verified Free Guide 2025 — LATAM Edition

Cybersecurity for Businesses in
Latin America and Central America

A practical guide featuring a checklist of controls, regulatory frameworks, an incident response plan, and an implementation roadmap for organizations seeking to protect their digital assets.

calendar_today 2025 Edition menu_book Sources: IBM X-Force, CIS Controls v8.1, NIST CSF 2.0, Kaspersky ICS CERT, ENISA public Focus: Latin America & Central America schedule Reading time: ~25 min

Contents of this guide

Section 01

Overview of Threats 2025

The global cost of cybercrime exceeded $9.5 trillion USD in 2024 and is projected to reach $10.5 trillion in 2025 (Cybersecurity Ventures). Organizations in Latin America are being targeted by sophisticated attackers who exploit the gap in security maturity.

$4.88M
Global Average Cost of a Data Breach
Source: IBM Cost of a Data Breach 2024
277 days
Average time to identify and contain a breach
Source: IBM X-Force 2024
74%
Of the gaps, some involve the human factor
Source: Verizon DBIR 2024
+40%
Increase in Ransomware Attacks in Latin America Compared to 2023
Source: Kaspersky 2024
3rd
LATAM is the third most targeted region globally
Source: IBM X-Force Threat Intelligence
68%
Of the SMEs in Latin America, do not have a formal incident response plan
Source: EY Global Information Security Survey
warning
LATAM Alert 2024–2025: Mexico, Brazil, Colombia, and Argentina account for 78% of ransomware attacks in the region. Costa Rica was the target of a state-sponsored attack in 2022 that paralyzed critical government services for weeks. Organizations that do not invest in active defense are next on the list.
Section 02

Threats Criticism of LATAM

These are the eight categories of threats with the greatest documented impact on Latin American organizations in 2024–2025, according to data from IBM X-Force, Kaspersky ICS CERT, and ENISA.

lock
Ransomware
Critic
Data encryption with ransom demands. Modern cybercriminals (LockBit, BlackCat, Clop) employ a two-pronged extortion strategy: they encrypt and exfiltrate data. The average ransom in Latin America exceeded $850,000 USD in 2024.
trending_up Sectors most affected in Latin America: healthcare, government, manufacturing, retail
phishing
Phishing / BEC
Critic
Business Email Compromise and targeted phishing (spear-phishing) account for 40% of incidents in Latin America. Attackers use AI to personalize highly credible messages in Spanish.
trending_up Top entry vector #1 in Latin America — often combined with credential theft
bug_report
Unpatched vulnerabilities
High
60% of security breaches stem from known vulnerabilities for which patches are available (ENISA, 2024). ProxyLogon, Log4Shell, and VPN/Citrix vulnerabilities remain active on networks in Latin America.
trending_up Patch cycles longer than 90 days are the norm in medium-sized organizations in Latin America
key
Credential Theft
High
Infostealer malware (Redline, Vidar, Lumma) collects credentials from browsers and applications. In Latin America, the initial access market sells corporate VPN/RDP credentials for $100–$5,000 USD.
trending_up Costa Rica, Mexico, and Colombia are among the top 5 in listings by initial access brokers
factory
Supply Chain Attacks
High
Compromising a software or service provider to gain access to multiple client organizations. The MOVEit attack (2023) affected more than 1,000 organizations globally, including entities in Latin America.
trending_up ERP, accounting, and CRM providers are common channels in Latin America
cloud
Incorrect cloud configurations
Medium
Public S3 buckets, exposed databases, API keys in repositories, and excessive IAM permissions are the most common causes of data exposure in cloud infrastructure in Latin America.
trending_up The accelerated migration to the cloud following the pandemic left unresolved configuration issues
person_alert
Internal Threats
Medium
Malicious or negligent employees access, steal, or destroy data. High employee turnover and remote work without proper controls have increased this risk. 34% of data breaches involve an internal component (Verizon DBIR 2024).
trending_up The financial and retail sectors in Latin America report an increase in internal fraud in 2024
smart_toy
AI-Driven Attacks
Medium (increasing)
Use of LLMs to generate personalized phishing emails, malicious code, and voice deepfakes for BEC. The barrier to entry for non-technical attackers dropped dramatically in 2024–2025.
trending_up High-quality AI-generated phishing in Spanish now outperforms basic human detection
Section 03

Checklist for Essential Controls

Based on CIS Controls v8.1. IG1 controls are the minimum acceptable standard for any organization. IG2 applies to organizations that handle sensitive data or operate in regulated industries.

