Why Bitcoin Will Not Solve the Caribbean’s Financial Inclusion Woes

What is Bitcoin? Is it electronic money?

There’s a deluge of hype around Bitcoin and blockchain technologies right now, and policymakers and regulators in the Caribbean are doing their best to wrap their heads around the advantages and disadvantages of this virtual currency. Similar questions are being contemplated in the ICTs for development (ICT4D) community, taking into account that electronic money (e-money) platforms such as Safaricom’s M-PESA have essentially solved the financial inclusion quandary for millions of people in Kenya. The service has now even expanded to Eastern Europe, Afghanistan, and India.

Besides sharing the characteristic of being digital, how do Bitcoin and e-money compare, especially with regards to reaching individuals who have previously been unable to access traditional financial services? Presently, there appear to be more differences than similarities between the two, and it’s critical not to confuse virtual currency with e-money.

Blockchain, in brief, is a record of digital events, distributed across multiple participants. It can only be updated by consensus between participants in the system, and when new data is entered, it can never be erased. The blockchain contains a true and verifiable record of each and every transaction ever made in the system. Launched in 2009, Bitcoin is a virtual, private currency that uses blockchain as an underlying, immutable public ledger. Bitcoins are ‘mined’ using distributed processing power across a global network of volunteer software enthusiasts. The supply mechanism is designed to grow slowly and has an upper limit of 21 million units as determined by a built-in algorithm. There is no central authority that controls blockchain or Bitcoin. There are no central banks that can be politically manipulated; and no way to inflate the value of a national currency by simply printing more money. Economic libertarians are ecstatic at the very thought of this. However, competing virtual currencies can be created that could have the net effect of devaluing the original.

Contrastingly, e-money is not a separate currency and is overseen by the same national regulatory authority that governs the printing of fiat money – as is the case with M-PESA and the Central Bank of Kenya. It’s an extension of a national currency like Jamaican dollars or Netherland Antilles guilders for use over digital networks to reduce the costs associated with handling physical cash. More specifically, it’s a one-to-one electronic store of value pegged to the cash receipt of the equivalent amount. To mitigate against risks like money laundering, terrorist financing, consumer protection, etc., the cash against which e-money is issued most often has to be deposited with fully regulated financial institutions.

The issue of financial exclusion

The issue of financial exclusion can be summarized into two categories: unbanked and underbanked. Unbanked individuals do not have an account at a regulated financial institution, while underbanked individuals have accounts, but frequently use alternative or unregulated financial services.

Before elaborating on the key factors behind financial exclusion, it is important to detail the effects of being unbanked to illustrate the severity of the problem. Unbanked individuals are faced with a heavy economic burden when conducting even the most basic financial transactions. For example, cashing a cheque can cost the average person with full-time employment as much as USD$20,000 over his/her lifetime. Retailers, which many people use for cheque cashing, charge non-trivial fees; charges can be as high as USD$5 for cashing a single cheque. Other alternative financial services providers employ even more extortionate fee structures. Western Union, as an example, charges as much as USD$42 to send a USD$500 remittance to Barbados. ‘Underground’ alternative financial service providers levy as much as USD$10 on every USD$100 transferred. All in all, fees for conducting basic transactions can accrue into large costs. And given that the majority of unbanked households are low- and medium-income families, this significantly reduces the monies available for daily consumption.

There are numerous interwoven reasons, from both the customer and supplier ends, which contribute to the overall dilemma of financial exclusion. Fundamentally, the decision on whether or not to open a bank account can often be attributed to the volatility and quantity of the individual’s earnings. This means the more volatile a person’s income is, the higher the chance they are unbanked. Simply put, there are large numbers of Caribbean nationals who do not have enough money to maintain a bank account. As the majority of banks require a mandatory minimum deposit to open an account, as well as an average balance to avoid monthly service fees, an inadequate and/or inconsistent flow of income automatically serves as a barrier to using banking services for low-income earners who live paycheck to paycheck. Initially, this may seem paradoxical, as alternative financial services are very expensive, yet they are primarily used by low-income individuals. Nonetheless, it must be acknowledged that alternative financial services do not have strict requirements for maintaining a consistent account balance, and consequently are easier to access up front. The high costs of alternative financial services accumulate through prolonged usage, or at the conclusion of a lending agreement, where the interest rates are regularly double or triple those offered by traditional banks. Basically, the cost of a regular bank account is known in advance of setting it up, whereas the true cost of alternative financial services emerges over time. This is a major reason that alternative financial services are more appealing to low-income households.

