexican presidential elections could serve as a trigger for cyberattacks against government and political parties' websites.
Millennials are considered a high risk for sensitive and confidential data in the workplace: they represent 39% of the total population, they do not use additional security systems to lock their mobile devices (83%), and they tend to carry a lot of personal information on their smartphones and other connected devices.
Risk of leaks / attacks on sensitive and confidential data in workplaces, 2017 (greatest risk per age group / population percent):
- 18 to 34 (millennials): 55% / 39%
- 35 to 50 (gen X): 25% / 26%
- 51 to 69 (baby boomers): 20% / 10%
CYBERCRIME IN MEXICO
CYBERCRIME OVERVIEW IN MEXICO
Nowadays, reporting an incident not only fails to lead to a real solution but may also amount to a public demonstration of weakness.
Source: KPMG analysis with information from CANIETI, PONEMON, INEGI, Norton, LexisNexis Millennials and Kaspersky. (1) Information based on Kaspersky's Mexican clients.
Because current regulation and institutions still have room for improvement in generating reaction plans, reporting an incident nowadays not only fails to lead to a real solution but also implies demonstrating a weakness; thus the number of real attacks is expected to be significantly higher than research shows.
In 2016, 39.1% of computer users were affected by malicious programs, whereas the 10 safest countries had an average of 16%.
Cyberattacks are not only becoming more frequent within Mexico, but they are also becoming more expensive.
[Figure: Most common cybercrimes that consumers experienced, 2016: mobile device theft, password theft, hacked email.]
[Figure: Cyberattacks in Mexico, total maximum incidents per day (1), September 2017, by category: spam, network attacks, on-demand scan, local infection, web threat, infected mail, vulnerabilities, botnet activity.]
CYBERCRIME IN MEXICO
FINANCIAL CYBERCRIME IN MEXICO
Online financial fraud is constantly increasing in Mexico, with a CAGR of 70.3% over the past 5 years, representing ~65 million dollars in financial impact.
Source: KPMG analysis with information from CANIETI, CONDUSEF, PONEMON, INEGI, LexisNexis, Arbor Networks and Comisión Nacional Bancaria y de Valores (CNBV)
In 2017, 100% of millennials have been concerned about identity theft, 91% about stolen credit card information, and another 91% have very limited faith in financial institutions' ability to protect their data.
Out of USD 64.94 million claimed for online fraud, online retail operations are responsible for half of the total.
There was a large increase in cyber financial fraud cases in 2017, with a CAGR of 70.3% over the past 5 years.
Between 60% and 70% of Mexican financial institutions received extortion threats, and it is estimated that 15% actually paid.
In Mexico, banks lost 150 million pesos due to attacks in 2015, 2016 and 2017 together, but the recovery could be higher.
Financial fraud claims, thousands (traditional / cyber / total):
- 2013: 1,303 / 188 / 1,490
- 2014: 1,116 / 233 / 1,349
- 2015: 1,379 / 304 / 1,684
- 2016: 1,835 / 837 / 2,672
- 2017: 1,763 / 1,678 / 3,341
Total claims grew at a 22.4% CAGR over the period.
[Figure: Total cyberattacks, percent by industry, 2017: financial, telecommunications, retail, insurance, ICS, other.]
[Figure: Total claims for cyber-financial fraud, percent by industry, 2017: Internet operation, cell phone payment, Internet retail, personal operation, cell phone bank.]
CYBERSECURITY OVERVIEW IN MEXICO
GENERAL REGULATORY FRAMEWORK (pillar: Legal)
In 2017 there is no specific incentive to improve companies' cybersecurity measures, but when they comply with a self-regulation scheme, authorities are softer when imposing penalties or sanctions for any breaches that occur.
Source: KPMG analysis with information from dlapiperdataprotection, the Council of Europe and expert reports.
Authorities:
- Creation of Mexico's Computer Emergency Response Team (CERT-MX) under the jurisdiction of Mexico's Armed Forces, responsible for protecting critical infrastructure, managing cyber incident response, investigating electronic crimes, analyzing evidence and responding to digital threats that would affect the integrity of critical networks.
- Specialized Information Security Committee.
- The Federal Institute for Access to Information and Data Protection (Instituto Federal de Acceso a la Información y Protección de Datos, IFAI) and the Ministry of Economy (Secretaría de Economía).
- Scientific Division of the Federal Police (División Científica), which operates forensic and criminology laboratories in coordination with the nation's intelligence agencies and monitors and investigates cyber offenses, in particular identity theft, child pornography, cyber fraud and phishing.
- Coordination Center for the Prevention of Digital Crimes (Coordinación para la Prevención de Delitos Electrónicos), which monitors and protects critical infrastructure.
- Data Protection Authority in Mexico (INAI), in charge of resolving any disputes arising from the exercise of personal data rights.
Legal:
- Federal Criminal Code: it contains a specific chapter related to cyberthreats that provides criminal penalties for persons who use, reproduce, distribute, store, sell or lease, among other conducts, copyrighted material in a malicious way, seeking financial gain and without the corresponding authorization. The Federal Criminal Code also regulates as the crime of sabotage the damage, destruction or harming of roads, public services or state services; steel, electric or basic industries; and centres of production or distribution of weapons, ammunition or military equipment, with the aim of disrupting the economy or affecting the country's defense capability.
- Law of Credit Institutions: it sanctions diverse actions that affect any kind of financial payment instrument (e.g., credit or service cards) or the information contained on them. Violations may result in 3 to 9 years' imprisonment and a monetary penalty.
- Telecommunications law: telecommunication licensees should be able to handle requests for information, geographic localization and private communication surveillance.
