Mailpac and Massy hacked
Stuart Hylton, senior manager, IT compliance and data privacy with Symptai Consulting Limited, and a member of The Information Systems Audit and Control Association (ISACA), indicates that data breaches in Caribbean territories continue to occur.
The expert made his presentation on the causes of company vulnerability during the Jamaica Bankers Association and the Jamaica Institute of Financial Services (JIFS) seminar on July 14.
Companies, he indicates, remain vulnerable in the areas of improperly configured devices and systems; ineffective patch management controls; insufficient cryptography; inadequate or improper access controls; lack of data validation and sanitisation; inadequate or improper authentication controls; inadequate or improper auditing and logging controls; poor session management; and vulnerable API and web in addition to poor file and resource management.
Hylton shared that recent breaches in the Caribbean include Mailpac Express in April 2022, Massy stores in April 2022 and companies in Costa Rica in May 2022.
Vulnerabilities in the Caribbean
According to research from IBM and the Ponemon Institute (based on research for 500 data breaches over seven years of research data, in 17 countries and regions among 17 industries), the average cost of a data breach for companies surveyed is US$4.24m. Meanwhile, the average time for respondents to identify and contain a breach is 287 days.
The expert stated that losses often result from increased customer turnover; lost revenue due to system downtime; the increasing cost of acquiring new business due to diminished reputation; reputational damages; regulatory fines; and exposure of highly confidential information.
Companies should understand, the expert advised, the scope of their cyber environment and strategic objectives, benchmarking against recognised frameworks and standards.
Procedures to contain risk should include expert assessment, recommendations to mitigate risks, remediation, verification that remediation activities have been completed as recommended and continuous checking on the effectiveness of controls. Managers should also always be alert for new risks, he stated.
Risk mitigation
Hylton said that measures to buttress risk mitigation include the use of strong passwords, meaning passwords with a minimum of 10 characters consisting of uppercase, lowercase, numbers and special characters (such as #, @, &).
The defence system would also include two-factor authentication, and enabling multi-factor authentication (MFA) to ensure the only person who has access to your account is you.
Managers should also implement access control limitations and grant access to resources only on a need-to-know basis, for critical infrastructure.
Hylton advised that important files must be backed up regularly, encrypted and stored separately from the system being backed up. Meanwhile, it should be company-wide practice to avoid opening suspicious e-mails or attachments.
Avoid clicking links in e-mails or text messages that are not expected or are from unknown senders. Managers should also enable security tools; configure anti-malware or antivirus software and disk encryption on laptops and mobile devices; and keep all devices up to date with the latest system updates and patches.
Also making their presentation at the seminar, PwC representatives warned, “Cybercrime has now become democratised. The rise of cybercrime-as-a-service (CaaS) is seen as a critical evolution in the cybercrime landscape. Analogous to cloud services in legitimate markets, like platform-as-a-service, CaaS enables criminal entrepreneurs to develop and manage their business without the complexity of building and maintaining all required expertise, infrastructure and tools themselves. CaaS providers on dark web and found that custom spyware.”
These experts recommended that the approach to containment should include identifying and assessing macro and micro risks and the prioritisation of strategic remediation initiatives.
Presenters on cyber threat intelligence from Hitachi at the JBA/JIFS seminar said that around half of all organisations (52 per cent) have been hit by ransomware attacks in the past three years.
Meanwhile, 39 per cent of those struck paid a ransom, with one in five companies spending US$500,000 or more. It was noted that it takes on average three to four days for businesses to detect attacks following an incident disclosure.