
Digital anthropologist Daren Dhoray:

‘Cybercrime likely to keep surging’

by Andrea Perez-Sobers
February 29, 2024

Cybercrime is expected to surge in the next four years, rising from US$9.22 trillion this year to US$13.82 trillion by 2028, according to a report by Statista’s Market Insights that tracks such attacks worldwide.

It’s against this background that digital anthropologist Daren Dhoray emphasized how important it is to have proper cybersecurity awareness training in the workplace to minimise the risk of attacks.

Dhoray told the Business Guardian that based on these figures, cybercrime seems to be a lucrative criminal activity, and some of the major breaches are conducted in a very sophisticated manner with payment/ransom being requested in untraceable cryptocurrency (bitcoin) transactions. As such, Dhoray said it leaves little reason to doubt why the projected figures are so high.

He said cyber-attacks result in financial impact to the organisation, which include ransomware attacks where companies are faced with paying a ransom to the cybercriminal to regain access to their systems.

Dhoray said ransomware attacks may also come in the form of phishing attacks where employees themselves may end up being tricked into paying for a (fake) service or product, which often results in credit cards being compromised.

He noted that a 2021 report from PCH Technologies provided an estimate of the average loss per company based on size:

• Small companies (1-49 employees) lost an average of US$24,000;

• Medium-sized companies (50-249) lost an average of US$50,000;

• Large companies (250-999) lost an average of US$133,000; and

• Enterprise Level (1000+ employees) lost an average of US$504,00.

These figures, he said, would have only increased over the years.

Asked how many companies and agencies within the region have fallen victim to cyberattackers between 2020 and now, Dhoray said unlike the United States and the United Kingdom, there isn’t any legislation that mandates critical infrastructure companies such as energy, financial, communications, government etc. to report cybersecurity incidents.

In March 2022, he said the US Securities and Exchange Commission proposed a rule to require publicly listed companies to also report their cybersecurity incidents.

“For the Caribbean, a manual curation of a few incidents that have been published would be the only way to acquire such figures.”

Dhoray said this tedious work was recently completed by Shiva Parasram and Alex Samm of Computer Forensics and Security Institute (CFSI) and Tier 10 Technologies respectively who compiled and launched the Ransomware Warehouse publication on February 18, 2024.

He disclosed that this document provided a regional overview of cyberattacks within Caricom and the wider Caribbean. Of the data shared, the report indicated that in 2022 there were 32 reported cyberattacks and data-leaks coming from Dominica, Puerto Rico, Dominican Republic, Trinidad and Tobago, Jamaica, Martinique, Antigua and Barbuda, Aruba, Belize, Curacao, Guyana, Haiti and the Bahamas.

As it pertains to some of the industries that were attacked in 2023, Dhoray said Shiva and his team were also able to document some of the 2023 attacks that happened in T&T, such as manufacturing-food beverage, telecommunications, insurance, oil and gas and retail.

On what could have been done differently with respect to the Telecommunications Services of Trinidad and Tobago (TSTT) cyberbreach, the digital anthropologist said, based on the interim report filed with the Parliament’s Joint Select Committee investigating TSTT’s handling of the breach, there are a few things to note:

• Passwords to a user account were not redacted when uploaded to an external platform. This external platform (GitLab) seems to have been a key source of information that aided in the hackers’ attempt to gain access to a TSTT file server. Redacting, sanitizing or removing passwords is often a common practice when backing up or storing documentation or source code, particularly on an external or cloud-based provider;

• This user account had elevated privileges and was used to initiate a wider attack on TSTT’s systems. While information is limited about what systems or applications the account was used to access, one possible mitigation strategy would be to have alerts in the form of email messages or being written to a log (that is regularly reviewed) notifying an admin or account owner when certain types of activity are executed by that account. In this case, it was reported that the account attempted to create multiple rogue accounts on the network. This could have been one of the flags that could be used to alert other admins within TSTT, which could have led to preventing or reducing the overall impact of the breach; and

• Lastly, it was also reported that another user account from a dealer store may have attempted to gain access to the GitLab repository. Satellite locations may often be left behind when it comes to the adoption of the core company cybersecurity policies. If this is the case, then it would be the responsibility of TSTT to ensure that all ‘external’ vendors are forced to meet a minimum cybersecurity posture before being allowed to interact with the main company’s systems.
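One way to implement the alert suggested in the second point above, flagging an account that creates several new accounts in a short period, is sketched here as an added example that is not part of the original article or of any TSTT system. The log format, account names, threshold and time window are assumptions, and the sample log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log. Assumed format: timestamp actor action target
SAMPLE_LOG = """\
2024-01-10T02:14:05 svc-deploy user.create tmp-admin1
2024-01-10T02:14:40 svc-deploy user.create tmp-admin2
2024-01-10T02:15:10 svc-deploy user.create tmp-admin3
2024-01-10T09:00:00 helpdesk1 user.create j.smith
2024-01-10T09:30:00 svc-deploy file.read /share/reports
2024-01-10T15:45:00 helpdesk1 user.create a.jones
"""

def parse(line):
    """Split one log line into (timestamp, actor, action, target)."""
    ts, actor, action, target = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), actor, action, target

def account_creation_bursts(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return one alert per actor that creates >= threshold accounts within window.

    Assumes the log is in chronological order. Malformed lines are skipped.
    """
    recent = defaultdict(deque)  # actor -> (timestamp, target) pairs still in window
    alerted = set()              # actors already reported, to avoid duplicate alerts
    alerts = []
    for line in log_text.splitlines():
        try:
            ts, actor, action, target = parse(line)
        except ValueError:
            continue  # blank or malformed line
        if action != "user.create":
            continue
        events = recent[actor]
        events.append((ts, target))
        # Drop creations that fell out of the sliding window
        while ts - events[0][0] > window:
            events.popleft()
        if len(events) >= threshold and actor not in alerted:
            alerted.add(actor)
            alerts.append({
                "actor": actor,
                "first_seen": events[0][0],
                "created": [t for _, t in events],
            })
    return alerts

if __name__ == "__main__":
    for alert in account_creation_bursts(SAMPLE_LOG):
        print(f"ALERT: {alert['actor']} created {alert['created']}")
```

The returned alerts can be emailed to administrators or written to a reviewed log, as the article suggests; routine help-desk activity spread across the day stays below the threshold.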

With the cyberattacks on the increase, Dhoray was asked to estimate how much money was lost by the companies preyed upon. He said there isn’t a figure that can be quoted which provides a proper estimate to all companies. But he said some recent stats which would help to provide some insight include international IBM Security, which reported that the average cost of a data breach globally in 2020 was US$3.86 million. This would be mostly attributed to phishing and ransomware type of attacks.

“The range for these types of breaches is quite wide and varies by industry. Hackers often do their homework and know their victims well enough to decide on what aspect of their systems or data is most valuable and also know well in advance how much they think a client would be willing to pay to recover that data,” he revealed.

However, he said this varies depending on the industry and one example from the 2020 IBM Security report highlighted Amazon.com which was down for just under an hour in 2020 due to a denial-of-service attack and lost somewhere in the vicinity of US$75 million in sales.

Asked to provide advice to social media persons, companies, and agencies to protect themselves from hacks, Dhoray said: “Guard access to your online accounts in the same way you guard access to your physical assets e.g. vehicle, apartment, or house. We would often go to extra lengths to ensure our physical safety but often just stay with the basics when it comes to online safety. No longer is just having a strong password sufficient to stay safe online.”

He stated in the same way people invest in security cameras and remote monitoring services to protect one’s home and persons.

“Also, one needs to employ additional steps in protecting their online assets. This would include setting up multi-factor authentication on all your online accounts. Having a password refresh policy means changing your password on a scheduled basis – for some types of accounts e.g. online banking you may want to consider a quarterly refresh.

“Conducting security audits on your accounts e.g. review login activity and see if you notice any strange logins. Review and limit access – this should no longer be based on convenience but on need. Backups and recovery accounts are critical in the event anything goes wrong,” Dhoray added.