- Federal Law on the Protection of Personal Data held by Private Parties: it is regulated by the Regulations to the Federal Law on the Protection of Personal Data held by Private Parties (Reglamento de la Ley Federal de Protección de Datos Personales en Posesión de los Particulares). Every private party, individual or organization that processes personal information is obliged to appoint a data protection officer. The regulation applies when the data controller is located in Mexican territory, or processes data on behalf of a Mexican data controller, or, as a consequence of Mexico's adherence to an international convention, uses means located in Mexico to process personal data (unless such means are used only for transit purposes). It applies to private individuals or legal entities that process personal data, and not to the government. Violations of the law may result in monetary penalties or imprisonment from 3 months to 5 years.
CYBERSECURITY OVERVIEW IN MEXICO
MEXICAN CYBERSECURITY MARKET OVERVIEW (pillar: Technical)
During the last 5 years the cybersecurity market has become more fragmented, with many competitors joining in. Currently not a single Mexican company is among the market leaders; the main solutions are delivered by leading multinationals.
Note: (1) Hardware could include data centers, routers and servers; software relates to email, malware, intrusion protection and VPN; services cover management, compliance, defense and cyber response.
Source: KPMG analysis with information from Gartner and cybersecurity experts.
Market players by segment (hardware and software companies, technology services, risk consulting, security administration):
• Cisco Talos
• Intel Security (McAfee)
• IBM
• KPMG Cárdenas Dosal, S.C.
• Scitum
• BlackBerry
• Dell (SecureWorks)
• PricewaterhouseCoopers
• Kio Networks
• Nokia
• Microsoft
• Deloitte
• Bestel
• ZeroFOX
• Symantec
• Accenture
• Axtel
• Arbor Networks
• Trend Micro
• Atos Origin
• Guidance Software
• Tata Consultancy Services
• TrapX
• Trustwave
• Darktrace
• FireEye
• Nuix
• WhiteHat Security
• MetricStream
• T-Systems
• Verizon
• AccessData
[Figure: main solutions (1) positioned by hardware, software and services, from commodity product to innovative leaders, including SCADA/ICS security.]
CYBERSECURITY OVERVIEW IN MEXICO
LEADING CYBERSECURITY COMPANIES IN MEXICO (pillar: Technical)
IBM has invested in two data centers in Mexico and Microsoft is doing the same this year. Services and digital services (cloud, SaaS, etc.) are the new products these companies are focusing on.
Source: KPMG analysis with information from Nexis, Factiva and annual reports.
Even if the cybersecurity market is mainly occupied by players such as Cisco and Symantec, newer companies like Palo Alto Networks, Fortinet, Proofpoint and FireEye will keep growing in the SaaS sub-segment.
There are 4 cyber insurance companies in Mexico: Zurich/XL, Chubb, AIG and GNP. They mainly cover direct damage: loss of income, digital asset replacement and blackmail. They also cover third-party damage: stolen data, civil liability for web content, security breach expenses and legal costs.
Cisco Talos
- HQ: Mexico City and Reynosa (factory)
- Net sales in Mexico (USD): 7,459.07m (2015)
- Increase in revenue in 2016: 3%
- No. of employees: 130
- Insight: $4 billion worth of expansion in Mexico between 2016 and 2018, expected to create 270 jobs and 77 indirect jobs.
Intel Security
- HQ: Mexico City and Jalisco (factory)
- Net sales in Mexico (USD): 24.99m (2017)
- Increase in revenue in 2016: N/A
- No. of employees: 350
- Insight: In 2017 Intel sold a majority stake in McAfee to free the company to spend more time on core areas while still retaining a foothold in the cybersecurity world.
Microsoft
- HQ: Mexico City and one innovation center in Nuevo León
- Net sales in Mexico (USD): 211.56m (2013)
- Increase in revenue in 2016: N/A
- No. of employees: 505
- Insight: In 2017 Microsoft acquired Hexadite, a technology provider for automating responses to cyberattacks, and the company opened a facility to fight cybercrime in Latin America with a new cybersecurity center in Mexico.
IBM
- HQ: Mexico City, Monterrey and Guadalajara campus
- Net sales in Mexico (USD): 549.9m (2013)
- Increase in revenue in 2016: -14.5%
- No. of employees: 4,500
- Insight: In 2017 IBM is shifting its core products to cloud computing, cybersecurity and data analysis to mitigate the decrease in sales of hardware and software.
49
C Y B E R S E C U R I T Y O V E R V I E W I N M E X I C O
GOVERNMENTAL STRATEGY (1/2)
The growth and complexity of cyberattacks in the last years have forced governments and organizations to be more proactive on cybersecurity and commit to it as a key element within its security processes for the digital transformation.
Source: KPMG analysis with information from OAS, Wilson Center and Mexican government and BBVA.
National Security Program 2014-2018 (Programa para la Seguridad Nacional 2014 - 2018)
- Initiated in 2013-2018 Plan for Development (Plan Nacional de Desarrollo 2013-2018) by current president Enrique Peña Nieto,- It was created the Specialized Information Security Committee with the purpose to draft the National Strategy for Information Security,- The program is focusing on protecting and promoting national interests. Main promises were: - Promoting actions to prevent and combat cyber-attacks, - Strengthening mechanisms for preventing incidents in the Federal executive sites, - Maintaining compliance and development of procedures to evaluate and strengthen the performance of the response teams to incidents, - Improving human capital skills and technological infrastructure to address cyber security incidents, - Establishing international cooperation on cyber security and cyber defense in particular with North American countries to prevent and address attacks on the computer systems of the country.