Identity and Access IG1
MFA enabled for all remote access and corporate email Without MFA, stolen credentials are enough to gain full access. It's the security measure with the highest ROI.
Priority: Critical — implement within <30 days
Principle of Least Privilege (Access Only to What Is Necessary) Review and remove unnecessary access rights. No user should have administrator privileges for day-to-day use.
Priority: High
Updated inventory of privileged users and service accounts Forgotten accounts are a favorite target for attackers. Audit active accounts every 90 days.
Priority: High
Password Policy: Minimum 12 characters + complexity + no reuse Implement a corporate password manager (Bitwarden, 1Password for Business).
Priority: Medium
Endpoints and Devices IG1
Next-generation EDR/antivirus software installed and up to date on all endpoints EDR (CrowdStrike, SentinelOne, Defender for Business) detects malicious behavior that traditional antivirus software misses.
Priority: Critical
Operating system patches applied within <30 days (critical patches within <7 days) 60% of security breaches exploit vulnerabilities for which patches are available. Define a monthly maintenance window.
Priority: High
Disk Encryption Enabled (BitLocker / FileVault) on Laptops A lost or stolen laptop without encryption = a reportable data breach. Easy to implement, with a significant impact.
Priority: Medium
Complete inventory of assets: authorized hardware and software You can't protect what you don't know about. CIS Controls #1 and #2. Use an asset management tool.
Priority: Medium
Network and Perimeter IG1
Perimeter firewall with reviewed and documented inbound/outbound rules Close all unnecessary ports exposed to the internet. RDP (3389) and SMB (445) should never be open to the outside world.
Priority: Critical
Corporate VPN for remote access (do not expose RDP directly) An RDP exposed to the internet is the most commonly exploited entry point for ransomware. All remote connections must go through a VPN.
Priority: Critical
Network segmentation: Separating OT/IoT from the corporate network Cameras, printers, and IoT devices are common attack vectors. A separate VLAN limits the attacker's lateral movement.
Priority: Medium
DNS filtering to block malicious domains and C2 servers Cloudflare Gateway, Cisco Umbrella, or Pi-hole Enterprise. They block most malware and phishing attempts at the DNS level.
Priority: Medium
Data and Backups IG1
The 3-2-1 Backup Rule: 3 copies, 2 different media types, 1 offsite/offline Backups are the only real defense against ransomware. The backup must be isolated (air-gapped or immutable).
Priority: Critical
Backup restoration test at least once a quarter A backup that hasn't been tested isn't a backup. Run a recovery drill and document the RTO and RPO.
Priority: High
Data Classification: Identify Sensitive Data and Implement Additional Controls PII, financial data, and trade secrets require encryption at rest and in transit, restricted access, and auditing.
Priority: Medium
Detection and Monitoring IG2
Centralized logging: security events, accesses, and critical changes Without logs, forensic investigation is impossible. Basic SIEM or open-source Wazuh for medium-sized organizations.
Priority: High
24/7 Automatic Alerts for Critical Security Events Logins outside of normal hours, access from unusual IP addresses, privilege escalation. Detection time directly impacts the cost of the incident.
Priority: High
Dark Web Monitoring for Exposed Corporate Credentials Services such as Have I Been Pwned Enterprise, Flare, or a managed SOC alert you when your credentials appear on criminal forums.
Priority: Medium
Section 04

Frames of Reference

The three most relevant frameworks for organizations in Latin America, based on maturity and industry type.

