Francisco Lomas has worked for sixteen years as Chief Innovation Officer at Kruger Corporation. Kruger has operated as a multinational enterprise in the technology industry for twenty-six years, with a presence in ten countries. Francisco brings extensive experience in the software sector, with a focus on Business Architecture, Technological Architecture, Software Architecture, Project Management, R&D, and more.
Thanks to his deep background in the technology world, we spoke with Francisco about his perspective on cybersecurity in Latin America, starting with the following question:
What is your opinion regarding cyber-attacks in Latin America?
It’s crucial for us, as technology companies, to build a culture of cybersecurity—and that’s the greatest challenge in LATAM. There are countries across the world that are far more advanced, primarily because they take cybersecurity seriously.
Interestingly, many of the most serious attacks originate from within our own infrastructure—that is, from internal actors or employees. This represents one of the biggest cybersecurity challenges in the region.
How would you compare Latin America to other regions that are more advanced in cybersecurity?
Latin America is not in a critical state, but there is a lack of awareness. Our cybersecurity practices often lack a strong cultural foundation.
For example, in many development processes across the region, secure coding practices are not commonly applied. In contrast, other countries are deeply committed to cybersecurity—and that’s largely thanks to education systems that embed these practices from the start. It has become part of their culture.
If we compare ourselves to countries like Israel, we’re certainly behind. We’re not at immediate risk of having everything stolen, but we could be doing much better. More investment in culture and research is essential.
What types of cybersecurity initiatives does Kruger undertake—internally and for clients?
Internally, we are very aware of cybersecurity needs. From the early design stages of any solution, we assess and define the required level of security. We also have minimum security standards in place. For example, no application is allowed to operate without SSL or TLS encryption. Additionally, authentication, authorization, and auditing processes are clearly defined and required.
We also keep our staff informed and are incorporating DevSecOps practices into projects—especially in customer DevOps environments—where testing and security are embedded throughout the lifecycle.
For our clients, we analyze their environment and level of exposure. Depending on the client—for instance, government institutions—they may already have defined security protocols. Others may not, and in those cases, we recommend foundational security measures. Our goal is to raise awareness about the dangers of neglecting cybersecurity, but we always communicate responsibly, avoiding unnecessary panic.
What technologies are currently available—or emerging—that can help small and medium-sized enterprises (SMEs) avoid cyber-attacks?
Cybersecurity is a necessity for all companies—large, medium, or small. Organizations must update their systems and seek professional guidance. Protecting only select types of information at random is not a best practice. That’s why we recommend starting with information classification, which is the first step in any effective protection strategy.
Another strong recommendation is to store information in the cloud. There are global providers offering these services, even in regions like Latin America.
Looking ahead, Artificial Intelligence is bringing in more autonomous cybersecurity services that can evaluate, prevent, and defend against threats. Large companies, such as Microsoft, are already incorporating AI into their antivirus solutions to detect hard-to-identify threats. Thanks to economies of scale, tools like Security Operations Centers (SOCs)—currently expensive in LATAM—will become more accessible to SMEs in the near future.
What low-cost cybersecurity practices can companies implement today?
It’s common to find companies that haven’t implemented basic protection systems, such as antivirus software—and that’s a problem. At a minimum, all company devices should have antivirus programs and firewalls. These are foundational security layers that should not be overlooked.
Also, companies must understand that hackers are after valuable information, which is why it must be protected. If neglected, the potential losses can be significant.
Finally, I recommend every company adopt and embed the Triple “A” principle—Authentication, Authorization, and Audit—as both a process and a cultural value. Understanding and applying this framework efficiently will significantly strengthen any organization's cybersecurity posture.
