Cybersecurity for the Border: Unique Risks Facing El Paso Businesses

El Paso’s business community has always operated at the intersection of resilience, grit, and cross-border opportunity. But that same geography—and the tightly woven family and industry ties that make it unique—also create cybersecurity challenges that don’t exist in too many other places in the country.

At Kosh, we’ve worked with logistics and manufacturing clients across El Paso and Santa Teresa long enough to know: cybersecurity isn’t just a technical challenge—it’s a cultural and operational one.

Cross-Border Data, Cross-Border Risks

While it’s common to think of “cyber threats” as global, El Paso businesses sit at a literal international crossroads. Data flows across borders just as freely as freight. And yet, many businesses don’t fully understand how regulatory compliance, data privacy, and supply chain exposure change when you’re operating in a binational context.

• Is your customer data stored in the U.S. or Mexico? / ¿Sus datos de clientes están almacenados en EE.UU. o en México?

• Are your vendors using cloud-based platforms headquartered elsewhere? / ¿Sus proveedores utilizan plataformas en la nube con sede en otros países?

• Do your IT policies account for both U.S. and Mexican regulatory standards? / ¿Sus políticas de TI contemplan las normativas de EE.UU. y México?

You don’t have to be a Fortune 500 company to face compliance scrutiny. Mid-sized manufacturers and distributors in this region are increasingly expected to meet security standards required by larger partners, often without the internal expertise to do so.

A few first steps / Primeros pasos importantes:

• Talk with your IT provider about where your cloud services physically store data. / Hable con su proveedor de TI sobre dónde se almacenan físicamente sus datos en la nube.

• Review contracts with vendors and partners to see what data compliance language is included. / Revise los contratos con proveedores y socios para identificar cláusulas sobre cumplimiento de datos.

• Ask your legal or compliance team (or consultant) about specific obligations under U.S. and Mexican laws. / Consulte con su equipo legal o de cumplimiento sobre las obligaciones específicas en ambas jurisdicciones.

Spanish-Language Phishing & Cultural Targeting

We’ve seen a rise in phishing scams and ransomware kits that specifically target Spanish-speaking users. These messages are getting harder to spot—they're not just bad translations anymore. They use familiar regional phrases, reference local logistics providers, and mimic vendors or government agencies in both countries.

Example / Ejemplo: A fake email claiming to be from “Aduanas El Paso” warns of a delayed shipment and links to a supposed tracking form. It’s written in fluent Spanish, references a real location, and looks like a normal business email—until you hover over the link and notice the URL doesn’t match the official site. The tone may also seem slightly off or overly urgent. Click it, and you’re hit with malware.

Estos correos pueden parecer legítimos, pero contienen señales de alerta:

• El remitente usa un dominio extraño. / Sender uses an unfamiliar or suspicious domain.

• El tono es demasiado urgente. / The tone is overly urgent.

• El enlace no coincide con el sitio oficial. / The link doesn’t match the official website.

This is where having bilingual staff and Spanish-language phishing awareness training matters. It’s not just about awareness; it's about knowing the cultural and industry-specific nuances attackers exploit.

If you're unsure what counts as a risky email or want to verify your current systems, start with a cybersecurity assessment.

El Paso’s Strength Is Also Its Vulnerability

If you’ve done business in El Paso long enough, you know relationships matter. This is a “Good Ol’ Boys” town in the best sense—built on loyalty, family ties, and taking care of your own. But that same trust can be exploited by bad actors.

The impulse to trust a familiar email address, to click on an invoice from a known supplier, or to skip multifactor authentication because “we know them”—that’s exactly the kind of environment attackers count on.

Instead of seeing this trust as a liability, we encourage our clients to extend that same loyalty to cybersecurity. Take care of your team, your vendors, and your customers by protecting the systems they rely on.

What to Do Next / Qué hacer ahora

1. Review cross-border data flows. Know where your information lives and what laws apply.

   • Ask your cloud provider about data residency. / Pregunte a su proveedor de nube sobre la ubicación de los datos.

   • Look for where your backups are stored. / Verifique dónde se guardan sus copias de seguridad.

   • Evaluate whether sensitive data is shared across border-operating partners. / Evalúe si comparte datos sensibles con socios que operan en ambos lados de la frontera.

2. Deploy Spanish-language cybersecurity training.

   • Go beyond direct translation—tailor training to real examples from logistics and manufacturing. / No se limite a traducir—adapte la capacitación a ejemplos reales del sector logístico y manufacturero.

   • Use phishing simulations that reflect common Spanish-language scam tactics. / Use simulaciones de phishing que reflejen tácticas comunes en español.

3. Vet your supply chain. A weak vendor link can become your biggest risk.

   • Ask: What cybersecurity protocols do you follow? / ¿Qué protocolos de ciberseguridad siguen?

