OVERVIEW OF CYBER SECURITY IN PANAMA
By: Mario Preciado
The cybersecurity issues have gained renewed importance since the pandemic of the new SARS-CoV-2 virus causing COVID-19 disease has caused significant numbers of people to be working remotely through so-called “teleworking”. This situation has brought new threats to the work environment that threaten the security of information and internal processes of companies and organizations.
In the wake of the pandemic, cyber-attacks such as phishing, identity theft, social engineering, e-mail spoofing and the common and well-known ransomware, by cyber criminals have increased significantly, with a 140% increase worldwide. It is everyone’s responsibility to be alert to this reality, which can affect both companies and individuals.
Below, we will reflect on relevant aspects in Panama on this important topic. We will try to give a general overview of aspects such as legislation, strategies, among others.
Overview of Cybersecurity in Panama
The first important step that Panama took as a country was the creation in 2011, through Executive Decree No. 709, of the “CSIRT PANAMA” (Computer Security Incident Response Team), National Response Team to Information Security Incidents of the Panamanian State, which is responsible for investigations related to incidents affecting the security of computer and communication systems of State entities.
The National Strategy for Cybernetic Security and Critical Infrastructure Protection was later approved by Resolution No. 21 of 2013 of the National Council for Government Innovation. This document, issued by the National Authority for Government Innovation, describes the different risks faced by Panama in the use of Information and Communication Technologies (ICT).
The pillars of the strategy are:
- Prevent and stop criminal behavior in cyberspace or the use of it for any kind of crime or illegal acts.
- Strengthen the cyber security of critical national infrastructures.
- To promote the development of a strong national business network in cyber security, as a reference for the region.
- Develop a culture of cyber security through training, innovation and adoption of standards.
- Improve cyber security and incident response capability of public institutions.
Panama is a signatory to the 2001 Budapest Convention on Cybercrime, approved by Law No. 79 of 2013. This law refers to the convention on cyber-crime, terminologies, measures to be adopted at the national level, computer crimes, crimes related to child pornography, crimes related to infringements of intellectual property and related rights, among others.
The Criminal Code of the Republic of Panama in its Title VIII, on crimes against the “Legal Security of Electronic Media” categorizes crimes against computer security. Articles 289 through 292 establish the following crimes and their penalties: improperly access or use of a database, network, or computer system, and anyone who improperly appropriates, copies, uses, or modifies the data in transit or contained in a database or computer system, or interferes with, intercepts, obstructs, or prevents its transmission. Aggravating circumstances are also determined that increase the prison sentences.
We would like to take this opportunity to express our opinion on the need to develop legislation on this subject. Given the advance of technology, the aggressiveness and expertise of cyber-criminals, the two types of criminal offences mentioned above are highly insufficient. We need to update our laws to comply with the commitments made when we signed the Budapest Convention.
It is essential to remember that it is a serious mistake to assume that “this is not going to happen to me”. The threats to cyber security are real. In this digital age, individuals, small businesses, large companies and even governments are exposed to becoming victims of cyber-criminals. They face the threat of a breach or hacking of technological environments or data storage systems, through the use of ramsomware-based techniques, data breaches, malware, among others. Today’s cyber-criminals act in an organized manner in criminal networks known as the “Dark Web”. Therefore, it is extremely important to establish all possible security measures to avoid being the victim of an attack by cyber-criminals as much as possible.
The most common attempts of breach come by impersonation and are sent through emails. For that reason, we make the following recommendations that will work in your job environment whether you are in an office or teleworking.
Be vigilant, attentive, and observant. Make a good habit of checking and evaluating very carefully the appearance, information, and even spelling or unusual data that may be brought in by an email asking to open an attachment or a password validation.
It is not safe to open any type of communication that raises doubts. There is an attack called email spoofing that impersonates known domains. Even if you are dealing with a known domain, you must be very perceptive of what the message is saying.
Criminals have the technical ability to generate communications through any domain, even public ones, and from there anyone downloading the attachment can give entry to the virus, or electronic forms where you are asked for your passwords, so never give out passwords by email, or by phone, validate immediately with your technology advisor.
The recommendations for corporate environments are broad, however, we outline general recommendations for Directors, Managers or CTOs of companies below.
Assess and implement a methodology that allows the organization to generate guidelines to protect its information and anticipate unexpected events. The steps to implement this methodology are:
- Determine the possible risks and vulnerabilities of your systems.
- Implement and keep updated the appropriate antivirus and firewall software, SIEM monitoring systems.
- Vulnerability Analysis, Zero Day Protection Systems.
- Enable Sand Boxing for Mail Servers, Public DNS Analysis.
- Apply security certificates in our public and private environments.
- Use the best security practices based on User Authentication Protocol and Kerberos User and Password Authentication Protocol and on Double Password Authentication.
- Apply Security Consulting followed by application of recommendations, vulnerability tests.
- Provide training to employees on company safety policies, as well as keep technical staff updated.
- Implementing a Data Recovery Plan, and also finding out the recovery time it could take to recover a person’s or company’s data, anticipating the reaction to an attack, i.e., managing security incidents.
- Train your employees not to fall into the traps of spyware.
- Establish the methodology to maintain a backup of your information on site and additionally in the corporate cloud