Central Bank Of Barbados
There’s no question that services in Barbados are becoming increasingly digital. More and more, in part because of the COVID-19 pandemic, people are doing their shopping, business, and even banking online. At the same time, we must be mindful of the vulnerabilities and risks that come along with greater digitisation.
As we noted in a previous article, Barbados and Barbadian businesses are not immune from cybersecurity concerns. Here, Dwight Robinson, President of the Barbados Chapter of the Information Systems Security Association (ISSA), an international non-profit for cybersecurity professionals dedicated to educating the public and its members about technology risk and protecting critical information and infrastructure, identifies the major cyber risks in Barbados and how businesses can mitigate them.
What types of cyberattacks are most prevalent in Barbados?
Ransomware attacks and BEC (business email compromise) are the most prevalent attacks in Barbados. Ransomware attackers encrypt data on a victim's computers and demand payment in the form of cryptocurrency. After payment, the victim is given decryption keys to decrypt their data.
BEC attacks are centred around an attacker gaining access to the email of key finance persons within an organisation to steal money. Once access is gained, fake invoices and requests for money transfers are sent using the email address of the victim.
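Because a BEC invoice genuinely comes from the victim's own mailbox, filtering on the sender address does not help; the control that does is checking the requested beneficiary against the vendor details the business already has on file and holding any change for out-of-band (telephone) verification. The following is an added example, not code from the interview or from ISSA, of such a finance-side screening step. The vendor master file, the payment requests and the callback threshold are all constructed sample values.

```python
"""Screen incoming payment requests against the vendor master file.

Added example (not from the interview or ISSA): a finance-side control for the
BEC pattern described above, where a compromised mailbox sends invoices that
look legitimate but carry the attacker's bank details. The sender address is
not the signal; whether the beneficiary matches what is already on file is.
All vendor records and requests below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VendorRecord:
    name: str
    bank: str
    account: str


@dataclass
class PaymentRequest:
    vendor: str
    bank: str
    account: str
    amount: float


@dataclass
class ScreeningResult:
    approved: bool
    reasons: list = field(default_factory=list)


# Constructed vendor master file; assumed to be maintained outside of email.
VENDOR_MASTER = {
    "Acme Supplies Ltd": VendorRecord("Acme Supplies Ltd", "BankA", "001-12345"),
    "Island Print Co": VendorRecord("Island Print Co", "BankB", "002-67890"),
}


def screen_payment(req, master=VENDOR_MASTER, callback_limit=5000.0):
    """Return a ScreeningResult. A request is approved only when the vendor is
    known, its beneficiary details match the master record and the amount is
    below the (assumed) callback threshold; otherwise every reason is listed so
    the finance officer knows what to verify by phone."""
    reasons = []
    record = master.get(req.vendor)
    if record is None:
        reasons.append("unknown vendor: onboard through the vendor-master process first")
    elif record.bank != req.bank or record.account != req.account:
        reasons.append("beneficiary details differ from vendor master: callback required")
    if req.amount >= callback_limit:
        reasons.append(f"amount {req.amount:.2f} at or above callback limit {callback_limit:.2f}")
    return ScreeningResult(approved=not reasons, reasons=reasons)


def approve_change(master, vendor, bank, account, verified_by_phone):
    """Return an updated copy of the master file with new beneficiary details.
    Refuses the change unless an out-of-band verification has been recorded,
    so an emailed 'we changed banks' notice alone can never alter the record."""
    if not verified_by_phone:
        raise ValueError("beneficiary change requires callback verification")
    updated = dict(master)
    updated[vendor] = VendorRecord(vendor, bank, account)
    return updated


if __name__ == "__main__":
    # Legitimate invoice: matches the master record and is under the threshold.
    print(screen_payment(PaymentRequest("Acme Supplies Ltd", "BankA", "001-12345", 1200.0)))
    # "Updated bank details" sent from a compromised mailbox: held for callback.
    print(screen_payment(PaymentRequest("Acme Supplies Ltd", "BankC", "999-00000", 1200.0)))
```

The point of keeping `approve_change` separate from `screen_payment` is segregation of duties: the person who receives the invoice can only flag it, and the master record changes only after a second person records the callback.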
And what types of cyber risks are commonly overlooked in Barbados that could affect businesses the most?
Third-party risks and misconfigurations are two of the most significant risks which face organisations in Barbados. Third-party risks are centred around vendor/consultant user accounts on in-house systems, outsourced systems housed by vendors and systems which interface with others managed by third parties.
Misconfigurations are often due to human error, but they are prevalent due to a lack of review. Ensuring new or ongoing systems are adequately monitored and reviewed is a critical risk management process often overlooked. Additionally, requiring technology staff also to function as security staff inherently causes self-review risks.
How has increased remote work due to COVID affected the need to address cyber risks?
Remote work has increased significantly due to the COVID pandemic. Businesses have shifted to remote work tools such as VPN (virtual private networks) and video conference tools like Zoom and Microsoft Teams to facilitate office connectivity and video communication. The shift to remote work has resulted in new systems and processes being adopted. In addition, some workers have had to shift to using personal computers and cellphones due to resource shortages. The result is misconfigurations of new systems deployed in a rush, computers which are not adequately monitored and updated, and customer data being sent insecurely on personal devices. These changes have all occurred while cyberattacks have increased, explicitly targeting these vulnerabilities and new systems.
Increased digital reliance has resulted in more communication in a digital format, creating more avenues for data to be compromised. In particular, more personal and financial data are being communicated via instant message, social media, and public email platforms. Sharing data in this way increases the opportunity for data to be retained longer than necessary, reused without proper consent, and for inappropriate access.
So, for businesses, and in particular financial organisations, in Barbados, how can they properly manage cyber risks?
To adequately manage cyber risk, it starts with having a strategy and having leadership and those charged with governance setting the tone at the top. In addition, defining a vision for acceptable cyber risks, prioritising crown jewel systems that are most important and aligning the people, processes, and technology to achieve this vision is crucial to success.
Should Internal Audit play a role in addressing Cyber risks?
Internal Audit is the third line of defence in businesses. They are charged with understanding the risks an organisation faces and assessing the capabilities for managing these risks. Unfortunately, for many small to medium organisations, the first two lines of defence are typically weak or non-existent. Because the first line of defence lacks a strong controls approach to processes, there is no consistent approach to risk mitigation. The second line of defence, risk management and compliance, is often limited in scope to financial risk and regulatory compliance. The overall result is a lack of a holistic approach to risk, of which cyber risk is often a top concern.
Finally, the elderly are being forced to use more technology. How can we keep them secure?
The elderly have been forced to use modern technology in their daily lives, so they must be taught how to do so safely. It's essential to have conversations with them about the importance of protecting data, managing passwords, and how to recognise cybercriminals and scams.