Barbadian Businesses are Not Immune to Cyberattacks

Barbadians and Barbadian businesses should not believe that they are immune from cyberattacks, says Dwight Robinson, President of the Information Systems Security Association (ISSA) Barbados Chapter, an international non-profit for cybersecurity professionals dedicated to educating the public and its members about technology risk and protecting critical information and infrastructure. In fact, he says, current circumstances, both locally and internationally, have made such attacks all the more likely.

“Within the past year, year and a half, we’ve seen a large number of attacks on corporate companies here in Barbados and globally. Right now it feels like the Wild Wild West when it comes to cyberattacks. Every day you turn on the news, it’s a new attack on some company or some critical infrastructure. We’ve seen hospitals, law firms… even the MTA Transit system has been attacked recently as well. It’s been incredible.”

Robinson, who is an Assistant Manager in Risk Advisory at Deloitte, made clear that many of the attacks being seen are not being perpetrated by people acting alone. “They’re not just lone wolves out there on the internet looking to attack individuals. These are criminal enterprises, and that’s the structure right now. And that’s one of the reasons they can have such a strong reach in terms of attacking companies and individuals across the globe.” That is why he says local businesses must not be lulled by the idea that because of the size of the island or their business, that they will not be targeted.

This is particularly true in the COVID environment, he disclosed, citing two ways the pandemic has increased cyber risk. The first is that people’s desire to learn more can lead them to click on links or attachments in malicious emails purporting to offer information.

“We’ve seen a lot of phishing attacks, especially COVID-themed attacks, where they send emails to employees, luring them in, in terms of providing them with information that can look enticing on the topic of COVID – could be vaccines or COVID stats overall – and getting them to click on links or open attachments. And then they attack these organisations, spreading malicious software on these networks and exfiltrating data as part of the process, too.”

The second is that the increase in remote work has made some workers and businesses more vulnerable from both a technological and behavioural perspective:

“For businesses, it is difficult to secure these individuals the way they would normally. So people are at home, they are less focused on work. They’re more likely to click on an email and not pay attention that it is something malicious. They may also have a laptop that doesn’t have up-to-date software, too, and that then exposes the organisation.”

This confluence of factors has made it “Christmas for criminals”, the cybersecurity consultant and information risk evangelist says.

One policy measure that Robinson believes could help local businesses become aware of the severity of the risk would be to make it mandatory for businesses to report attacks against them.

“Here in Barbados, we don’t have the regulation that says attacks must be reported, so it’s difficult to quantify how prevalent attacks are here in Barbados. I think since 2018, we’ve seen a couple of attacks on supermarkets and individual firms, but the actual quantity is not numbered because we don’t know how prevalent they are.

“We don’t know how many companies have been attacked; we don’t know what types of attacks are prevalent, and I think that’s one thing that’s lacking, that framework that requires that attacks on companies be reported, to give a sense of businesses knowing how vulnerable they are and how prevalent attacks are here in Barbados so they can then say “This is serious. I’m not a small company anymore. I’m not just a five-employee organisation. I’m equally vulnerable to attacks, too’.”

Given the increase in cyberattacks, Robinson offered some advice to businesses on how they can protect themselves and mitigate their risk in this area:

“It really starts at the top. Having that stance, setting that tone at the top in terms of what’s important, what should be protected first as an organisation. That’s critical. It really starts with having a strategy, and that starts with understanding what’s most critical to your business in terms of what do you want to protect the most and also what criminals are most likely to go after. Depending on the organisation, you may have one that is geared toward financial resources, so then they may be looking to take money directly out of your systems. If you’re a company that’s focused on having sensitive data, they may try to steal sensitive personal data from your systems as part of the process. If you’re an organisation that has intellectual property, they may actually try to steal that to then resell it and gain a corporate advantage.

“It really depends on what your organisation is and what’s most critical. And that starts with having these businesses consider what’s most critical to them to protect, and then having a staggered approach where you protect your most critical systems and data first, and then other systems, you spend money on those systems as necessary. But it really starts by thinking critically about ‘How can I be attacked? And what’s most sensitive?’ and build out from there.”