Another reason individuals remain unbanked is attitudinal and behavioral; they really do not trust banks. A large percentage of them believe that banks are not in any way interested in serving their needs. This sentiment may not be all that unfounded, as a number of the banks across the Caribbean region have been reducing the teller services that unbanked individuals are familiar with and prefer, forcing more (non-technical) customers onto online channels, or, even more abhorrent (at least in the eyes of the common man), looking to divest their retail operations in favor of corporate banking and wealth management business units. Even though the commercial reasons may be legitimate, these types of actions are not improving the already unfavorable views of traditional banks.

However, it must be emphasized that the reasons for being unbanked are not restricted to consumers. The actions, or rather inaction, of private sector commercial banks play just as large a role in the issue. The prior discussion of low-income households being unable to obtain bank accounts due to high minimum balances highlights the unavailability of inexpensive banking options for this specific market segment. The commonly held belief is that banks lose too much money in servicing accounts for low-income individuals to make them a valuable market. Actually, one can forcefully contend that banks are pricing their products intentionally to keep these customers away. For example, as of June 2017, CIBC FirstCaribbean charges a $15 monthly service fee (in addition to various other transactional fees) and offers to waive the fee for customers who can maintain an average balance of $1,000. These types of pricing structures and expectations are difficult for poor people to meet.

Why Bitcoin isn’t a financial inclusion panacea

Bitcoin currently has no formal strategy or roadmap to guarantee, for instance, that even at its current rate of adoption, it can replace the variety of fiat currencies across the region. Investment is key to solving these types of problems. However, in quantitative terms, investment in the Internet at its nascent stages was several orders of magnitude greater by comparison.

There is a lot of controversy around attempts to regulate Bitcoin. It is not clear in which social and economic areas, and most importantly to what extent, the state or its agencies will be admitted into the development process to design compliance into the system. One theoretical problem lies in the fact that blockchain’s main strengths (security, legitimacy, privacy, safety and availability) are patterned off a set of algorithms — math, cryptography and distributed computing.

Renowned writer and amateur cryptographer Edgar Allan Poe once stated “… it may be roundly asserted that human ingenuity cannot concoct a cipher which human ingenuity cannot resolve… Thus, what is encrypted by one person, can always be decrypted by another.” Similar thought processes have led many security experts to claim that Bitcoin is one major hack away from total failure (can anyone say ‘quantum computing’?). My concerns about Bitcoin’s future, and more importantly its status as a solution for financial inclusion, are nowhere close to being so ominous or skeptical. In the sections that follow, I will fully outline why I think Bitcoin has a long way to go before it solves the financial inclusion dilemma in the Caribbean region.

To obtain Bitcoin, you must already be “economically included” — both in terms of Internet and financial access. Let’s be very honest here; the average unbanked or underbanked individual is not mildly interested in the highly technical and costly process of mining Bitcoin. In terms of investing in Bitcoin, individuals participate based on trust in the private currency and at their own risk (speculative investment is usually not the realm of low- to medium-income earners). The exchange rate of Bitcoin to US dollars has fluctuated wildly in its short existence. Once you have discretionary income available and use debit or credit cards to purchase Bitcoins on a cryptocurrency exchange such as Coinbase or BitStamp, Bitcoin has two characteristics of traditional money: when you buy products or services at participating merchants, transactions are largely anonymous and irrevocable. Again, free market advocates love this, but it garners unnecessary attention from tax agencies and law enforcement.

Anonymity is a deliberate choice for the unbanked. Simply put, the unbanked live in a cash-driven economy. They prefer to remain anonymous for a bevy of reasons: immigration status, tax purposes, fear, or general mistrust of banks. One of the ways to remedy this is to overhaul the burdensome regulations linked to closed networks like Western Union and MoneyGram to permit the unbanked to utilize completely anonymous platforms. Onerous rules are stymying advancements in digital movement of money because they were developed for a bygone era. For the cloud over the industry to disappear, efforts need to be made to vanquish the idea that anonymous money sending is only for terrorists and criminals. Allowing $100 in cash to move anonymously helps a poor farmer a lot more than it does an ISIS jihadist. The belief of libertarians that money will become totally anonymous, absent of any oversight or intervention by government and regulators, is illusory. The ultimate objective is to deploy technology that empowers individuals, but in tandem we need common institutions like the judiciary and regulators that protect consumers and the integrity of the currency that drives the economy. At the end of the day, millions of people aren’t going to discard the existing financial system in favor of Bitcoin on faith alone.

