Optimising a company’s cybersecurity investment

ADVANCEMENTS in technology have created unprecedented business opportunities for generating revenue, providing innovative products and services to customers, promoting distance learning, as well as fostering collaboration among friends, families, co-workers and other business associates. On the other hand, criminals are increasingly exploiting cyberspace and computing devices in order to steal intellectual property, commit credit/debit card fraud, effect illicit wire transfers as well as gain unauthorised access to sensitive personal information and bank accounts.

In the Caribbean, there has been a recent increase in cybercrime with the Trinidad and Tobago Cyber Security Incident Response Team (TTCSIRT) confirming 38 ransomware incidents in the region over the last six months, 16 of which occurred in Trinidad and Tobago alone.

Why are cyber criminals targeting the Caribbean region with such increased frequency? Given the economic challenges brought on by the current pandemic, regional organisations are under pressure to redirect scarce financial resources towards revenue-generating activities. As such, investment into cybersecurity may have been limited.

The pandemic has also forced many organisations to adopt various online collaborative tools and other remote-working technologies in order to maintain connection with employees, customers and other stakeholders. The combination of lower investment in cybersecurity, coupled with more widespread remote access to networks, systems and devices, has created a “perfect storm” for cyber criminals to capitalise on.

For organisations to effectively prioritise their cyber investment, they must adopt a risk management approach for identifying and prioritising responses to cyber threats. The process begins by accepting that not all information is of equivalent value. The investment in controls to mitigate the risks should be commensurate with the criticality and confidentiality of the information to be protected.

To do this, organisations must perform these preliminary action steps:

1) Perform an inventory of information assets to determine which are the most valuable

2) Identify the key cyber threats that could potentially affect those assets

3) Determine the likelihood of those threats impacting the assets

4) Determine the appropriate controls to mitigate the risks based on cost-benefit analysis

A comprehensive baseline of controls (such as defined by the Centre for Internet Security) is usually sufficient in addressing threats that are relatively low in sophistication.

Moreover, not all information assets are valuable enough to require protection from a sophisticated threat, so risk acceptance can be practised in those cases. Together, the baseline and risk acceptance shield information assets from the larger portion of cybersecurity threats, leaving high-value spend focused on the most critical information assets, as shown in figure 1.

Figure 1 source: Economics of Cybersecurity, AFCEA International Cyber Committee

Addressing the top group of relevant threats, however, requires a good understanding of the organisation’s historical or projected frequency of cybersecurity incidents and the potential loss impact when such incidents transpire. This information can be obtained from regular vulnerability scans, penetration tests and cybersecurity audits.

In determining information asset criticality, organisations can adopt a classification process where information is categorised by security level based on the following key considerations:

a) The sensitivity or value of the information;

b) The financial or reputational risks associated with its unauthorised disclosure or modification;

c) Any legal, regulatory or contractual considerations; and

d) The relevance of the information according to the overall needs and goals of the organisation.

Once categorised by security levels, the impact of specific risks to the availability, integrity and confidentiality of the information can be assessed. Based on the impact assessment, organisations can implement specific security controls according to whether the information is classified as private and confidential, internal use only or public. In general, information classified as public does not require any substantial cybersecurity investment, whereas information classified as private and confidential usually does.

The assumption is that the compromise of private and confidential information poses the greatest loss exposure to the organisation, so the investment in cybersecurity controls for this category of information must be sufficient to offset the risk. Information classified as internal use only requires comparatively lower security controls than private and confidential information, but certainly stronger controls than public information.
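As an added illustration of the four-step approach and the classification-based spending rule above (example code, not from the article), the following Python snippet scores each asset by expected annual loss (threat frequency multiplied by loss impact) and ranks candidate controls by the loss they avoid against their cost, accepting residual risk on public information; every asset, threat frequency, loss figure and control cost is a constructed sample value.

```python
from dataclasses import dataclass
# All assets, threat frequencies, loss figures and control costs are constructed sample values.

@dataclass
class Asset:
    name: str
    classification: str       # "public", "internal" or "confidential"
    loss_per_incident: float  # estimated loss impact of one incident, in dollars

@dataclass
class Control:
    name: str
    asset: str
    threat: str
    annual_cost: float
    reduction: float          # fraction of the threat's frequency the control removes (0..1)

def expected_annual_loss(asset, threats):
    """Step 3: likelihood x impact, summed over every threat that touches the asset."""
    return sum(f for (a, _), f in threats.items() if a == asset.name) * asset.loss_per_incident

def evaluate_controls(assets, threats, controls):
    """Step 4: cost-benefit per control -> (name, avoided loss, net benefit, decision)."""
    asset_by_name = {a.name: a for a in assets}
    rows = []
    for c in controls:
        asset = asset_by_name[c.asset]
        avoided = threats[(c.asset, c.threat)] * c.reduction * asset.loss_per_incident
        net = avoided - c.annual_cost
        if asset.classification == "public":
            decision = "accept risk"   # public information: no substantial spend
        else:
            decision = "invest" if net > 0 else "reject"  # reject: costs more than it avoids
        rows.append((c.name, round(avoided), round(net), decision))
    return sorted(rows, key=lambda r: r[2], reverse=True)  # best net benefit first

ASSETS = [Asset("customer_pii_db", "confidential", 500_000),
          Asset("hr_payroll", "internal", 50_000),
          Asset("marketing_site", "public", 2_000)]
# (asset, threat) -> expected incidents per year, from incident history or scans
THREATS = {("customer_pii_db", "credential phishing"): 0.6, ("customer_pii_db", "ransomware"): 0.4,
           ("hr_payroll", "ransomware"): 0.2, ("marketing_site", "defacement"): 1.0}
CONTROLS = [Control("MFA on remote access", "customer_pii_db", "credential phishing", 20_000, 0.8),
            Control("offline backups and restore tests", "customer_pii_db", "ransomware", 30_000, 0.7),
            Control("EDR on payroll hosts", "hr_payroll", "ransomware", 15_000, 0.6),
            Control("WAF in front of website", "marketing_site", "defacement", 8_000, 0.9)]

if __name__ == "__main__":
    for row in evaluate_controls(ASSETS, THREATS, CONTROLS):
        print(row)
```

The two confidential-data controls come out first because the loss they avoid dwarfs their cost, the payroll control is rejected on cost-benefit grounds (the baseline is assumed to cover it), and the public website keeps its residual risk.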

Also, today there are increasing regulations around the protection of Personally Identifiable Information (PII). PII refers to any information about an individual, including:

(1) Any information which can be used to directly identify an individual; and

(2) Any indirect information that, when linked with other data, can directly identify an individual.

Regulators across the world increasingly require certain organisations, including financial institutions, to have appropriate controls to ensure that private information is disclosed only to those who have a legitimate business need for such access. Investment in appropriate cybersecurity controls for the protection of PII is not an option but a key requirement, especially for financial institutions seeking to adopt new digital products and services for their customers.

In conclusion, it is important that organisations adopt a risk-based approach for decision making when it comes to determining the appropriate cybersecurity investment.