The Financial Technology Law (Ley Fintech)
- The Fintech sector was not prepared to receive attacks, so a new regulation was necessary. Most Fintech companies handle private data from their clients such as names, addresses, mobile phones, signatures and accounts, which makes them a perfect target.
- The new law, released in October 2017, aims to regulate crowdfunding and tech-enabled payment platforms. It should help banks reduce their operating costs, but above all crowdfunders and startups will be mandated to report the credit information of their clients. The purpose is to give banks and clients more transparency, formality and information to put an end to money laundering and banking fraud.
GOVERNMENTAL STRATEGY (2/2)
The National Cybersecurity Strategy is a first framework document built to evolve in response to technological evolution and social dynamics in the short, medium and long term.
Source: KPMG analysis with information from OAS, and Mexican government.
National Cybersecurity Strategy (Estrategia Nacional de Ciberseguridad, ENCS) to 2030
- The ENCS, published in November 2017, is a cross-cutting strategy articulated around the 2013-2018 National Development Plan, the Close and Modern Government Program (Programa Gobierno Cercano y Moderno 2013-2018), the National Public Security Program (Programa Nacional de Seguridad Pública 2014-2018) and the National Security Program (Programa para la Seguridad Nacional 2014-2018).
- Its purpose is to strengthen international cooperation, the economy, society, government and national security. The document is aimed at civil society, universities, the private sector and public institutions.
- The Mexican government will have the support of the Inter-American Committee against Terrorism (CICTE) of the OAS.
- Several recommendations were made for the strategy, among them: state the high-level objectives, support it at the highest level of government, establish a clear institutional framework, include the application of federal and state legislation on cybercrime, and promote cybersecurity education.
- To reach its main goal, the ENCS defines 5 strategic goals, whose development requires 8 cross-cutting axes based on 3 main principles.

Cross axes:
• Cybersecurity culture
• Capacity development
• Coordination and collaboration
• Research and development in ICT
• Standards and technical criteria
• Legal framework and self-regulation
• Monitoring and measuring

3 main principles:
• Human rights expectation
• Risk management focus
• Multidisciplinary collaboration with multiple players

Cybersecurity subcommittee regulator tasks:
• Approve and publish the Strategy
• Follow up and coordinate the implementation
• Spur the inter-institutional cooperation framework
• Promote cooperation among civil society, the private sector, the technical community and universities

5 strategic goals:
• Economy and innovation
• Society rights
• Public security
• Public institutions
• National security
CYBERSECURITY INFRASTRUCTURE IN MEXICO (1/3)
AT&T made an important move into Mexico in 2015, buying Iusacell and Nextel. They are building an LTE-M network in Mexico ready at the end of the year which is expected to reinforce the infrastructure and increase connectivity options.
Source: KPMG analysis with information from INEGI, IFT, Euromonitor and BMI
Mexico's geography makes it difficult to roll out infrastructure and bring investment to rural areas; however, growth is maintained in the country with the investment in network expansion led by AT&T.
The mobile market is expected to end 2021 with 109mn subscribers, a 9.5% CAGR, the driver being data services (3G/4G subscribers).
In 2014, Mexico showed a direct relationship between ICT adoption and economic unit size (number of employees). Micro companies were 97.6% of units, small 2% and medium 0.4%, but the lack of policy in small companies could lead to security incidents.
Telecommunication mobile landscape in Mexico from 2015 to 2021 (3G & 4G phone subscribers, thousand subscribers; forecast from 2017; +9.5% CAGR):
2015: 63,600
2016: 74,730
2017f: 83,847
2018f: 92,986
2019f: 99,774
2020f: 105,062
2021f: 109,895

Yearly growth rate of non-residential fixed broadband connections by technology in 2015 (growth percentage): fiber optic, DSL (copper) and coaxial; values shown on the chart: 106%, 52% and -3%.

Computer and internet adoption by economic unit (EU) size in 2014:
Up to 10 employees: computer 20%, internet 16%
11 to 50 employees: computer 86%, internet 81%
51 to 250 employees: computer 94%, internet 92%
251 or more employees: computer 96%, internet 94%
CYBERSECURITY INFRASTRUCTURE IN MEXICO (2/3)
With the prospect of a number of uncertainties with regard to the US market and its future policies, México could see opportunities for the creation of a regional hub to offer outsourcing services, datacenters and cloud computing.
Source: KPMG analysis with information from INEGI, Euromonitor and BMI
Computer manufacturers are expected to show a 3% CAGR from 2016 to 2021 due to retail cannibalisation by tablets and low-end notebooks. However, server sales should increase at a 6.87% CAGR in the same period, driven by cloud applications. In general a positive outlook is expected from 2017 to 2021, supported by the increase in middle class income and a positive demographic development, with the population aged 15-64 forecast to increase at a CAGR of 1.4% from 2018 to 2021.
According to the 2020 forecast, growth for the industry will come from a boost in cloud computing, the main inhibitor being relatively high broadband charges. However, an exit of the US from NAFTA would be a massive blow to the Mexican electronics industry.
Other inhibitors to continued growth include logistical challenges (distribution of physical computer components, tablets and smartphones), informal retail and economy, and security issues.
