Strengthening cybersecurity for your business

Mark Lyndersay

BitDepth#1395


At the TT Internet Governance Forum in January, cybersecurity professionals considered the essentials of hardening ICT business systems in the session "The ART of Cybersecurity: Attacks, Risks and Threats."

Lieutenant General (ret) Vincent Stewart, director of the Port of Spain firm CyberEYE, warned that, "It doesn't matter how big or small you are; the cavalry is not coming. The adversary is interested in your network, and you are going to have to think your way through how you will defend that network.

"That adversary ranges from nation states to criminals to hacktivists to people who just want to make your life miserable."

Ricardo Martinez, chief revenue officer of the DigitalEra Group, warned of the changing motivations of black hat actors.

"Before it was kind of an honour or just an ego boost to say 'I hacked an organisation,'" Martinez said.

"Today it's, 'I got money in the bank and now I have my cryptocurrency and I can go buy a Ferrari with it;' so this is a very different kind of motivation driving these adversaries."

Insurance isn't a solution, he said.

"Businesses buy it as a way of avoiding doing anything to protect themselves. If something happens, I'll just tap into that. What we've seen from cyber insurance providers is that they are making it more difficult to tap into those resources. They won't just give you blank-check cyber insurance.

"Now they're asking to see your security programs. Show us that you have all these mitigating tools in place. You need a baseline of cybersecurity awareness and a program established before you can access it."

"What's also missing is an incident command structure," said Fortinet's Caribbean systems engineering manager, Emmanuel Oscar.

"In the private sector and even certain governments, there seems to be a lack of planning for disaster recovery or business continuity.

"When something happens, you don't just run around. We focus on what's happening. Usually, companies are most vulnerable when there's an incident and they have to look at a secondary type of attack. This is where partnership with experts or services can help and add value to your incident response. This is where co-operation in governance and between different islands and different entities can be important."

Key to incident planning for cybersecurity attacks, explained Anthony Peyson, president of the International Information System Security Certification Consortium's Caribbean Chapter, is knowing how long your organisation can continue before it fails.

"It is a difficult thing. I remember asking a CEO that question, and there was difficulty in answering it. Every CEO, every business owner doesn't want to think about something like that, but it's very important for you to think about that. How long would it take, so that you would know how much you will spend on the resources to protect your business?"

"Your best firewall is an educated workforce," Stewart said.

"There are some very basic things that organisations can do, no matter how much resources they have. They have to know what their network configuration looks like. They must have updated operating systems. They've got to have antivirus and malware protection. They've gotta educate their workforce. They can't be lazy about passwords. It's stunning to me. Organisations that I go into and the password is password. Some of them get really clever, and they do uppercase P and they add 1234 on the back-end and they think that that's sufficient.

"While you may not think your identity is important, the adversary wants your identity because they can use that to move laterally inside your organisation, inside your network. So how do we protect our identity?

"We don't change our phone numbers very often, and in many cases, if I've got your phone number, that's a pretty good start to understanding your identity. And building from there, to your e-mail, the address of your organisation.

"Corporations will probably, and maybe this is too stark, do the minimum. At least two organisations that I had the opportunity to look at had assessments that identified their vulnerabilities. They knew what the risks were, and they decided not to invest in mitigating that risk.

"Unless governments and institutions apply consequences for failure to act and hold these organisations accountable, they will continue to do only the minimum and only what will generate the revenue margins to keep their business in place. So I'm a strong proponent of holding organisations, corporations accountable with significant consequence, so they understand the loss of revenue when they are compromised."

Mark Lyndersay is the editor of technewstt.com. An expanded version of this column can be found there.