Frame Focus Ideal for Complexity Cost
CIS Controls v8.1 18 prioritized and actionable controls. Based on real attacks. IG1 = "basic security." Small and medium-sized businesses just starting their program. Quick results in 3–6 months. Cancel Free
NIST CSF 2.0 Manage, Identify, Protect, Detect, Respond, Recover. Framework for communication with executives. Organizations with an established security program that seek to further develop their approach and communicate risk to the board of directors. Media Free
ISO/IEC 27001:2022 93 controls across 4 domains. Certifiable Information Security Management System (ISMS). Companies that require certification for contracts in the enterprise, financial, government, or healthcare sectors. Sign Up $15K–$80K for implementation + audit
lightbulb
Recommendation for LATAM: Start with CIS Controls IG1 (18 basic controls that can be implemented within 6 months using internal staff), then adopt NIST CSF 2.0 as a reporting framework for senior management. ISO 27001 should only be implemented when it is an explicit contractual requirement. Do not jump straight to ISO 27001 without first achieving maturity in the fundamentals.
Section 05

Regulations on LATAM

The regulatory landscape in the region has evolved rapidly. Noncompliance can result in fines, criminal liability, and reputational damage. These are the regulations that have the greatest impact on companies operating in Latin America.

location_on Costa Rica
Law 8968 — Protection of Individuals with Respect to the Processing of Their Personal Data
It regulates the collection, storage, and use of personal data. It requires explicit consent and appropriate security measures. PRODHAB is the supervisory authority.
warning Fine of up to ₡223M (~$430K USD) + civil liability
location_on Brazil
LGPD — General Data Protection Law (2020)
Equivalent to the European GDPR. It applies to any company that processes data from Brazilian residents. It requires companies to appoint a DPO, implement "privacy by design," and report data breaches within 72 hours.
warning Fine of up to 2% of revenue (max. R$50M ~$10M USD) per violation
location_on Mexico
LFPDPPP — Federal Law on the Protection of Personal Data Held by Private Parties
It requires a privacy notice, the data subject's consent, and security measures. The INAI is the regulatory authority with the power to conduct inspections and impose sanctions.
warning Fine ranging from 100 to 320,000 days' minimum wage (~$500K USD max)
location_on Colombia
Law 1581 of 2012 + Decree 1074/2015
It regulates the processing of personal data. The SIC (Superintendency of Industry and Commerce) oversees compliance. It requires data processing policies and database registration.
warning Fine of up to 2,000 SMMLV (~$600K USD) for serious noncompliance
public Regional
NIS2 Directive (indirect impact on companies with ties to the EU)
It applies to suppliers operating in the EU or serving European organizations. It requires risk management, incident reporting within 24 hours, and supply chain accountability.
warning A fine of up to €10 million or 2% of global revenue
account_balance By Industry
Sector-specific regulations: banking, healthcare, telecommunications
SUGEF (CR), CNBV (MX), and SFC (CO) have additional requirements for the financial sector, including DORA-equivalent requirements for operational resilience and specific cybersecurity controls.
warning Revocation of an Operating License in Serious Cases
check_circle
Practical tip: Implementing CIS Controls IG1 and a documented privacy policy covers 70–80% of the region’s regulatory requirements. You don’t need a dedicated legal team to get started—you need a robust technical security program.
Section 06

Response Plan Incidents

68% of organizations in Latin America do not have a formal plan (EY, 2024). Every hour without a structured plan multiplies the cost of the incident. This is the minimum viable framework.