Total computers manufactured in Mexico from 2009 to 2021 and total electronic components manufactured in Mexico from 2009 to 2021 (billion pesos; each chart stacks exportation and manufacturing for national consumption or storage; forecast from 2017; growth labels shown: +9.8% and +10.0% on the historical series, +3.0% on both forecast series):
2009: computers 13.61, electronic components 5.47
2010: computers 15.24, electronic components 6.83
2011: computers 13.65, electronic components 6.55
2012: computers 13.39, electronic components 7.22
2013: computers 15.29, electronic components 7.49
2014: computers 21.92, electronic components 8.09
2015: computers 24.07, electronic components 9.58
2016: computers 24.81, electronic components 9.87
2017f: computers 25.56, electronic components 10.18
2018f: computers 26.34, electronic components 10.48
2019f: computers 27.14, electronic components 10.80
2020f: computers 27.97, electronic components 11.13
2021f: computers 28.82, electronic components 11.47
CYBERSECURITY INFRASTRUCTURE IN MEXICO (3/3)
Driven by private sector initiatives as well as public sector initiatives such as Prosoft 3.0 (1), implemented in 2014, the ICT market is expected to reach USD 58bn in 2024.
Charts: Total software sales in México from 2015 to 2021 (billion pesos); total services sales in México from 2015 to 2021 (billion pesos).
Note: (1) PROSOFT seeks to support IT companies in growing their competitiveness at national and international level and in sustaining their growth toward long-term objectives. Source: KPMG analysis with information from Euromonitor and BMI
Mexican enterprises will see strong growth in data analytics and cybersecurity. Manufacturers are looking to offset losses in hardware with increasing demand for software and services. From 2015 to 2021 the CAGR for the software industry is estimated at 9.4%.
Increasing dependence on information in the public and private sectors will generate demand for integration and consulting. In addition, cloud computing and IoT will drive faster growth.
Total software and services sales in México from 2015 to 2021 (billion pesos; forecast from 2017; software +9.4% CAGR, services +8.3% CAGR):
2015: software 61.16, services 98.34
2016: software 67.42, services 104.38
2017f: software 72.49, services 111.82
2018f: software 78.32, services 119.69
2019f: software 85.82, services 129.45
2020f: software 94.75, services 143.56
2021f: software 104.79, services 158.78
CYBERSECURITY TRAINING IN MEXICO
There is currently a lack of around 157,934 trained professionals to fill employment positions associated with information technologies, specifically related to cybersecurity networks and operations; a number that should be slightly reduced by 2019, although there could still be 148,052 unfilled job positions.
Education and training in 2017
Most relevant cybersecurity certifications in Mexico
Source: KPMG analysis with information from IDC, CISCO (2017) and the Global Information Security Workforce Study (GISWS)
The main reasons for the worker shortage are expressed as follows: 35% say that qualified personnel is difficult to find, 45% say that the correct requirements are not understood by leadership, 46% say that business conditions couldn't support additional personnel, in 21% of cases security workers were difficult to retain, and in 39% of cases there was no clear information about a cyber security career path.
The main cybersecurity job position required in Latin America is the “Incident & Threat Management & Forensics specialist” with 63% of the votes.
In Latin America the training cost often falls on the employee, representing 44% of the total cost, whereas in North America it's only around 22%.
Education and training in 2017 (educational entity and career / major)

Educational entities: Instituto Politécnico Nacional; Universidad La Salle; Universidad Autónoma de Nuevo León; UNITEC; UNAM; Escuela de Inteligencia para la Seguridad Nacional del Centro de Investigación y Seguridad Nacional (ESISEN); Universidad Internacional de la Rioja (UNIR); Universidad Internacional de Valencia; Instituto Tecnológico y de Estudios Superiores de Occidente.

Careers / majors listed: Maestría en Ingeniería en Seguridad y Tecnologías de la Información (Instituto Politécnico Nacional); Licenciatura en Seguridad en Tecnologías de Información; Maestría en Seguridad de Tecnología de Información; Diplomado en Ciberseguridad; various; Maestría en Seguridad Informática (Online) (offered by two institutions); Ingeniería en Seguridad Informática y Redes; Maestría en Ciberseguridad.

Most relevant cybersecurity certifications in Mexico (institution: certification), grouped as security general knowledge, specialist and product / brand:
• ISACA: CISA, CISM, CRISC
• ISC: CISSP
• CompTIA: CompTIA A+, Security+
• CompTIA: Network+
• SANS: GIAC, GPEN, GWAPT
• EC-Council: CEH, CHFI
• CISCO: CCSP, CCNP, CCIP, CCDP
• RSA: Various
SECURITY CERTIFICATION IN MEXICO
In 2016, two main factors were motivating companies to seek certification: compliance with contractual requirements and generating a positive image and opinion. Information technology companies were the ones mainly seeking certification.
Charts: Registered certifications in Mexico from 2006 to 2016 (amount); global ISO 27001 certification share in 2016 (percentage).
Source: KPMG analysis with information from ISACA, ISO and experts
ISO 27001 (NMX-I-27001-NYCE-2015 is the equivalent Mexican norm) is an international standard with worldwide recognition which lays down the requirements for establishing an information security management system. It applies to any type of organization; however, its implementation and certification are optional. Cost can vary from $200,000 pesos to 1 million.
ISO 20000 is the first worldwide standard specifically created for IT Service Management (ITSM), establishing metrics to manage the services supported by Information Technologies. NMX-I-20000-1-NYCE-2012 is the equivalent Mexican norm.
ISO 22301 determines potential threats to an organization, impacts that could affect the operations of the business and provides a framework for building the capacity of organizational reaction in an efficient manner in case of eventualities. NMX-I-22301-NYCE-2015 is the equivalent Mexican norm.
For the main certification the CAGR was 43.2%. Other certifications are available for companies in México: PCI-DSS is a data security standard for the credit card industry, and PROY-NMX-I-27032-NYCE-2017 is a guideline for cybersecurity. In addition to these standards, the Sarbanes-Oxley Act must be satisfied by national companies that want to invest in the US stock market.
Fees for the main professional certifications (ISACA, CISSP) in Mexico range from approximately USD 500 to USD 650, plus a renewal cost.