Predatory businesses are convenient where the unbanked live. Rural areas like Trelawny, Jamaica or Mayaro, Trinidad are home to large swathes of unbanked households. Traditional banks don’t see a viable business case for locating a branch or satellite office in such districts. This means that cheque cashing and money changing businesses that charge exorbitant rates are the only real means of conducting transactions. New concepts like human ATMs are popping up in locations such as Hong Kong, where low-income individuals can send money home, and where several minor Bitcoin remittance players have been successful. However, like rural areas in the Caribbean, these are small markets that are in no way appealing to large banks or major investors. Kenya’s M-PESA succeeded because it leveraged an existing network of agents and vendors. Bitcoin does not remove the need for extensive networks of agents in remote locations who can provide physical cash to those seeking remittances in a local currency. There are also questions about the viability of Bitcoin in countries with poor technology infrastructure (i.e. poor cellular coverage or lack of broadband Internet in rural areas).

Traditional banks need to come to the table. Traditional banks in the Caribbean have shown little to no interest in embracing Bitcoin or distributed ledger technologies. They see it as a threat to their monopoly over transaction-based services, instead of as an opportunity to revolutionize their operations. Globally, mobile banking is overtaking branch-centered activity more and more – for example, in Norway, 91% of the population use online banking channels. The explosion of fintech companies that are ‘unbundling’ traditional banking functions, added to the maturity of the first generation of Internet banking solutions, is hastening this trend. Consequently, the amalgamation of omni-channel banking, fintech platforms, and open APIs is blurring the lines between traditional and alternative finance. New banking institutions such as Skandiabanken are making strides towards accepting Bitcoin and its altcoins as trustworthy assets. If this trend is sustained, expect cryptocurrencies to become more firmly implanted in the evolving fintech landscape. Legislators will then be under tremendous pressure to develop comprehensive proposals for regulating a new asset class. It will also have the net effect of encouraging the development of the next generation of cryptocurrency-based services.

Bitcoin may be better off as a back-office solution. The transparency and auditability features of distributed ledger technologies like Bitcoin could address a number of different challenges in the financial services industry. It could address the de-risking issues that are seriously impacting the Caribbean region. It could reduce compliance expenses, given that banks and other financial institutions need dedicated personnel to ensure that regulatory requirements are being met or to respond to regulator audits. It offers the potential of instantaneous movement and settlement of funds, which is appealing to merchants with regards to working capital requirements, given they presently have to wait 2-3 days for each payment. As it pertains to customer service costs, fraud reduction decreases the number of incoming calls, and improved auditability leads to faster responses to customer queries. For instance, utilizing Bitcoin at the core of a payment gateway that integrates with existing core banking applications to facilitate international wire transfers would result in significant cost savings (it would also eliminate the need for correspondent banks and provide real competition for the monolith that is SWIFT). Combining these savings with others would allow financial institutions to better service lower income customers. Akin to the underlying protocols behind email, Bitcoin can drive common services, and users will never have to interface with it directly.

Smaller countries do not have Bitcoin liquidity. Many fintech startups have failed because emerging economies – especially small island developing states (SIDS) – have serious challenges with Bitcoin liquidity. For example, there are some realistic obstacles that weaken Bitcoin’s efficacy as an apparatus for remittances. Remittances demand that a liquid market exists between Bitcoin and the receiving nation’s currency. Liquid currency markets tend to be strongest in countries with robust market institutions and entrenched local intermediaries. Countries that depend on remittances usually don’t have such institutions for their national currency, far less a totally new virtual currency. This is why the leading mobile money players are focusing on airtime top-ups, bill payment, and peer-to-peer (P2P) transfers. These are alternative forms of value that can surface in countries lacking adequate infrastructure or access to cryptocurrencies and immediately help the poorest. Many of these applications can run on feature phones and use basic SMS technology to enable movement of digital value. It will take a long time before the really poor become familiar with Bitcoin, and even longer for them to actually care about it. Conversely, it ought to be the shining star in the constellation of financial inclusion, and fintech should be engaging in the heavy lifting to develop policies today that will positively impact everyone, not just the wealthy.