   • Do you require MFA (multi-factor authentication) for your systems? / ¿Exigen autenticación multifactor (MFA)?

   • Have you had a security assessment or audit in the past 12 months? / ¿Han realizado una auditoría de seguridad en los últimos 12 meses?

   • If this is a new conversation, frame it around mutual trust: “We value our partnership and want to ensure we’re both protected.” / “Valoramos nuestra colaboración y queremos asegurarnos de que ambos estemos protegidos.”

4. Talk to a trusted advisor. You don’t need a full-time CISO to start building a smart roadmap.

   • At Kosh, we help organizations understand their exposure, plan improvements, and communicate security maturity to customers and partners. / En Kosh, ayudamos a las organizaciones a entender sus riesgos, planificar mejoras y comunicar su madurez en ciberseguridad.

   • Learn more about what cyber insurance does—and doesn’t—cover.

Cross-Border Compliance: What El Paso Businesses Need to Know

(Cumplimiento binacional: lo que deben saber las empresas de El Paso)

Logistics and manufacturing companies operating on the El Paso–Juarez border must manage cybersecurity risks while navigating a complex legal landscape that spans both U.S. and Mexican regulations.

Key Mexican Requirements / Requisitos clave en México:

• LFPDPPP: Consent for data collection, enforce ARCO rights, notify INAI of breaches, appoint a Data Protection Officer (DPO).

• Security Standards: While specific technologies aren’t mandated, aligning with ISO 27001 or NIST is recommended.

• Programs like NEEC: Trusted trader programs require secure data, personnel verification, and cargo monitoring.

U.S. Counterparts / Contrapartes en EE.UU.:

• State-specific laws like the CCPA (California), HIPAA (healthcare), and the new Maritime Cybersecurity Rules for transportation.

• C-TPAT (Customs-Trade Partnership Against Terrorism) aligns closely with NEEC for logistics and customs operations.

Shared Risk Areas / Áreas de riesgo compartidas:

• Breach Notification Timelines: Mexico requires notification within 72 hours; Texas allows 45 days. Are you ready for both?

• Data Flow: Under the USMCA agreement, data can legally cross borders, but each jurisdiction’s rules still apply.

• Vendor Compliance: You are liable if your vendor’s poor security causes a breach. Vet them thoroughly.

Best Practices / Buenas prácticas:

• Develop incident response plans that satisfy both jurisdictions.

• Conduct regular audits and update policies to reflect both national and international standards.

• Stay informed about Mexico’s pending cybersecurity law—it could shift expectations quickly.

In border cities like El Paso, cybersecurity isn’t just about defending your business—it’s about maintaining trust in a shared economic ecosystem.

El Paso businesses don’t just need generic IT support. They need partners who understand the regional dynamics—who speak the language, know the industries, and recognize the cultural terrain.

If that sounds like what your business needs, contact our El Paso team. / Si eso es lo que necesita su negocio, hablemos.

Resources for a deep dive into laws, regulations, compliance, and best practices for companies transacting between USA and Mexico.

Here are important official links and resources for exploring the most critical Mexican and U.S. cybersecurity, data protection, and cross-border compliance requirements and best practices:

Mexico: Official Laws, Guidelines, and Best Practices

• Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP)

  • Overview and official guidance (INAI, English):Guide to the Protection of Personal Data in Mexico (PDF)2

  • Privacy Impact Assessment Guide (INAI, Spanish):Guía para la elaboración de evaluaciones de impacto a la privacidad (PDF)1

• National Data Protection Authority

  • INAI (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales)2

• National Cybersecurity Strategy

  • Mexico’s National Cybersecurity Strategy (ENCS)3

United States: Official Laws, Guidelines, and Best Practices

• General Data Protection and Privacy Laws

  • U.S. Data Protection Laws Overview (DLA Piper)6

• Cybersecurity Standards and Best Practices

  • NIST Cybersecurity Framework and Resources5

• Customs and Border Security Programs

  • C-TPAT (Customs-Trade Partnership Against Terrorism) Program Overview (CBP)7

  • Mexican Long Haul Carrier C-TPAT Security Guidelines (CBP)4

Cross-Border and Bilateral Best Practices

• U.S.-Mexico Cybersecurity Cooperation and Best Practices

  • Exchange of Good Cybersecurity Practices Between Mexico and the U.S. (Center for Cybersecurity Policy)8

These resources provide direct access to official laws, guidelines, and frameworks for both Mexican and U.S. requirements, and offer insight into cross-border best practices and collaboration.

Disclaimer

The information contained in this communication is intended for limited use for informational purposes only. It is not considered professional advice, and instead, is general information that may or may not apply to specific situations. Each case is unique and should be evaluated on its own by a professional qualified to provide advice specifically intended to protect your individual situation. Kosh is not liable for improper use of this information.