Registered certifications in Mexico from 2006 to 2016 (amount). Main series (ISO 27001, +43.2% CAGR):
2006: 9
2007: 13
2008: 31
2009: 49
2010: 56
2011: 70
2012: 75
2013: 80
2014: 96
2015: 134
2016: 327
The chart also plots ISO 20000 and ISO 22301 series.

Global ISO 27001 certification share in 2016 (percentage):
• Information technologies: 73.3%
• Transport, storage and communication: 16.0%
• Other services: 4.5%
• Electrical and optical equipment: 3.5%
• Financial intermediation, real estate, renting: 2.8%
MEXICAN CYBERSECURITY SUMMARY
CYBERSECURITY OVERVIEW
Mexico currently has several improvements to make in terms of dedicated institutional structures such as a specialized public sector agency certified under internationally recognized standards. Capacity building could also be improved.
Note: (1) CICTE: Inter-American Committee against Terrorism, (2) CNI: Critical National Infrastructure, (3) there is no specific legislation on cybersecurity, but it is included in the FCC. Source: KPMG analysis with information from Cybersecurity-Are-We-Prepared-in-Latin-America-and-Caribbean.
Regulatory and other experience:
• 1931 (3) – Federal Criminal Code (FCC) contains chapters regarding theft, fraud, forgery, offences related to minors and disclosure of secrets; a later publication added offences against computers and systems and infringement of copyrights.
• 1990 – Law of Credit Institutions in relation to misuse of payment systems, illegal electronic transfer of funds and interception of private communications.
• 2010 – Creation of Mexico's Computer Emergency Response Team, CERT-MX, in charge of citizen complaints and incidents which could affect other countries.
• 2010 – Federal Law on Protection of Personal Data.
• 2014 – Conference on accession to the Budapest Convention on Cybercrime; Mexico hosted a workshop on the Convention in Latin America.
• 2014 – Telecommunications law (stipulates different data retention practices and provisions).
• 2014 – National Security Program to: strengthen international cooperation; identify, prevent and contain risks and threats to national security; improve human capital skills and technological infrastructure to address cyber security incidents.
• 2017 – First forum "Fortaleciendo la Ciberseguridad para la Estabilidad del Sistema Financiero Mexicano" on bank cybersecurity.
General control framework (not mandatory): cybersecurity framework based upon ISO 27001, ITIL and COBIT.
Achievement: In 2012 the Specialized Information Security Committee was created, in charge of the National Strategy for Information Security. Mexico has specific legislation on child protection: the Law for the Protection of Children and Adolescents. Sinaloa was the first state to regulate and punish cybercrime in the Mexican Republic.
Industry collaboration: CERT-MX established communication and cooperation directly with private institutions. The Directorate General of Digital Economy of the Ministry of Economy is also part of APEC's Electronic Commerce Steering Group. The Federal Telecommunications Commission (Comisión Federal de Telecomunicaciones, Cofetel) is part of APEC's Telecommunications and Information Working Group (APECTEL).
Training / certification: several certifications are available through the private sector. Specialized training is offered by the Police Development System of Mexico (SIDEPOL) and UNAM-CERT.
Agencies: the military department is enrolled in national cybersecurity. CERT-MX is involved in CNI (2) protection.
The Federal Police is responsible for investigating cybercrimes through its Cyber Police Unit. Other private entities that respond are UNAM-CERT and Scitum-CSIR.
Incident reporting: information sharing.
International cooperation: Mexico is a member of APEC, CICTE and OAS. CERT-MX is a key component of the global Forum of Incident Response and Security Teams (FIRST). Participation with other teams: Mnemo-CERT. Mexico remains an observer to the Budapest Convention.
SUMMARY: SURVEY AND INTERVIEWS
Cyberattacks are still a sensitive topic inside organizations. All professionals interviewed identify ways to reinforce Mexican cybersecurity and almost all of them see opportunities to improve cybersecurity for SMEs.
Note: (1) Specialized company refers to a company working only on cybersecurity matters.
24 specialists from 22 entities were interviewed; 7 interviewees from top management and the rest technical experts.
Sector selection was done in relation to the number of attacks. Some additional specialized companies (local and transnational) were chosen because of their technology and services knowledge. In addition, interviews were conducted with experts, universities and public institutions.
All the experts and directors were working in Mexico City (DF) due to the concentration of company headquarters there.
Most of the candidates asked to stay anonymous because of confidentiality policies.
Company names which can be revealed are: IPN, La Salle, Kolibërs, KPMG, Axtel, CNBV and Banorte.
Following the interviews we made an analysis and extracted guidelines for every chapter of the SWOT.
Charts: Company survey share and industry survey share (percentage of sector). Categories shown: bank (44.4%), independent consultant, energy, retail, telecommunication, specialized company (1), public / government, academy, industry, internal.
SWOT ANALYSIS OF CYBERSECURITY IN MEXICO
(L: legal, T: technical, O: organizational, C: capacity building, I: cooperation)

Strengths / Maintain:
• L - Current regulation covers the relevant cybersecurity axes, a good starting point for further regulatory development.
• L - Well established child online protection regulation.
• T - National, governmental and sectorial CERTs/CRITs/CSIRTs.
• T - Cybersecurity professional standards and requirements are clearly established.
• T - A Cybersecurity Council is currently being established.
• O - Recent publication of a new cybersecurity strategy (Estrategia Nacional de Ciberseguridad 2017).
• O - Strategic standardization initiatives across different states.
• C - Training courses available both face-to-face and online (university programs etc).
• I - Cybersecurity has already been identified as an area of focus and dedicated forums are beginning to take place.
