Date: 2022-11-08

AS THE Government moves to digitise the public service, it also needs to put safeguards in place to protect citizens’ data.
“With the large thrust to digitise private and public sectors (of all sizes and scales), the need for programmes, infrastructure and teams to proportionally support cybersecurity is growing. As the former has been growing much faster than the latter, the impact is that companies organically become high-risk for cyber attacks. Without the relevant cyber belts and braces, Trinidad and Tobago is a growing target,” said EY Caribbean’s Technology Risk consulting leader, Anil Persad.
He spoke to the Express Business last week in his continuing thrust to raise awareness, understanding and impact of cyber security.
So how vulnerable is the average citizen, through their social media on their smartphones where personal data is stored?
“It can reveal very sensitive and private information about an individual from identification to financial information to political affiliation to health matters. This information can sit on an individual’s cellphone and laptop, but persons generally publish a large quantity of it on social media platforms and much of it may be visible via the Internet,” he said.
“This presents direct incentives for malicious actors to target and monetise these assets. There have been billions of personal data records stolen over the past years through a host of breaches associated with some of the largest technology giants such as Facebook, LinkedIn and Yahoo.
“In some instances, hackers have monetised this data by trading for cryptocurrency on the darknet—a hidden part of the Internet that is anonymous and not accessible via regular internet browsers. Individuals are also targeted for data theft through phishing attacks—trickery, manipulation and deception—to provide personal details which are often used later for illicit purposes such as extortion, account takeover or even to cause harm or reputational damage to the business,” said Persad.
He noted that the most common use of stolen personal information has been for the purpose of identity theft.
“E-commerce and online payment activities rising to extraordinary proportions over the past ten years has fueled this, and credit card fraud has been the most prevalent form of identity theft perpetrated. This still remains a pain point even with the growing sophistication of tools and processes to deter the fraud,” he said.
He observed that 2022 data suggest the average person spends between two and three hours on social media interacting with “known and unknown actors on the Internet”.
Persad said information is often shared across multiple social media platforms with different intentions in most cases. That means anyone can utilise these platforms to collate and profile others with malicious intent.
“In some cases, we may share much more than we intend to, for example, in photos we may post, the geolocation properties may reveal exactly where and when the photos were taken (a vacation spot perhaps). In other cases, persons may reveal a lot of family history, information about friends, interests, etc. This is juicy information for someone building a profile on a target as these public sources of information can form a very telling story about a person,” he said.
The cyber expert noted that companies, governments and individuals utilise cyber (simply defined – computing technologies and networks) continuously today, in almost all aspects of existence and operations.
“There is a myriad of information being generated daily and growing exponentially—measurement terms like ‘quintillion’ are being used to define data sizes today. Just as this information highway has given rise to previously unfathomed speed, connectivity and convenience of access to information, so too has it created opportunities and enticement for ill-willed unethical or malicious persons, teams and even states.
“Within these data sets reside key and sensitive information which, if lost, stolen or inappropriately used can be high risk and even debilitating to the persons and entities. The threat actors continuously probe and scan the environment to identify and exploit opportunities and weaknesses, with financial, social and political agendas.
“In the absence of appropriate and continuously functional cyber safeguards, the individual, company or government can be at the mercy of the threat actors, and systems may not be provisioned with the proper tools, utilities and monitoring mechanisms to identify, detect and respond to the threats. This ‘tooling’ also applies to the individual, who if unaware, may not act with the proper diligence and skepticism required to navigate the highway today. Over 90 per cent of successful cyberattacks initially exploit user weakness via ‘social engineering’ or ‘phishing’ with the aim of stealing information or allowing the attacker entry into computers, phones and networks,” he said.
Cyber attacks increasing
Persad observed that the Caribbean has seen a spike in malicious cyber activities and the region appears to be attractive on the world’s stage for the ill-willed actors.
“The area has been plagued with malware attacks (like ransomware) targeting the large conglomerates, as well as medium and small businesses. The data, though unclear and incomplete, do not point to any specific sectors (outside of the obvious financial services) that are most targeted, as the targets have ranged from central banks to hospitals to educational institutions,” he said.
He noted that in 2019, over ten government websites in T&T were hacked and defaced by an attacker.
“The vulnerability exploited by the attacker was basic and he was able to get into an area that should have been protected from the Internet. This type of scenario has been very common, and today’s technologies make those types of vulnerabilities much more visible, traceable and hackable on the Internet. Unfortunately, some of our local companies continue to have vulnerable assets and services facing the Internet, and the weaknesses and holes are not being consistently identified and remediated, to keep the virtual shield perpetually strong. Some of the successful breaches and exploits experienced locally, similar to the rest of the world, have also been the result of successful social engineering/phishing attacks, where the attackers were metaphorically escorted into the organisation by an unsuspecting employee clicking on a malicious link or opening a malware infected file. In some cases these have led to complete organisation network takeover by these blackhat hackers,” he said.
He said some countries have attempted to strengthen existing legislation and regulations and institute national Cyber Security Incident Response Teams (CSIRT). But, in his view, the region has largely been in a reactive mode in responding to cyberattacks and cybercrime, with the delta between the security risks around the technologies and the programmes to secure them growing wider.
“Some jurisdictions are further along the legislative path like Barbados and Jamaica who have recently passed their data privacy legislations, very similar to the European General Data Privacy Regulation, which basically mandates that companies design organisational and technical controls for safeguarding and using personal data. This effectively pushes the organisations within those regions to institute and monitor proper cybersecurity programmes, or face severe non-compliance fines (and even imprisonment).
“With the lack of current and meaningful laws and regulations to match today’s businesses, the onus is on the companies’ boards and executive teams to prudently demonstrate a proclivity for proper risk management and demonstrate good cyber security practices to its stakeholders and customers. Unfortunately, this is not commonplace across all organisations within Trinidad and Tobago and issues such as lack of budget and cybersecurity resources have been cited as the key challenges,” he said.