Q&A: Latin American Financial Firms Lag on Security Spending

Level 3 is a U.S. company based in Broomfield, Colorado, that operates a fiber-optic cable network that spans continents, both under the sea and overland. It maintains an office and two data centers in the Colombian capital of Bogotá, and has been expanding in the country.

In January, Level 3 launched another data center in the western city of Cali, a prime location near the Pacific coast. Situated nearby a subsea cable landing station that the company activated in 2015, the expansion has given the nation access to its vast cable network at the bottom of the Pacific Ocean.

“We decided to add this data center in Cali because it is the main urban and economic engine for southwest Colombia,” said Felipe Gómez, Level 3’s data center and security director for the Andes Region. “Level 3’s fiber optic cable runs undersea for 300 kilometers to the seaport city of Buenaventura on Colombia’s Pacific coast and then 154 kilometers over land to the city of Cali, making Valle del Cauca an important area for a data center.”

Finance Colombia Executive Editor Loren Moss recently caught up with Gómez to discuss the evolution of data security and the growing sophistication of hackers. The financial sector is one of the most-targeted industries, and he says banks and other firms in Latin America are lagging behind their U.S. counterparts in terms of investing in security solutions.

Felipe Gómez, Level 3’s data center and security director for the Andes Region, says that DDoS attacks continue to plague the financial services sector. (Credit: Loren Moss)

Finance Colombia: What does Level 3 offer in the field of security?

Felipe Gómez: We have a complete solution from the point of view of security services. We have all the solutions handed over as a service, very much focused on the whole subject of perimeters, like firewalls, intrusion prevention systems, web application firewalls, all of that.

But really we have evolved a lot because we think that security has to go a bit beyond the perimeter. The perimeter has been disappearing with the arrival of mobile devices. That doesn’t mean that you don’t have to protect the perimeter, but we have realized that what we have to protect, in addition to the perimeter, is the network.

We have 320,000 kilometers of fiber in the world, and the majority of the internet traffic in the world passes through those 320,000 kilometers. On that fiber network we have placed more than 1,000 devices that allow us to detect an enormous quantity of threats.

So when we realized all the quantity of threats that pass through the IP traffic in the world, what Level 3 did was to set up nine cleansing centers — called “scrubbing centers” — and in those scrubbing centers what we do is we clean the traffic of the clients who have contracted the cleansing service. With absolute security, when an attack comes along for a specific client, we are able to detect that attack, clean it up at the nearest cleansing center, and deliver clean traffic.

Security has evolved. It’s not only at the perimeter level. Nowadays we also have it set up at the network level.

Finance Colombia: Talking about the financial sector in the world, how have you seen the attacks evolving, especially the sophistication of hackers? What changes have we seen in the last two or three years?

Felipe Gómez: What we’re seeing is that the attacks nowadays are much more sophisticated than they were in the past. There are many more of them. I mean, we’re seeing an increase in attacks. We thought that attacks would decrease, but what we’re seeing is that 40% of the attacks that we detect on the IP network are now DDoS attacks, which is incredible. I mean, unknown attacks — attacks that are not configured and had not been seen by anyone — and we’re beginning to see that 40% of those attacks are DDoS attacks.

Finance Colombia: What are the challenges to financial institutions — talking about stock exchanges, insurance companies, banks — to protect their data and at the same time to make access experience easier to their consumer?

Felipe Gómez: Well, it’s not a secret for anybody that the financial sector is the one most attacked, and it’s the sector that consumes the most in the area of information security, precisely because there is a quantity of very valuable information about wealthy clients. And obviously the financial sector has more protection, and the more protection you give, the more sophisticated the attacks become.

That’s why we think that the financial sector should be a bit more alert to all these denial of service attacks. All of these network attacks that we’re seeing nowadays are affecting the financial system to a great degree.

Finance Colombia: Are there any differences in the attacks or degrees of sophistication from one part of the world to another?

Felipe Gómez: No, no. This is global. What you find in Russia, what you find in China, what you find in the United States, it’s the same as what you find in Colombia.

Finance Colombia: In the Caribbean and in the Americas, do the entities understand the importance of protecting their systems? Or is it still a challenge to explain and sell?

Felipe Gómez: No, they understand it perfectly. The financial sector is the most advanced sector in the whole information security system. Historically it is the one that has invested the most, and I think it will continue to be the one that invests the most.

However, obviously the companies in Latin America are a little different to the companies in the United States. Although the attacks are the same, the investments are not the same as to the quantity of money they invest in this area. They invest a lot but I think they’re still a bit far from investing what a U.S. company invests in the area of denial of service and in the area of sophisticated attacks to the network.

Why? I think it has a bit to do with legislation. In the United States, when a bank is attacked and client data is compromised, the bank has to notify its clients that it was attacked and the data was compromised. That kind of legislation doesn’t exist in Latin America. Since that kind of legislation doesn’t exist, even if the banks are attacked and the data is compromised, they don’t have to inform clients that the data was compromised.

That makes a big difference in the investments that they make. Because when I have to tell the clients that the information was vulnerable, I’m putting myself at risk. When I don’t have to tell them that the information was compromised, I’m not taking a risk with the client. That makes a big difference.