• I - The development of a Cybersecurity Council is in progress.

Weaknesses / Solve:
• L - The law is not applied and crimes are not penalized.
• L - Laws have many key elements that are optional, not mandatory.
• L - Development and modification of laws take long periods of time.
• T - Use of outdated IT products & services.
• T - Lack of advanced cybersecurity technology.
• T - Lack of defined national cybersecurity standards (data protection etc).
• T - Low speed of innovation for new technologies compared to cyberattack sophistication.
• T - Long attack detection time.
• O - There is no party responsible for following up on cybersecurity incidents.
• O - Lack of a specialized authority to define and lead on cyber issues.
• C - Scarcity of cybersecurity specialists.
• C - Weak career offering for cyber specialization.
• C - Getting a certificate in cybersecurity takes a long time.
• C - Mexican society is largely unaware of cybersecurity issues.
• C - Few cybersecurity research centers.
• C - General staff within companies is poorly trained in cyber issues.
• C - Lack of budget to invest in cyber.
• I - Incidents are mostly not reported.
• I - Low levels of coordination between government, private sector and academia.

Opportunities / Take advantage:
• L - Active environment for setting new regulations.
• L - Cybersecurity standards required for trade transactions with some countries.
• T - International progress in technology products and services.
• T - Clear market with space for new participants.
• T - Fast technology evolution and increased requirements by clients.
• T - The country is experiencing an increase in e-commerce penetration, making cyber products/services more relevant.
• T - Cybersecurity insurance trends.
• O - Open environment derived from the recent publication of the National Cybersecurity Strategy (Estrategia Nacional de Ciberseguridad 2017).
• C - Mexican audience susceptible to awareness campaigns.
• C - Research investment globally that could foster alliances.
• C - Mexico is a country that attracts foreign investment (a total of US$30bn annually).
• I - Global trends of participation in international cooperation forums.
• I - Public and private sector alliances.

Threats / Protect:
• L - International attacks that cannot be penalized by Mexican law.
• L - Industries generating historic personal data.
• T - Increased dependence on technology.
• T - Availability of cybercrime as a service.
• T - Digital transformation boom across all industry and customer lifecycles.
• T - High cost of protection / weakest link.
• T - Incremental trends of made-to-order cybercrime.
• T - Cybercrime increasingly becoming more complex.
• O - International attacks more frequent.
• O - Recently published strategy developed at a high level, thus subject to interpretations.
• C - A lot of SMEs still cannot afford cybersecurity protection tools.
• C - Political cyber attacks.
• C - Organized and budgeted cybercrime.
• I - Mexico is identified as a US entry platform.
STRENGTHS - MAINTAIN
Dimensions: Legal, Technical, Organizational, Capacity Building, Cooperation
• Penalties / fines / prison: building a scheme of applicable penalties in accordance with other countries Mexico has a treaty with.
• Creating a dedicated unit of cybersecurity police to focus on industry-related crimes.
• Implement more robust Security Operations Center (SOC) services in order to improve incident response time.
• Using PROSOFT 3.0 as a cybersecurity platform to reinforce the different IT clusters.
• Promoting the National Cybersecurity Strategy across different industries, including key milestones for expected success.
• Increase the specific cybersecurity degree offering as well as legal degrees with a minor in cybersecurity.
• Universities offering students the possibility to strengthen their IT degrees with a minor in cybersecurity.
• Making certifications more affordable and closely aligned with Mexico's needs.
• Development of low cost open software within universities.
• Mexico should adhere to international cooperation agreements.
• Including cybersecurity topics within INADEM's meeting agenda to strengthen the cybersecurity business vision of the participants.
WEAKNESSES - SOLVE
Dimensions: Legal, Technical, Organizational, Capacity Building, Cooperation
• Create an institution responsible for supporting the judges involved in cyber trials in order to support their knowledge and understanding of the industry and facilitate decision making.
• Definition of stricter controls for segments of the regulation that are currently not obligatory (i.e. follow-ups on vulnerability/stress-testing).
• Establishing sponsors or advocates on behalf of the private sector to align information and interests ahead of meetings with regulators.
• Identify emerging technologies and tendencies in order to accelerate the regulatory changes required in the future.
• Regulation is needed related to infrastructure as well as software & apps.
• Software companies operate without sufficient controls; security measures and mandatory compliance rules are required.
• Development of cybersecurity tools for mobile devices, detection and monitoring of threats and response mechanisms.
• Need to create services that integrate various measures, ensuring an end-to-end solution as opposed to a short-term incident fix.
• Application of advanced tools such as Artificial Intelligence in order to better understand the security threats.
• Increased regulation or incentives in order for mobile carriers to improve their areas of activity and responsibility in reducing threats.
• Increasing awareness on behalf of the companies in order to improve their often obsolete infrastructure (critical as well) and upgrade to a better protected one.
• Understanding that sharing information is an imperative step to achieve better response speed.
• Generating appropriate policies and controls to achieve alignment with ISO 27001.
• Business strategy should integrate software, new generation firewalls, trained personnel and a designated security team led by a CISO.
• Establishment of a cybersecurity team aligned with core business decisions and supported by C-level executives. This team should be independent from the systems department to ensure a universal reach instead of an isolated effort. This recommendation does not depend on business size; it also applies to SMEs.
• Curriculum study focused on problem solving, not on specific products. Integral training with business vision and technical capacity.
• Bachelor's and master's degrees much more focused on the industry. Efforts with industry leaders to establish programs that bring talent to companies and encourage research.
• Include a strong cybersecurity component in the curriculum of all technology careers, mainly for developers.
