Policy needed to make Caribbean companies take cybersecurity seriously, says CEO
ROSE HALL, St James — The CEO of a leading cybersecurity firm in the region has suggested the need for government policy that will push companies to take the steps needed to protect themselves and their data.
“The Caribbean is in a state where we need to change our policies to ensure that we understand what we need to be doing to protect our environment and protect the data that sits on the environment,” stated the CEO of Simply Secure Group, Kevin Gordon.
Simply Secure is a Fort Lauderdale-based Caribbean-owned company that has artificial intelligence among the items in its toolkit. It provides cutting-edge Federal Bureau of Investigation (FBI)-approved service.
Gordon was speaking with the Jamaica Observer on the sidelines of the sixth staging of TechBeach Retreat at Iberostar Rose Hall Beach in St James. The three-day annual event, which ended on Saturday, is said to be the premier gathering for tech enthusiasts, innovators, and industry leaders.
“We have stopped over $69 billion in cyber threats across the Caribbean, Latin America, and North America. The Caribbean has $38 billion of those [threats] that we have stopped, and a lot of those companies would not have recovered if we were not there,” revealed Gordon.
“We have the systems and we have the tools in place. With a small change in policy and a small change in your team and a small change, immaterial change, in terms of the cost to your systems and tools, you could prevent 90 per cent of ransomware attacks. We thank God that we have not lost one customer in the last four and a half years to any ransomware threats or to a data breach,” the cyber security firm CEO added.
According to Gordon, data from independent German organisation AV Institute indicates that there are almost 300,000 cyber threats being created across the world daily.
“Unfortunately, of those 282,000, none of them have any signature or can be identified on any threat intelligence database. The challenge here is that because they cannot be identified a lot of those companies are going to be infected,” cautioned Gordon.
He pointed out that these breaches sometimes go undetected for as much as two years, but by then the damage has already been done. By the time a hacker makes a demand for payment, they would have long burrowed inside a company’s database.
“A lot of those companies have been infected for six months and the data was stolen before the ransomware attack is present on those systems,” Gordon said.
He argued that for some companies “something has to be there to drive them to actually put those policies” in place.
He said many of them are not prepared for the implementation of the Data Protection Act, which came into effect on December 1.
“Some companies are trying to figure themselves out when they should have already done that months ago. Nevertheless, it is essential that everyone understands that you have to start first with a policy. You need to have a cyber security plan in place. You need to have a playbook for your incident response in place. You need to ensure that you have those controls and a proper communication plan, a proper legal plan, proper documentation that speaks to how you respond when there is a crisis and then ensure that you move from policy to your people,” the CEO urged.
Each company, he said, needs to have a clear plan in place.
“What we are trying to do is ensure that every company understands that you have a collective responsibility, internally, to develop your own internal cyber security controls and policies. Those policies need to speak to the individuals who are responsible for the systems, the tools, and the data within your environment. They also need to speak about, potentially, who has access to them and what you do with them. But more importantly, if there is a crisis, if there is a ransomware attack, something happened today, what do you do?” he asked.
“Who takes point in the communication process? Who takes point from a legal standpoint? Who do you communicate with when there is a ransomware attack? What actions do you take from an IT perspective when an attack happens? How do you communicate with your customers? Do you have a template for your internal staff? What do you do when something happens?” continued Gordon.
He noted that most companies do not proactively prepare for cyber threats.
“We do business content disaster recovery when there is a hurricane, [but] nobody puts something in place for that critical point when they are attacked. And, unfortunately, it is not a matter of if you will be attacked, it is when you will be attacked,” he warned.
“We find the companies that respond the best and are able to recover are the ones that have, first, policies that define what they do when something happens,” stated Gordon.