Cybersecurity professional: Report cyberattacks

Cybersecurity professionals said it is necessary for businesses to report incidents of cyber attacks.

Ricky Duman director of pre-sales engineering at Digital Era Group said international companies that have not properly disclosed incidents of cyberattacks ran into problems and were even sued.

He was speaking at Amcham's HSSE conference, held at the Hyatt Regency, Port of Spain on Tuesday.

“Not every business does it,” he said. “They should, but they don’t.”

Duman added that there are two main reasons that you may have to report a cyberattack. One, you may have to, especially if there is personal information – credit card or personal home information.

“Every country in the world is forming some sort of regulation to address that,” he said.

The second reason is to improve collaboration between businesses and cybersecurity companies.

He said notifications of attacks help people become aware of the different tricks that hackers and scammers are using to fleece businesses and individuals out of their revenues.

He spoke about a trend called business email compromise – a phishing strategy intended to scam businesses by posing as a trusted figure who asks for a fake bill to be paid or for sensitive information for remote work.

"(For example) Hackers send out emails to the CFO saying there is a new bank, please transfer US$40,000 to the bank," he said. "Notification is for collaboration so people could be aware of it. If you notify the authorities properly you can recover that money and bring hackers to justice."

The panel discussion, The Business of Cybersecurity, also looked at the law for companies to report cyberattacks within 72 hours of the incident, in the Caribbean, and by extension in TT.

While it is not an obligation for the private sector to report breaches, it is encouraged as it boosts customer and shareholder confidence in the company.

Duman said companies in the US have been served with litigation for a lack of reporting.

On Monday it was reported that Austin, Texas-based software company SolarWinds Corporation and its chief information security officer Timothy G Brown were charged with fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities, stemming from a two-year long cyberattack.

TT has also been a victim of cyber breaches and attacks in recent months.

In August the Attorney General's office reported an attack on its systems. In April last year, supermarket chain Massy Stores also experienced a malware attack, which resulted in a shutdown of its loyalty card system. Hacking group Hive claimed responsibility for the attack, and dumped some 700,000 files on its website on the dark web, however, in January this year FBI officials said they seized the gang's website and released all its decryption keys to victims worldwide.

Learn from mistakes

In a separate session on the realities of the workplace, Gareth Lock founder of Human Diver – a company focused on bringing human factors to the diving industry – said it was necessary for a company to learn from mistakes, even more so than keeping clean sheets for accidents and incidents in the workplace.

“If you think about what you use to promote people in businesses it is invariably about liking metrics on productivity, not having incidents, all of the positive stuff,” he said. “When was the last time you celebrated someone making a mistake in their organisation?”

He said mistakes are bound to happen when operating in a novel space. He suggested that rather than counting incidents of “non-events,” leaders will benefit more from short metrics on learning.

“When was the last time we learned anything – a week ago? Two weeks ago? Six months ago? You mean we didn’t learn anything in six months? That is probably not a good adaptive organisation.”

“As a leader, you have to know what you want to reward, and it has to be about learning and improving and not about the status quo.”

Atlantic LNG CEO Ronald Adams added that while processes are important, it is necessary to balance the importance of procedures and the necessity of being flexible and learning from mistakes.

“There is a dilemma to manage that because procedures are important but it does not always go with the reality,” he said. “I think we need to find the way to communicate that in more spaces where we are operating, finding that right balance between the message that you have to follow procedures but that does not mean that they can’t be looked at; and we cannot wait until we have an incident before we re-look at that.”