• Master's degree offering connected with the business needs and development of the industry.
• Allocate more resources (public and private initiative) to research. Join efforts for the development of research centers.
• Provide training to all employees on the risks and mitigating actions for cybersecurity.
• Joint regulations that allow countries to comply, cooperate and monitor crimes.
• Establish a coaching system by those who are more advanced in cybersecurity and learn from their experiences.
OPPORTUNITIES - TAKE ADVANTAGE
Dimensions: Legal, Technical, Organizational, Capacity Building, Cooperation
• Provide more detail on the national strategy with specific regulations applicable to Mexico.
• Analyze main commercial partners in order to prioritize laws and agreements with those countries first.
• Development of biometric data technology to increase security and access measures.
• Initiatives to support public and private projects in the relevant/related manufacturing space, boosting in-house technology development.
• Develop a "settling-in team" with both technical and language knowledge in order to fully benefit from international cybersecurity solutions.
• Developing consulting services to support the tools, as tools on their own don't offer sufficient protection.
• Offering cybersecurity insurance policies.
• Encourage companies to build a business cybersecurity strategy regardless of their industry and current cyber risks.
• Internal SWOT analysis to identify main risks, weaknesses and threats, in order to define their investment budget protecting their key assets/capabilities.
• Strategy evolution towards prevention, detection and reaction.
• Business strategy alignment with digital transformation trends, considering risk mitigation plans for the main technologies such as IoT and Cloud Services.
• Awareness course(s) in all university degrees about cybersecurity impact and relevance of attacks.
• Improved awareness courses for companies and individuals.
• Increase the investment in communication to show the importance of investment in cybersecurity.
• Forums and events for C-level executives in order to raise their awareness about cybersecurity.
• There is an opportunity to exchange specialized knowledge with other countries.
• Partnerships between the public and private sectors.
• Efforts with other LATAM countries.
• Opportunity to work with Brazil or to establish itself as a leader in Latin America.
• Partnerships between universities in other countries to share information / learnings / career prospects.
• Public and private initiatives via joint events and forums.
THREATS - PROTECT
Dimensions: Legal, Technical, Organizational, Capacity Building, Cooperation
• Data protection regulation needs to be strengthened, especially for industries generating historic personal data.
• Definition of regulatory requirements per sector, focusing on the most impacted ones but also the ones that will experience an increasing number of attacks in the future.
• Developing international normativity and agreements that will allow prosecuting cyber-crimes in Mexico originated from another country / geography.
• Harmonizing federal and state laws, guaranteeing the protection of personal data and encouraging the exchange of information.
• Development of cost-effective SaaS for SMEs, as most commercial solutions remain costly.
• Development of intellectual property rights and replicable frameworks.
• Ensure new generation products and services account for the disruption caused by cyberattacks and thereby include improved solutions to confront them.
• Third party contracts should include clauses covering security breaches, related penalties and minimum requirements.
• Support the development of the cyber industry and infrastructure in Mexico in order to not send local information out of the country just because the solutions are being developed outside.
• Data and analytics as inputs for cybersecurity tools in order to prevent sophisticated attacks.
• Cyber exercises with red, blue and purple teams to improve their incident response training.
• SME strategy development covering at least the minimum security requirements for their largest clients / key data.
• Develop and offer security awareness programs.
• Automation trend of the security management processes within companies. Frameworks needed to generate automatic responses for the identified threats.
• Run attack simulations / phishing tests / ethical hacking.
• IT defined procedures within the companies to protect their cybersecurity integrity by penalizing errors.
• Events and forums looking to bring closer those sectors that have not yet been a priority for cybercrime.
• Report creation by the industry itself, to share among the participants in a mandatory manner and generate knowledge and alliances to deal with organized crime.
• Collaboration, sharing information between companies, nationally and internationally.
• Government support to SMEs in terms of financial support and knowledge assessment.
CONCLUSIONS
Increased digitalization and connectivity of the current environment make cybersecurity a key industry in terms of relevance and growth opportunities. This trend is at the same time contributing to a rise in cyber-attacks, so improved user and company protection is required. Mexico is, however, facing a perceived lack of awareness and incentives to invest in cybersecurity.
Note: (1) ENCS: Estrategia Nacional de Ciberseguridad, (2) data from interviews. Source: KPMG analysis with information from ITU, BMI, OECD and experts
Drivers
• Increased targeting of enterprises and government agencies by cyber-attackers.
• Increased state involvement in cybersecurity policies through compliance and regulatory requirement directives.
• Regional expansion of smart cities and digital infrastructure projects.
Inhibitors
• SMEs lack incentives to invest while cyber-attacks focus mainly on large businesses. The high cost of cybersecurity investment is beyond the means of most small and medium-sized businesses.
• Wide availability of unsecure pirated software and continued reliance on old, unprotected devices.
Opportunities
• Cybersecurity insurance policies could be a new product, ensuring companies a minimum awareness of the risk. Boost in-house technology development.
• Awareness course(s) in all university degrees about cybersecurity impact and the relevance of attacks.
• Provide more detail on the national strategy with specific regulations applicable to Mexico and strengthen laws and agreements with main commercial partners.
• Encourage companies to build a business cybersecurity strategy.
• More partnerships between the public and private sectors.
Challenges
• Shortage of cybersecurity professionals.
• Consumers and SMEs will continue to suffer from a lack of awareness of the sophistication of cyber threats.
• Anything that can be connected can be hacked.
• Rising adoption of cloud-based services and applications means that cybersecurity can be bundled in by service providers and not left to end-users.
• Proliferation of smart city projects will lead to an accelerated device replacement cycle and may accelerate the regulatory changes required in the future.
