Cybersecurity in Mexico: The Public Sector's Invisible Gap
Cybersecurity in Mexico: The Public Sector's Invisible Gap
Cybersecurity today is a fundamental part of multinational companies, SMEs, universities, individuals, and government. Data privacy, system integrity, and security in general are essential for the correct operation of any digital service.
In recent months, I have been conducting research on internet visible applications. While analyzing various publicly exposed systems, I found a lack of essential security principles in web applications. I was able to identify some common misconfigurations, without serious repercussions in certain cases, but I also found critical vulnerabilities. What was most surprising was that some of what I found was present in a government entity's web application.
It is worth noting that these vulnerabilities did not arise from interaction with the systems, nor were there attempts to manipulate, exploit, or modify the affected services. The analysis was limited exclusively to observing information exposed publicly and accessible from the internet.
In this case, the findings stem mainly from improper handling of sensitive or private information that, due to configuration errors or improper exposure, became accessible without adequate protections.
At that moment, without hesitation, I tried to contact those responsible in various ways. First, I researched who the project leads (developers) were and tried to explain my concern directly. I continued this communication attempt for several weeks without success. Later, I expanded the contact to generic channels and technology departments of the corresponding state. For months, I tried to communicate the existence of these critical vulnerabilities without receiving a response at any time. To this day, I continue trying to establish communication to resolve it and avoid possible impact on people.
What is even more shocking is the little interest that seems to exist in addressing these types of critical errors. These vulnerabilities can be detected by anyone with internet access and basic security knowledge. What is alarming is the type of information these entities handle, and the limited attention, resources, and priority given to the cybersecurity of their systems.
It is concerning to know that government entities managing such sensitive data do not keep basic security principles in mind. The government should establish stricter standards to protect these fundamental rights, such as personal data protection, and implement effective communication channels to handle vulnerability reports from researchers, professionals, or anyone seeking to help.
So, what can be done to improve this? It is necessary to prioritize cybersecurity in government systems, but also in companies, including SMEs. Today, all organizations generate, collect, and process data in one way or another, so protecting that information should not be optional, but a basic standard.
The integrity of systems managing this data needs to be prioritized by incorporating security practices from the design phase, strengthening review and response processes for reports, and promoting a real culture of prevention instead of reaction. Only then will it be possible to reduce risks and build more reliable systems for all users.