Ecuador is in seventh place in Latin America’s cybersecurity standards. At the regional level, it is one of the last countries, only ahead of Venezuela and Bolivia, according to the Global Cybersecurity Index 2018 (GCI).
The GCI monitors compliance with the commitments made by 194 States parties to the International Telecommunications Union (ITU). Five areas are analyzed: legal, technical, organizational, capacity building and cooperation.
Ecuador is ranked 98 in the general list. Ecuador was rated with 0.367 points, which places it in the group of countries that have an average level of commitments made.
The report also notes that Ecuador has developed complex commitments and participates in cybersecurity programs and initiatives.
The study shows that there is still a visible gap between many countries in terms of knowledge for the implementation of legislation on cyber crimes, national cybersecurity strategies, computer emergencies with response teams, awareness and ability to disseminate strategies, capabilities, and programs.
In that sense, Ecuador, Venezuela and Bolivia are the three countries that lack a data protection law. Christian Torres, manager of Kryptos, a firm that prevents the leakage of confidential data with artificial intelligence, explains that the country’s position is also influenced because it housed Julian Assange.
Data security in Ecuadorian territory is still fragile, despite the fact that in 2013 the extinct National Secretariat of Public Administration issued the Government Information Security Scheme (EGSI), which mandated the mandatory use of standards ISO-27 000 for Information Security.
Despite this, 74% of public entities still store their information within their own structures, “without all the recommended securities to prevent loss of information, ‘hacking’, theft and cyber attacks,” explained the Minister of Telecommunications in recent days. Andres Michelena.
The plan is to incorporate these institutions into a centralized information complex of the National Telecommunications Corporation, within 6 months.
In 2019, the National Cybersecurity Strategy began to be delineated with the advice of the Inter-American Development Bank (IDB) and the NRD Cyber Security Consultant. Additionally, on September 19, the Government presented the draft Data Protection Law, following the theft of sensitive information from 20 million Ecuadorians, including deceased and 6.7 million children.
Rights, obligations, sanctions, access and security of personal data are some of the topics addressed by the initiative in 90 articles. Regarding security, it is proposed that the person in charge of the processing of personal data implements integral security practices. One of them is encryption, encryption or data encryption.
The government information security mechanism will include the measures that must be implemented in the case of processing personal data to deal with any type of threat. The initiative also seeks to reduce response times.
In the last case of data theft, for which the Ecuadorian company Novaestrat is investigated, the blocking of the server followed protocols and was done four days after the alert was received.
The draft Law states that the person responsible for the processing of the information must notify the Personal Data Protection Authority of a possible violation of the systems within three days after hearing the case.
Unjustified delays in the notification will be sanctioned. The Ecuadorian Association for Data Protection (AEPD) collaborated in the initial stages of elaboration of the standard.
The union raised three axes: recognition of the rights of the citizen over their personal data, responsibilities in the processing of data and create an independent control authority.
Governments, companies and civil society must take cybersecurity with great responsibility, since violations of personal data also represent significant losses of money, Torres said, adding that a law is not enough and that additional actions are needed to mitigate the maximum risks
Hugo Carrión, director of the Imaginar Center, which does research concerning the information society, says that the common mistake is to believe that cybersecurity is limited to setting secure passwords and renewing them frequently, when what you need to create is a digital culture .
The manager says that the concept of “information assets” (data and facilities) must be implemented in order to protect the data according to its level of relevance.