Cyber security fraud (2013-2017) CAGR: 70.3%
Investment around 2 o 3% ofIT budget in 2017 (2)
Products are available abroad (2)
Established the ENCS (1)
and can be updated
2017, Windows 7 users:market share was 43.5%
Only specialized degrees hadcybersecurity awareness (2)
Guadalajara Smart Connec-ted City initiative
In 2017, lack of 157,934trained professionals
Main Universities are for now: IPN, Unam, la Salle
Reliance on hardware morethan on awareness
Espected Cloud CAGR from2015 to 2021: 21.22%
Mexican companies uninfor-med about cyberattacks (2)
In 2016, 8 million IoTs
APPENDIX
KEY DRIVERS OF TECHNOLOGY TRENDS (GENERAL)
Tech trends are not aligned to a single time frame. In order to achieve IT success, it is vital to understand the difference between strategic/long-term trends, tactical/planning technology and organizational tech enablers.
Source: KPMG analysis with information from Gartner
The 3 levels mentioned above will intrinsically bring benefits, challenges and risks; thus, understanding not only the potential but also the effect of each trend will be crucial to manage connected cities, connected industries and connected people.
Trends, classified by level as STRATEGIC, TACTICAL or ORGANIZATIONAL:
- Disappearing data centers
- Interconnect fabrics
- Containers, microservices and application streams
- Smart Cities
- Industry 4.0
- Business-driven IT
- DCaaS: IT delivers services, not infrastructure
- Stranded capacity
- Urban operating systems
- Remote device (thing) management
- Micro- and edge computing environments
- New roles in IT
MAIN KNOWN CYBERSECURITY ATTACKS IN THE WORLD
In 2017, ¼ of business opportunities and 30% of companies' revenues were lost due to cyber-attacks.
Global financial impact estimate (in USD bn) 2000-2017, est. until 2021
Note: (1) Malware (malicious software) includes spyware, keyloggers, true viruses, worms, Trojan horses, browser hijackers, rootkits and malvertising.
Source: KPMG analysis with information from Symantec volume 22, Cisco annual report 2017, 2014 McAfee and CSIS economic impact of cybercrime report and several articles.
- 1998 (X): SolarSunrise, a systematic cyber-attack launched in the USA which seized control of over 500 government and private computer systems.
- 1999 (Virus): the Melissa virus infected Microsoft Word documents and automatically sent itself as an attachment via email to users.
- 2000 (DDoS): MafiaBoy hacked companies with high levels of security, which included the computer giant Dell, Yahoo, Amazon, eBay, Fifa.com and CNN.
- 2002 (Sniffer, wardriving): ShadowCrew was able to obtain the information of 45 million credit and debit cards; around 4,000 members.
- 2004 (Worms): Titan Rain; hackers were able to infiltrate several computer networks, including those at NASA. It opened the way for other hackers to infiltrate their systems, as they left backdoors on these machines.
- 2006 (Trojan): Operation Shady RAT hit at least 72 organizations worldwide, including the International Olympic Committee (IOC), the United Nations and various global defense contractors.
- 2011 (Phishing): Epsilon; the hackers' targets were the marketing giant's email addresses (staff and clients), which were later used for a range of criminal activities.
- 2016 (X): Tsar Team and Fancy Bear hacked the FBI, CIA and DHS to influence the USA presidential election; they stole the World Anti-Doping Agency's athletes' drug-testing information.
- 2017 (Ransomware, backdoor, spearphishing, malware (1)): WannaCry locked down all the files on an infected computer and asked the computer's administrator to pay in order to regain control of them.
- 2017 (Ransomware): Petya hit Ukrainian infrastructure particularly hard, disrupting power companies, airports, public transit and the central bank, just the latest in a series of cyber assaults against the country.
Global financial impact estimate by year (USD bn); 2018-2021 are forecast values:
2000: $1.2
2001: $40.0
2002: $0.3
2003: $226.0
2004: $56.0
2005: $7.0
2006: $11.1
2007: $24.7
2008: $0.1
2009: $40.6
2010: $2.5
2011: $6.0
2012: $111.3
2013: $2.7
2014: $445.0
2015: $0.7
2016: $815.0
2017: $1,129.8
2018 (forecast): $1,673.2
2019 (forecast): $2,100.0
2020 (forecast): $3,669.8
2021 (forecast): $6,000.0
CYBERSECURITY INHIBITORS IN MEXICO
In 2017, older, less secure software is still part of the Mexican landscape, leading to an unsecure environment for company and government technology adoption.
Desktop Windows versions market shares in 2017 (percent):
- Win7: 43.5%
- Win10: 38.0%
- Win8x: 15.2%
- WinXP: 2.9%
- Others: 0.4%
Perceived probability that digital data could be stolen in 2017 (frequency distribution): the categories are Low, Medium, High and Very high probability; the chart's values are 10%, 28%, 47% and 15% (the extracted chart does not preserve which value belongs to which category).
Source: KPMG analysis with information from CANIETI, BMI and CISCO
Consumers and SMEs will continue to suffer a lack of awareness of the sophistication of cyber threats; in 2017 most of them perceived that digital data had a low or medium probability of being stolen.
The recent WannaCry attack exploited weaknesses in older Windows XP devices and the relatively high penetration rate of XP-powered devices.
Enterprises' insufficient investment in anti-virus software for devices such as desktop and laptop computers, as well as more portable devices such as smartphones and tablets, could amplify the effect of a determined cyberattack.
The lack of qualified professionals was an inhibitor for full company and government technology adoption (an estimated 60% gap of missing cybersecurity professionals in 2017 and 64% in 2019, from the 37% IT demand shortage).