Managing cyber risks

THE LIST is long: the judiciary, the office of the Attorney General, the Telecommunications Services of Trinidad and Tobago (TSTT), the TT Postal Corporation, the Southwest Regional Health Authority, Courts and PriceSmart. These are just some of the entities that have fallen prey to cyber attacks or claims of attacks this year.

The breadth of this list – it includes public, quasi-public and private entities – tells a story. It is a reminder that all sectors face significant cyber risks that must be managed. Hackers care not about the legal status or nature of the entities they attack, but rather the potential for monetisation, notoriety and increasingly, given the shift in the global theatre of war from the real world to online, the potential for disruption. All are vulnerable.

We have known this for a while now. Last year, the Ministry of National Security reported a significant increase in attacks, especially ransomware.

In the years since the covid19 pandemic, when the world shifted heavily online, these attacks multiplied exponentially. It is believed 289 billion cyber threats affected Latin America in 2021. The first half of 2022 saw the Caribbean experience 144 million cyberattack attempts, according to experts.

The incident relating to Massy Stores in 2022 not only disrupted that chain’s operations, but also saw 704,047 corporate files released in what was said to be the largest data dump in the Caribbean at the time. Who can really say?

Part of the challenge in dealing with cybercrime is that a great deal of it is kept in the shadows by companies hoping it will simply go away. Leading tech journalist and Newsday columnist Mark Lyndersay warned last year that corporate culture on this issue remains “adamantly 20th-century.”

In the absence of the implementation of laws mandating companies to report breaches, it is hard to disagree.

There are lessons to be learned from TSTT’s recent experience, which culminated in the announcement on Tuesday of the appointment of a new CEO.

The company’s initial attempt to downplay the nature of what occurred, its hemming and hawing after its eventual confirmation that some data was compromised and its multiple attempts to justify its overall conduct – all of it constitutes a study of what not to do after a breach.

It is a reminder that what is at stake in cybersecurity is not just the protection of data but also the protection of a company’s goodwill. The threat is twofold, from without and within. This is critical if a company’s operations involve the management of sensitive data in the natural course of business, however routine the handling of that data may be.

While our laws and their implementation leave a lot to be desired, it is notable that some foreign-owned entities operating here do report data breaches to customers. They not only disclose such incidents, but also provide robust updates. That sort of practice needs to become the norm.

We hope the silver lining of recent events is that they help change corporate culture on disclosure.