01
Preparation
  • Define the Computer Incident Response Team (CIRT) and its roles
  • Establish alternative communication channels
  • Create a ranking tree with contacts
  • Document critical assets and their custodians
  • Define RTO/RPO by critical system
  • Conduct an annual tabletop exercise
02
Detection and Identification
  • SIEM/EDR Alerts Categorized by Severity
  • Initial Triage: Is It a Real Incident or a False Alarm?
  • Determine scope: How many systems?
  • Enable immediate intensive log collection
  • Notify management if Critical/High
  • Open an incident ticket with a timestamp
03
Containment
  • Isolate compromised systems from the network
  • Revoke Suspicious Credentials
  • Blocking Malicious IPs/Domains on the Firewall
  • Preserving Forensic Evidence (Disk Image)
  • Enable backups outside the compromised network
  • Document each action with a timestamp
04
Eradication
  • Identify the root cause (root cause analysis)
  • Remove malware, backdoors, and persistence mechanisms
  • Apply patches that closed the initial vector
  • Reinstall compromised systems from a clean image
  • Rotate all displayed credentials
05
Recovery
  • Restore from a verified backup
  • Validate the integrity of restored data
  • Intensive monitoring for 72 hours after recovery
  • Communicate with users and stakeholders
  • Notify regulators if applicable (<72 hours)
06
Lessons Learned
  • Postmortem within 2 weeks
  • Document the complete timeline
  • Identify ways to improve detection and response
  • Update playbooks based on what we've learned
  • Metrics: MTTD, MTTR, financial impact
warning
Most Common Errors in LATAM Incidents: (1) Failing to immediately isolate the compromised system—allowing the infection to spread. (2) Restarting servers before preserving forensic evidence. (3) Not having security provider contacts available outside of business hours. (4) Failing to execute the prepared communication plan—improvising during a crisis multiplies reputational damage.
Section 07

Roadmap for Implementation

A cybersecurity program is built in phases. This roadmap is designed for organizations in Latin America with 50–500 employees and limited resources.

1
Phase 1 · Months 1–3
Basic Hygiene — CIS IG1
  • MFA for email, VPN, and critical access points
  • EDR/Antivirus on all endpoints
  • Critical patches kept up to date (<7 days for CVSS >9)
  • Automated Backups with Restore Testing
  • Asset Inventory (Hardware + Software)
  • Password policy implemented using a corporate password manager
payments Estimated investment: $500–$3,000/month, depending on size | Maturity level: Basic
2
Phase 2 · Months 4–8
Visibility and Detection — CIS IG2
  • SIEM or centralized logging (Wazuh, Microsoft Sentinel)
  • Email security gateway with advanced anti-phishing
  • Network segmentation + firewall with IDS/IPS
  • Monthly vulnerability scanning of exposed assets
  • Security Awareness Training (Simulated Phishing)
  • Documented and tested incident response plan
payments Estimated investment: $2,000–$8,000/month | Maturity level: Intermediate
3
Phase 3 · Months 9–18
Continuous Monitoring and SOC
  • SOC 24/7 (in-house or managed as BorneoCR)
  • Threat intelligence integrated into the SIEM
  • SOAR for automating initial response (L1)
  • Annual external and internal network penetration testing
  • Formal Vulnerability Management Program
  • Quarterly Access Reviews + PAM for Privileged Accounts
payments Estimated investment: $5,000–$20,000/month | Maturity level: Advanced
4
Phase 4 · Year 2+
Resilience and Formal Compliance
  • BCP/DRP Program Tested Annually
  • ISO 27001 certification, if required by the business
  • Zero Trust Architecture (microsegmentation, ZTNA)
  • Brand protection monitoring + dark web monitoring
  • Red Team / Purple Team exercises
  • Supply Chain Security Assessments for Critical Suppliers
payments Estimated investment: $15,000–$50,000/month | Maturity reached: Optimal
Section 08

Upcoming Steps

Cybersecurity isn't a project with an end date—it's an ongoing practice. The three immediate steps with the greatest impact are simple, and their ROI can be demonstrated within weeks.

looks_one
Enable MFA for email and remote access this week. Cost: $0–$6 per user per month.
looks_two
Audit backups: Have they been tested? Are they isolated? Fix this this month.
looks_3
Request a free maturity assessment with BorneoCR to find out where your organization stands.
BorneoCR

Ready to protect your organization?

BorneoCR offers AI-powered AI-powered MDR for businesses in Central America and Latin America.
24/7 detection, incident response, and compliance—without having to maintain your own infrastructure.