ADVANCEMENTS in technology have created unprecedented business opportunities for generating revenue, providing innovative products and services to customers, promoting distance learning, as well as fostering collaboration among friends, families, co-workers and other business associates. On the other hand, criminals are increasingly exploiting cyberspace and computing devices in order to steal intellectual property, commit credit/debit card fraud, effect illicit wire transfers as well as gain unauthorised access to sensitive personal information and bank accounts.
In the Caribbean, there has been a recent increase in cybercrime with the Trinidad and Tobago Cyber Security Incident Response Team (TTCSIRT) confirming 38 ransomware incidents in the region over the last six months, 16 of which occurred in Trinidad and Tobago alone.
Why are cyber criminals targeting the Caribbean region with such increased frequency? Given the economic challenges brought on by the current pandemic, regional organisations are under pressure to redirect scarce financial resources towards revenue-generating activities. As such, investment in cybersecurity may have been limited.
The pandemic has also forced many organisations to adopt various online collaborative tools and other remote-working technologies in order to maintain connection with employees, customers and other stakeholders. The combination of lower investment in cybersecurity, coupled with more widespread remote access to networks, systems and devices, has created a “perfect storm” for cyber criminals to capitalise on.
For organisations to effectively prioritise their cyber investment, they must adopt a risk management approach for identifying and prioritising responses to cyber threats. The process begins by accepting that not all information is of equivalent value. The investment in controls to mitigate the risks should be commensurate with the criticality and confidentiality of the information to be protected.
To do this, organisations must perform these preliminary action steps:
1) Perform an inventory of information assets to determine which are the most valuable
2) Identify the key cyber threats that could potentially affect those assets
3) Determine the likelihood of those threats impacting the assets
4) Determine the appropriate controls to mitigate the risks based on cost-benefit analysis
A comprehensive baseline of controls (such as the CIS Critical Security Controls published by the Center for Internet Security) is usually sufficient to address threats of relatively low sophistication.
Moreover, not all information assets are valuable enough to warrant protection against a sophisticated threat, and in those cases the residual risk can be accepted. The baseline therefore blocks the larger portion of cybersecurity threats from impacting information assets, leaving high-value spend to be concentrated on the most critical information assets, as shown in figure 1.
Source: Economics of Cybersecurity, AFCEA International Cyber Committee
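As an added illustration (not part of the original article or of the AFCEA source cited above), the four preliminary steps and the risk-acceptance rule can be carried out as a small cost-benefit calculation over a risk register. The asset values, threat likelihoods, control costs and effectiveness figures below are constructed placeholders, and the annualised-loss-expectancy formula (expected loss = incidents per year × fraction of value lost per incident × asset value) is an assumed quantification that the article itself does not prescribe:

```python
from dataclasses import dataclass
from typing import List, Optional

# Added example: a small risk register that ranks threats by expected annual
# loss and picks, per threat, the control whose risk reduction is worth its cost.
# Every figure below is a constructed placeholder, not data from the article.

@dataclass
class Asset:
    name: str
    value: float                # loss if fully compromised (step 1: inventory)

@dataclass
class Threat:
    name: str
    asset: str
    incidents_per_year: float   # step 3: likelihood, e.g. from incident history
    fraction_lost: float        # share of asset value lost per incident (0..1)

@dataclass
class Control:
    name: str
    threat: str
    annual_cost: float
    reduction: float            # share of the threat's incidents it prevents (0..1)

@dataclass
class Decision:
    threat: str
    asset: str
    expected_loss: float        # annualised loss expectancy before any control
    action: str                 # "mitigate" or "accept"
    control: Optional[str]
    net_benefit: float          # loss avoided minus control cost (0 when accepted)

def expected_loss(asset: Asset, threat: Threat) -> float:
    """Assumed quantification: incidents/year x fraction lost x asset value."""
    return threat.incidents_per_year * threat.fraction_lost * asset.value

def prioritise(assets: List[Asset], threats: List[Threat],
               controls: List[Control]) -> List[Decision]:
    """Step 4: for each threat keep the control with the highest net benefit;
    if no control pays for itself, the residual risk is accepted."""
    by_name = {a.name: a for a in assets}
    decisions: List[Decision] = []
    for t in threats:
        asset = by_name[t.asset]
        ale = expected_loss(asset, t)
        best: Optional[Control] = None
        best_benefit = 0.0
        for c in controls:
            if c.threat != t.name:
                continue
            benefit = ale * c.reduction - c.annual_cost
            if benefit > best_benefit:      # only a strictly positive net benefit wins
                best, best_benefit = c, benefit
        if best is None:
            decisions.append(Decision(t.name, asset.name, ale, "accept", None, 0.0))
        else:
            decisions.append(Decision(t.name, asset.name, ale, "mitigate",
                                      best.name, best_benefit))
    # Largest expected loss first: attention goes to the most critical assets
    decisions.sort(key=lambda d: d.expected_loss, reverse=True)
    return decisions

# Constructed sample register (placeholder figures in the organisation's currency)
ASSETS = [
    Asset("customer_card_data", 2_000_000),
    Asset("hr_intranet", 50_000),
    Asset("public_website", 10_000),
]
THREATS = [
    Threat("ransomware", "customer_card_data", incidents_per_year=0.4, fraction_lost=0.5),
    Threat("phishing", "hr_intranet", incidents_per_year=1.0, fraction_lost=0.2),
    Threat("defacement", "public_website", incidents_per_year=0.5, fraction_lost=0.3),
]
CONTROLS = [
    Control("offline_backups", "ransomware", annual_cost=60_000, reduction=0.7),
    Control("endpoint_detection", "ransomware", annual_cost=150_000, reduction=0.8),
    Control("mfa", "phishing", annual_cost=8_000, reduction=0.9),
    Control("waf", "defacement", annual_cost=5_000, reduction=0.8),
]

if __name__ == "__main__":
    for d in prioritise(ASSETS, THREATS, CONTROLS):
        print(f"{d.threat:<11} {d.asset:<19} ALE={d.expected_loss:>10,.0f} "
              f"{d.action:<8} {d.control or '-':<18} net={d.net_benefit:>9,.0f}")
```

With the placeholder figures, ransomware against the card data tops the list and the cheaper offline-backup control beats endpoint detection on net benefit, multi-factor authentication for the intranet barely pays for itself, and the web application firewall for the public site costs more than the loss it would avoid, so that risk is accepted, which is the pattern figure 1 describes.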
Addressing the top group of relevant threats, however, requires a good understanding of the organisation’s historical or projected frequency of cybersecurity incidents and the potential loss impact when such incidents transpire. This information can be drawn from the organisation’s incident history together with regular vulnerability scans, penetration tests and cybersecurity audits.
In determining information asset criticality, organisations can adopt a classification process where information is categorised by security level based on the following key considerations:
a) The sensitivity or value of the information;
b) The financial or reputational risks associated with its unauthorised disclosure or modification;
c) Any legal, regulatory or contractual considerations; and
d) The relevance of the information to the overall needs and goals of the organisation.
Once information has been categorised by security level, the impact of specific risks to its availability, integrity and confidentiality can be assessed. On the basis of that impact assessment, organisations can implement specific security controls according to whether the information is classified as private and confidential, internal use only or public. In general, information classified as public does not require any substantial cybersecurity investment, whereas information classified as private and confidential usually does.
The assumption is that the compromise of private and confidential information poses the greatest loss exposure to the organisation, so the investment in cybersecurity controls for this category must be sufficient to offset the risk. Information classified as internal use only requires less stringent controls than private and confidential information, but certainly stronger controls than public information.
Also, today there are increasing regulations around the protection of Personally Identifiable Information (PII). PII refers to any information about an individual, including:
(1) Any information which can be used to directly identify an individual; and
(2) Any indirect information which, when linked with other information, can identify an individual.
Regulators across the world increasingly require certain organisations, including financial institutions, to have appropriate controls to ensure that private information is disclosed only to those who have a legitimate business need for such access. Investment in appropriate cybersecurity controls for the protection of PII is not an option but a key requirement, especially for financial institutions seeking to adopt new digital products and services for their customers.
In conclusion, it is important that organisations adopt a risk-based approach for decision making when it comes to determining the appropriate cybersecurity investment.