Andrea Perez-Sobers
Senior Reporter
andrea.perez-sobers@guardian.co.tt
Cyber threat activities in this country have climbed from 35 incidents in 2021 to 52 in 2023, an increase of 48.5 per cent.
That’s according to data provided by the Trinidad and Tobago Cybersecurity Incident Response Team (TTCSIRT).
In an interview with the Business Guardian, cyber expert and senior manager at Ernst & Young (EY) Jeremy Naipaul said the data provided by the TTCSIRT illustrates a clear escalation in cyber threat activity.
Analysis of the data from 2019 to 2023, he noted, revealed that phishing emerged as the most common form of attack, with 68 reported incidents. This was closely trailed by instances of system compromise/data breaches, which stood at 47, and website defacement or denial-of-service attacks, totalling 39 incidents in the same timeframe.
Naipaul said this not only highlights that cybercriminals are paying more attention to the region but also the need for stronger cybersecurity controls.
Both the private and public sectors are aware of the risks posed by these threats and in response, Naipaul said companies have attempted to strengthen their technical and non-technical cybersecurity controls via additional investments.
For example, he said companies are onboarding service providers to perform periodic security testing to validate that their implemented security solutions are working as intended.
Looking at the expenditure side, Naipaul indicated that granular statistics on local cybersecurity expenditure may not be available as organisations are not formally required to disclose their annual spending on cybersecurity nor the costs incurred due to a successful cybersecurity attack.
However, he said EY has worked with organisations that have developed dedicated cybersecurity strategies along with clear budget allocations to drive a multifaceted approach to cybersecurity.
Asked what more needs to be done by the Government and companies to safeguard data, the cyber expert said organisations traditionally added technology and privacy safeguards only in response to problems, without a proactive plan that includes their whole tech environment and those who use it.
“We are now seeing more governments in the region introduce laws that control how personal data is used, pushing businesses towards tighter data security practices. Barbados and Jamaica, for example, have recently put new data protection laws in place. Trinidad is also working on its own law, but it is still in the works.”
At the company level, he noted, protecting data means having a mix of security steps, including technical things like encryption and constant security checks, along with making sure staff know how crucial it is to handle sensitive data carefully. These steps should be part of a larger cybersecurity plan, led by respective experts in the organisation.
Naipaul highlighted that the T&T Government is incentivising local organisations to invest further in cybersecurity solutions by granting a Cybersecurity Tax Investment Allowance (affectionately termed “CITA”) of up to TT$500,000 for expenditures related to investments in cybersecurity software and network security monitoring equipment.
“This is available to all local organisations and applicable within the period January 1, 2024, to December 31, 2025. This will further encourage investments in stronger technical protection measures in the short and medium term.”
How to protect against breaches
Last November, majority state-owned Telecommunications Services of T&T (TSTT) was hit with a ransomware attack which led to the breach of thousands of customers’ data, including that of Prime Minister Dr Keith Rowley. When asked how companies can ensure they do not fall prey to hackers, Naipaul stated there have been similar cybersecurity challenges seen across the Caribbean.
“Notably, there has been a consistent uptick in phishing—cyber-attacks where people are deceived into disclosing sensitive information or executing harmful actions, often through deceptive emails. In 2023 alone, TTCSIRT reported 18 phishing attacks that successfully breached systems. We have seen cases where front-line staff have received emails from attackers prompting them to open attached documents whereby, upon opening, specially crafted malware is triggered. This resulted in ransomware being installed on their system and spread autonomously to key systems within the organisation’s network within a matter of minutes,” Naipaul detailed.
Additionally, as companies continue to grow, the cyber expert pointed out that they are not adequately scaling their security measures to address the emerging risks that come with the adoption of new technologies. For example, he said local companies are increasingly using cloud platforms to store company and individual information. However, in some cases the components that the company is in control of are not appropriately configured, allowing cyber attackers or ‘hackers’ to easily find and exploit weaknesses. This results in a system compromise which severely damages the company’s reputation and ultimately incurs financial losses.
“TTCSIRT data indicates 47 system compromises and data breaches affected various sectors from 2019 to 2023, and unreported cases would likely increase this figure.”
Naipaul advised that organisations should implement educational initiatives designed to teach about the risks associated with digital activities and the best practices for safeguarding against cyber threats. These should aim to promote the understanding of common cyber risks like phishing, malware, and data breaches, and to teach behaviours that contribute to a secure online environment.
Also, he said organisations should consider their wider technology ecosystem and implement strong technical controls to harden their defenses and reduce the likelihood of successful cyber-attacks.
“Should an attack be successful, an organisation should have a strong cyber-incident response plan that will enable them to quickly and appropriately respond to a cyber incident and recover within a reasonable period whilst keeping all relevant stakeholders informed,” he mentioned.
Emails an easy target
On why emails represent a major cybersecurity concern, Naipaul said this is due to emails being used for both personal and professional communication, making them a popular target for hackers.
“Through social engineering tactics like phishing, attackers trick recipients into divulging sensitive information or unknowingly installing malware via links or attachments contained in seemingly harmless emails.”
“In many organisations, including those in Trinidad, emails serve as a key mechanism for sharing confidential information (such as personal and financial data) and for facilitating important business decisions before they become official company records. Unauthorised access to email communications can lead to data breaches, where sensitive details are exploited for malicious purposes,” Naipaul emphasised.
“Such statistics highlight the emerging trend of increasing cyberattacks year on year, positioning the Caribbean, including Trinidad, as a growing target for cybercriminals. This upward trend emphasises the urgent need for heightened cybersecurity awareness and robust protective measures across both the public and private sectors in the region,” he added.