A single cybersecurity gap may trigger a chain of attacks, resulting in significant financial and reputational losses for companies of all sizes.
Organizations are prone to the misleading belief that it is the size of the company that determines whether it is a lucrative target for cybercriminals. Yet threat actors rarely discriminate: they take advantage both of large businesses' ability to pay a ransom and of small companies' poor cyber defences.
To find out more about the importance of a well-managed cybersecurity program in small and large organizations alike, the Cybernews team interviewed Adriel Araujo, Co-Founder and CEO of Hackmetrix, which handles cybersecurity for startups.
How did the idea of Hackmetrix come about?
Alejandro worked as an Ethical Hacker and Security Consultant for a couple of American companies, asking himself: why is Latam so far from the security levels and standards of the USA?
He talked with Adriel, previously the founder of a regulated fintech startup that had to comply with cybersecurity regulations. Together they found a massive problem in the region and started developing a solution.
They discovered that cybersecurity was not designed for small companies but large corporations, leaving behind startups and digital companies with fewer resources and a limited budget.
SMBs need to pass audits and comply with regulations designed for big companies, not for small contenders. But, going deeper into the solution, both realized that automating the compliance processes made it possible to close the gap and level the playing field between corporations and startups.
Can you introduce us to what you do? What challenges do you help navigate?
At Hackmetrix we understand what it means for startups and small tech companies in Latin America to implement their security programs. That is why we developed our security compliance platform. We help them enforce security programs following international standards such as ISO 27001 and PCI DSS. We give them calm and certainty with an easy-to-use platform backed by security experts' support.
Implementing a security program allows you to prove that your business and your stakeholders are safe and secure.
Thanks to our platform, the compliance process between companies, corporations, regulators, and auditors is faster and more transparent than they could ever imagine.
Also, we know that technology is the backbone of these businesses. Safety in operations cannot be left behind. Our platform, backed by offensive security and ethical hacking experts, finds our customers' vulnerabilities and guides them to patch their security gaps, ensuring their tech infrastructure and applications are safe and comply with regulations. For example, the CNBV demands two pentests a year to comply with Mexico's Fintech Law.
With the support of our experts and the certainty in implementing security programs provided by our platform, we have the perfect advantage to make cybersecurity a success engine for digital companies.
Which vulnerabilities are you the most concerned about at the moment?
A supply chain attack is the most concerning vulnerability. But, first, we must remember that supply chains represent more than one connected platform between a customer and their service provider.
By compromising a single supplier, cybercriminals can hijack its distribution systems to turn any application it sells, any software update it pushes out, or even the physical equipment it ships to customers into Trojan horses. With one well-placed intrusion, they can create a springboard into the networks of the supplier's customers, sometimes numbering hundreds or even thousands of victims. And it is not just a one-off event: this vulnerability can turn into a domino effect, damaging additional platforms that share the same supplier.
Most IT supply chain attacks target small digital businesses and startups, because targeting corporations directly is more challenging due to their extensive security programs. Hacking a small supplier is therefore the perfect gateway to reach these large companies' assets.
How do you think the recent global events have affected your industry?
Both the pandemic and geopolitical conflicts boosted unprecedented growth in the cybersecurity industry.
We are seeing more and more countries developing regulations to protect information. Mexico's Fintech Law, Chile's RAN 20-10, and Colombia's External Circular 007 are the best examples. Venezuela and Peru are also trying to develop regulations. As a result, digital companies are forced to have security programs compliant with these regulations.
On the other hand, the demand for security programs is also rising among big companies and corporations' auditors, who want to ensure they will not be hacked through their suppliers.
In your opinion, what cybersecurity details are often overlooked by new companies?
Companies generally forget to validate users' roles, allowing users to access other users' private information or enabling privilege escalation attacks against their platforms.
They also commonly forget correct network and environment segmentation/segregation, exposing the Development and Staging environments to the Internet and configuring duplicated private keys. This common mistake gives an attacker the chance to use the less protected environment to study the system as an internal developer would. A successful exploit of an environment with improper segregation could put the whole company at risk.
It is common to find null authentication policies on API endpoints exposed to the Internet. In addition, the considerable complexity of microservices increases the difficulty of correctly handling user authentication and authorization across all the APIs a company exposes for its systems to work.
By the way, not all the issues are technical ones. For example, there are companies with outstanding technical security practices. Still, they do not run training campaigns for their collaborators to teach them about phishing emails and abuse of company trust relationships, or that they should never write their passwords down on notepads.
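The two API mistakes named above (an endpoint with no authentication at all, and an endpoint that authenticates but never checks the caller's role or ownership of the requested record) are easy to show side by side. The following is an added illustration written for this article, not Hackmetrix code; the in-memory user table, session tokens and request objects are constructed stand-ins for a real database, auth layer and web framework.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data standing in for a real user table and session store.
USERS = {
    1: {"id": 1, "role": "user", "email": "ana@example.com", "balance": 120},
    2: {"id": 2, "role": "user", "email": "bruno@example.com", "balance": 9000},
    3: {"id": 3, "role": "admin", "email": "ops@example.com", "balance": 0},
}
SESSIONS = {"tok-ana": 1, "tok-bruno": 2, "tok-admin": 3}


@dataclass
class Request:
    params: dict = field(default_factory=dict)   # query string / body
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


# --- Vulnerable: null authentication policy + missing ownership check -------
def vulnerable_get_user(req: Request) -> Response:
    """GET /users?id=N with no auth: anyone can read any record (IDOR)."""
    user = USERS.get(int(req.params["id"]))
    return Response(200, user) if user else Response(404)


def vulnerable_set_role(req: Request) -> Response:
    """POST /users/role: trusts the caller's own 'role' field (privilege escalation)."""
    user = USERS.get(int(req.params["id"]))
    if user is None:
        return Response(404)
    user["role"] = req.params["role"]
    return Response(200, user)


# --- Hardened: authenticate, then authorize against role and ownership ------
def authenticate(req: Request) -> Optional[int]:
    """Map a bearer token to a user id; None means unauthenticated."""
    token = req.headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return SESSIONS.get(token[len("Bearer "):])


def parse_id(raw) -> Optional[int]:
    try:
        return int(raw)
    except (TypeError, ValueError):
        return None


def hardened_get_user(req: Request) -> Response:
    caller_id = authenticate(req)
    if caller_id is None:
        return Response(401)
    target_id = parse_id(req.params.get("id"))
    if target_id is None:
        return Response(400)
    caller = USERS[caller_id]
    # Authorization: a user may read only their own record; admins may read any.
    # Deny before the lookup so a 403/404 difference does not leak which ids exist.
    if target_id != caller_id and caller["role"] != "admin":
        return Response(403)
    user = USERS.get(target_id)
    return Response(200, user) if user else Response(404)


def hardened_set_role(req: Request) -> Response:
    caller_id = authenticate(req)
    if caller_id is None:
        return Response(401)
    # Role changes are an admin-only operation; the caller's request body is
    # never trusted to state the caller's own privilege level.
    if USERS[caller_id]["role"] != "admin":
        return Response(403)
    target_id = parse_id(req.params.get("id"))
    new_role = req.params.get("role")
    if target_id is None or new_role not in ("user", "admin"):
        return Response(400)
    user = USERS.get(target_id)
    if user is None:
        return Response(404)
    user["role"] = new_role
    return Response(200, user)


if __name__ == "__main__":
    attacker = Request({"id": "2"})                                     # no token
    print("vulnerable:", vulnerable_get_user(attacker).status)          # 200
    print("hardened  :", hardened_get_user(attacker).status)            # 401
    ana = Request({"id": "2"}, {"Authorization": "Bearer tok-ana"})
    print("hardened, other user's record:", hardened_get_user(ana).status)  # 403
```

The hardened handlers make two decisions in order: first whether the caller is anyone at all (401), then whether that identity is allowed this object and this operation (403). Putting the authorization check in a shared helper rather than in each handler is what keeps it from being forgotten as the number of endpoints grows.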
Why do you think some businesses are unaware of the risks they are exposed to?
There are two types of companies: those that have been hacked and those that will be. The second group is the one oblivious to the risks. It's like those households that install an alarm system after being robbed. They will never risk losing their valuables again.
In your opinion, what kind of tests and checkups should every company conduct regularly?
First, we have to train our staff. No matter how complete and extensive the security program is, it only takes one member ignoring policies and procedures to become the gateway to the company's sensitive data. Therefore, to keep our assets safe, we have to ensure that each policy and procedure of the security program is being complied with.
We must perform frequent pentests to find and fix the security weaknesses in our tech infrastructure and applications. Doing so will save us time and headaches by avoiding a catastrophe.
What cybersecurity solutions will be trending in the next few years?
It is only natural for digital companies to seek growth and expansion. Therefore, the automation of procedures to reach their objectives more efficiently will grow in relevance. These companies were not born to protect users. However, they must do so. Therefore, AI-backed dev tools will become a hot and trending solution for the market.
What does the future hold for Hackmetrix?
We will be the leading cybersecurity company for Latam. From Tijuana down to Tierra del Fuego, startups and digital companies will have a cybersecurity guide that helps them pass corporate and regulatory audits so they can grow and expand while keeping their platforms safe and secure from the multiple risks of the digital world.