TO safeguard a business or organisation once meant simply having security guards, enhanced barriers and even vaults.
But in today’s world businesses and organisations must now keep safe beyond the screen. That means, ensuring safety in the cyber world.
Information now flows freely through cables whether that is your identity and or even your money.
So keeping safe for business and large organisations now, cyber experts Shiva Bissessar and Daren Dhoray agree, must include an assessment of cybercrime.
Britannica.com defines cybercrime as “the use of a computer as an instrument to further illegal ends, such as committing fraud, trafficking in child pornography and intellectual property, stealing identities, or violating privacy. Cybercrime, especially through the Internet, has grown in importance as the computer has become central to commerce, entertainment, and government.”
This definition includes cybercrimes such as electronic theft.
According to www.csoonline.com, cybercrime damage costs are expected to reach US$6 trillion by 2021.
Unlike csoonline, no true assessment of the debt cybercrime costs TT could be given since, according to Shiva Bissessar, managing director of Pinaka Consulting Ltd, there aren’t any statistics in TT indicating the extent to which large businesses and organisations are being affected by cybercrime.
Bissessar has worked with local telecommunications company TSTT and has a BSc in Computing and Information Systems and an MSc in Information Security. While, he said statistics are absent, it did not mean that activity was not taking place.
TT, like other places, he said, was also open to attacks like ransomware, worms, viruses and phising among others.
Daren Dhoray, director of Cybersafe Trinidad and Tobago, also believes some large organisations in TT fall prey to “the simplest of threats.” In e-mailed response to Newsday, Dhoray said, “Large organisations and or businesses in TT can be classified as those with employees ranging in the thousands and revenues in the millions and as such one would expect these companies to understand the importance of budgeting for cyber security. For the multinational / multi-regional companies this may be the case.
“This however, does not mean that our inherent ‘God is a Trini’ culture does not pervade even those large organisations who also fall prey to sometimes the simplest of threats. Unfortunately, we have seen some of these companies still using ‘free’ versions of software which often do not come with the full complement of cybersecurity features that you would need. There is also a very high incidence of ‘cracked’ software being used as well and that, in itself, opens up another Pandora’s box of issues both on the legal side and the security side.”
For him, employee education and training need to adequately address the cyber threats which “bombard us on a daily basis.”
Since, he added, no major business or organisation in TT today could function without opening an e-mail, PDF, clicking a link or visiting a website, every business or organisation was at risk of a cyber threat.
“Trinidad and Tobago is no different to the rest of the world when it comes to cyber threats. I have seen it all from phishing e-mails, ransomeware attacks, financial fraud scams, monitoring and listening, remote access, malware, viruses and the list goes on.”
safeguard continues on Page 20A
“Business and large organisations cannot operate (efficiently/effectively) without an internet connection and therefore this means every single threat that is developed and available online is a threat that can affect us here in TT.”
These everyday online activities, he said, “can be the catalyst for downloading a virus and infecting your computer and if proper tools aren’t installed then this threat can spread to the rest of the connected computers within the business.”
Dhoray said for businesses and organisations to keep safe in the cyber age investing in “proper software” was necessary. But employee education was equally important “as many threats have started from inside the organisation.”
Other ways businesses and entities could keep safe Dhoray said was by, depending on the budget, investing in a hardware based firewall; investing in an enterprise or business grade antivirus solution “as these versions of the software are often prioritised for updates and upgrades when compared to the cheaper home edition and the free versions.”
He also urged large organisations and business to put proper safeguards in place for employees bringing their own devices to work since “often these personal devices aren’t as equipped with cyber security software as those in the organisation and can therefore immediately pose a threat to the network.” Offsite backups should also be included as part of any cyber strategy as it would be the best option for fastest recovery in the event of a cyber attack. “Offsite backups or backups in the ‘cloud’ once done properly can help save business from having excessive (or any) downtime due to a cyber attack crippling their current network. There are many plans available to suit various budgets and needs,” he said.
While Dhoray outlined ways businesses and organisations could keep safe, Bissessar believes TT in its entirety has focused heavily on legislative development. Bissessar asked, “How can we bolster legislation to deal with someone or group once a bad action has been performed. What I want to see us focus on is the technical control. The technical control would prevent the bad things from happening and prevent an attack.”
He added more needed to be done around incident identification and management.
“Any entity operating in today’s environment from the big corporate entities and small SMEs’s need to be aware of the cybercrime threat and should know how they should respond if they fall victim to an attack. In that awareness or planning, they will come up with an incident response plan. It will vary from the big entity to the small entity as to how they come up with this plan,” Bissessar said.
Citing the recent Cambridge Analytica issue, Bissessar said it was sad to see the issue being politicised since it brought forward important questions the country needed to be thinking about right now.
“The issue of confidentiality and privacy of user data, not just on social media platforms, we talking about in a doctor’s office, in a lawyer’s office, in medical records, in any entity where users have their data stored. We need to understand how entities are storing user data. How they are potentially sharing it with third parties and how can the user become informed of how their data is being used. At the end of the day it is the client’s data. That whole Cambridge Analytica issue, we can’t just use it from the Facebook perspective. We have to look at it broader.”
TT also needed to look at how the Data Protection Act “can be put into sole proclamation so it can treat with some of the issues we see coming out of this. What is the role and function of the Information Commissioner Office in looking at and examining some of these issues that has been brought to the fore by the misuse of data examples.” The Data Protection Act was assented to in 2011 and partially came into force in 2012.
The focus on cybersecurity did not only extend to businesses and social media platforms but also to mobile applications and the users of these applications.
He said, “We are seeing a heavy push within TT towards mobile applications. Are we sure about how these mobile apps are being developed? People focus a lot on functionality and getting what if you click here. But they do not focus so much on the information security concept that needs to be taken into consideration when you’re talking about confidentiality and privacy of data.”
Cyber safety, he stressed, was a two-way street. The users of the mobile applications, Bissessar said, needed to be aware of the rights they give over to mobile applications. “You can’t say any more that you didn’t know. You need to look at what rights are you giving to this app. The end user agreement you sign on to that no one reads. There is this trust between these providers of these social media platforms/mobile apps/websites and the user where the user just wants to get the functionality of the thing without examining very closely what rights are they giving up to this thing that they want to participate in.”
But businesses, organisations and platform developers also had a responsibility in ensuring that their users understand their business model and how these organisation share users’ data with third parties.
For both Bissessar and Dhoray education was essential to cyber safety.
Dhoray said, “Lastly, employee education goes a long way in preventing some of the threats that are present today. This training does not have to be technical but should educate the average user about clicking on links within e-mails, using strong passwords, visiting certain sites at the office and downloading and opening files and executables. USB drives are also a haven for viruses and the simple act of just inserting it into a work computer can be the trigger for copying files on to the computer/network. Cyber criminals are also using very convincing social engineering tactics to trick the unsuspecting user so educating them about acts like these and having them contact IT whenever a hint of doubt may be present is often the best practice.”
While Dhoray believes that employee education is key and Bissessar does too, he also believes that developing a cadre of skilled information security experts is necessary for TT’s cyber safety.
“It is not an easy task, a very complex task but it not to say that we can’t get it done. We have brilliant lawyers, brilliant doctors and other professionals who are known worldwide, so why can’t we have an environment that can grow, nurture and produce brilliant information security experts,” he asked.