Business leaders in T&T are not investing enough to protect themselves from potential cyberattacks and this could impact negatively on their financial performance.
This is the view of managing director of Architects of Caribbean Enterprise Strategic Solutions, Ricardo Fraser who spoke to Sunday Business about the latest trends in cybersecurity and the consequences for companies that do not protect themselves.
Fraser is also the vice president of the International Information System Security Certification Consortium (ISC2) Caribbean and Latin American chapter. This is a non-profit organisation which specialises in training and certification of cybersecurity professionals. It has been described as the world’s largest IT security organisation.
He said criminals who carry out cyberattacks are motivated by money and many operate outside of the Caribbean region.
Cyberattacks can result in credit card fraud and identity theft where the hackers steal customers’ accounts.
He gave examples of different sizes of businesses and what their needs might be.
For a small business with a few employees or a professional working from home, their is need for anti-virus software and a firewall for their home network and personal computer devices. They also need spam filters to protect emails, and if it is a bigger company, they need a detection and response software systems.
Fraser said in T&T, some cybersecurity service providers offer services that cost TT$1,000 monthly that will protect a professional with a laptop who works from home. However, for larger companies it can cost thousands of dollars in US currency.
If a company wants to do a vulnerability and penetration test to determine how vulnerable its network is, the cost can be TT$50,000 a year.
“In T&T and the Caribbean, companies are of a small size and these services can run into thousands of US dollars. They can cost up to US$30,000 annually. Many small businesses may not be in a position to put out or pay US$30,000 annually. It all depends on their revenue.
“If a company generates US$1 million annually in revenue and it has a significant profit margin, it may be wise to invest in cybersecurity systems. Companies are using more technologies globally and they will have to be protected. In order to remain competitive, businesses must use the technology.”
Cybersecurity breaches have caught the attention of the public over the last few months, with the most prominent example being the cyberattack on the Telecommunications Services of Trinidad and Tobago (TSTT) last year.
The breach took place on October 9, but the public was only informed on October 27 via India-based technology security company Falcon Feeds. Taking to its X social media account, Falcon Feeds said ransomware group RansomExx added TSTT to its victim list claiming to have stolen six gigabytes of data.
On October 30, TSTT issued a statement which said that customers’ data was not compromised during the leak. However, days later, on November 5, the Minister of Public Utilities Marvin Gonzales retracted his previous comments, confirming that TSTT was hit by a cyberattack, and ordering an independent investigation.
On November 15, TSTT announced that CEO Lisa Agard had been replaced by Kent Western. Prior to his appointment, Western was TSTT’s general manager, Customer Experience and Marketing.
There have also been media reports of other large companies like Courts, PriceSmart and statutory corporations like TTPost that were hit by cyberattacks recently.
Brain drain
Fraser admitted that setting up systems to protect companies and businesses is not cheap and he lamented that some business owners are reluctant to spend the money to protect their businesses.
He also said there is a brain drain in T&T as cybersecurity professionals are leaving for the US, UK and Canada where they are paid much higher wages.
According to some of the examples he gave, some cybersecurity professionals in T&T are offered wages as low as $5,000 monthly.
“We have skilled people in T&T that have been taking their skills abroad, providing services to international organisations and even migrating. They perceive that it is better to go out there and earn wages.
“The problem right now in the local business community is that there needs to be an increased cybersecurity awareness by decisionmakers so that they will understand the investment required to implement cybersecurity protective measures.
“It begins with an understanding of the impact on their businesses in terms of dollars and cents. Currently we are not seeing the sort of penetration in the cybersecurity market and that stems from a lack of awareness of how at risk companies are,” said Fraser.
Impact on businesses
Fraser said that cyberattacks are increasing and it is even more important for businesses to protect themselves.
“We have seen an increasing number of cyberattacks. In the last quarter of 2023, I would say there have been 20 attacks. TSTT is a major one but as people would recall, according to media reports, there were other major ones like Courts, PriceSmart and Massy Technologies. These attacks have been increasing and we expect them to increase steadily in the coming months. These attacks are not random and the attackers probe weaknesses. At least 60 per cent of organisations in T&T are vulnerable.”
He defines cybersecurity as the practice of helping organisations protect their digital systems from threats that may impact their business objectives.
“The goal of it is to decrease the likelihood or the impact of a threat because a cybersecurity threat affects the confidentiality, availability or integrity of data. A cybersecurity threat, while it may affect an information system meaning people, processes, data, technology of a system, it really has real world business impact because it affects the operations of an organization. It affects the ability of an organisation to generate revenue. The organisation has to incur expenses to alleviate these cyber-attacks.”
He spoke about serious consequences that businesses suffer after a cyberattacks.
“There is the reputational damage. In some organisations reputational damage can lead to a lack of customer confidence. If the organisation is publicly traded it can lead to decreased share prices.”
He said once there is a breach of a company’s systems, a forensic analysis will have to done which is looking for indicators of compromise after the breach.
“That is even more costly than putting these protections in place. What some service providers are doing is trying to develop an all-in-one solution that protects organisations and mitigates the chances of that sort of cyberattack from taking place and even if the cyberattack has taken place it really eases the return to normal operations.”
He concluded by offering solutions.
“One of the things to drive change that will encourage organisations to adopt cybersecurity tools and technologies would be regulations and laws. We have seen much success in the banking sector as their cybersecurity programmes are typically regulated by the central banks throughout the region.
“The central banks play a regulatory role to protect the cybersecurity programmes of financial institutions.
What we need is more regulation for critical industries across the Caribbean like public utilities. Imagine if a public utility goes down because of cyberattacks, what will be the effects of civil society and businesses.
“We need regulation pertaining to forcing a minimum standard of cybersecurity programmes. There are the ISO standards for cybersecurity and there is the importance of complying with those.”