Financial inclusion is more than remittances. If I got a dollar for every Bitcoin enthusiast who waxes poetic about ‘Bitcoin’, ‘financial inclusion’ and ‘remittances’, I would be a wealthy man. The truth of the matter is that financial inclusion is a complex issue, difficult to evaluate due to the diverse viewpoints that have to be considered to understand and quantify it. While there is no de facto definition of financial inclusion, there are three elements that are most important: access, use, and quality of financial services. Moreover, besides remittances, financial inclusion also includes micro-credit, micro-insurance, cooperatives, peer-to-peer lending, rural/agricultural credit, mobile money, mobile vouchers, and a number of other alternative financial services. Financial inclusion is multi-faceted, and Bitcoin has yet to distinguish itself in any of the aforementioned categories. What it does is position itself as a potential alternative payments system, but it has yet to effectively demonstrate how it will deliver financial inclusion tangibly and comprehensively.

From the architecture and engineering perspectives, Bitcoin is not a ‘finished product.’ The cost of Bitcoin transactions depends on network demand and capacity at a given time. While the number of transactions employing Bitcoin has gradually risen in the last couple of years, the processing capacity of the network (that is, the volume of transactions that can be processed per second) has remained static. In layman’s terms: if transaction volumes continue on this steady trajectory without a corresponding increase in processing capacity, transaction fees will quite possibly surpass those of traditional banking services. Additionally, wait times for transactions to be completely processed have become increasingly unreliable. Contributing to these performance issues are the built-in limits on the number of transactions that can be processed at a given time. Bitcoin was not built to scale, because all of its transactions and smart contracts exist on a single public blockchain, rather than on state channels. State channels are two-way transaction channels between users or between machines. The problem of how to increase the processing capacity of the network, while simultaneously preserving its critical decentralized features, is one that needs a near-term resolution. These early ‘teething problems’ emphasize some of the important architecture and engineering decisions that have to be made before Bitcoin can be viewed as a reliable platform for the world’s poorest.

The Caribbean region has serious online trust issues. Trust is a social, economic and political binding instrument. When trust is absent, all kinds of societal afflictions unfold – including paralyzing risk-aversion. In 2016, OAS and IDB published a report titled, ‘Cybersecurity: Are We Ready in Latin America and the Caribbean?’ Researchers conducted assessments of 13 Caribbean nations, including Bahamas, Barbados, Jamaica, and Trinidad & Tobago. The methodological framework covered ‘Culture & Society’, and one of the key findings that emerged was the extremely low levels of online trust in the region. More specifically, very high percentages of the populations in the countries surveyed did not trust the Internet as a whole. When you drill down into the data, the findings are even more alarming: Caribbean people do not trust that their online activities aren’t being monitored, they do not trust their service providers, they do not trust social networks, they do not trust their search engine provider, they do not trust companies to keep their personal data safe and secure, and most relevant — they do not trust online and mobile banking platforms. Culture is extremely difficult to change; it comprises an interlocking set of goals, roles, processes, values, practices, attitudes and assumptions. It is essentially the DNA of a country. Tossing all other issues aside, getting the residents of Caribbean nations to trust in Bitcoin may be the hardest obstacle to overcome.

Conclusion

History has shown that two factors affect how a foundational technology and its commercial applications evolve. The first is novelty – the extent to which any technological use case is new to a market or to the world at large. The more novel it is, the more effort needs to be expended on ensuring that consumers understand what problems it realistically solves. The second is complexity, characterized by the amount of ecosystem coordination required – the quantity and diversity of actors and stakeholders that must collaborate to create value with the technology. For example, a social network with a single member is useless; its value increases only when your friends, family, colleagues, etc. have signed up. Other users of the application must be ‘converted’ to generate value for all involved. The same holds true for distributed ledger technologies like Bitcoin. And, as the scale and impact of such applications increase, large scale uptake will necessitate major social, legal, and political change.

Virtual currencies must be perceived as simple, instinctive, and easy to use even in the most functionally and financially illiterate parts of the world. Talking heads often promote financial literacy and educational programs as the lynchpin in transitioning poor people to technology-based money. But the most effective adoptions happen when people learn by imitation. So, to truly demonstrate its value, Bitcoin must become ubiquitous. People should observe its use by rich and poor alike, and in developed and developing countries, in really similar ways. No one offered Internet literacy classes or programs when the technology was introduced 30 or so years ago, but Internet usage skyrocketed as the costs fell sufficiently low. Now more people use the Internet than any other technology ever known to man. Along the same vein, Bitcoin is likely to grow when middle-class consumers start using it regularly, even when transacting with the poor. My fear is that Bitcoin and its value chain are not up to the task.

Bitcoin is a commercial application or use case, but blockchain is the foundational technology (like TCP/IP which is at the core of the Internet). And similar to the Internet in the late 1990s, we have no clue how the blockchain will evolve, but I am certain that it will. Much like the Internet, blockchain must also be permitted to grow without restrictions. This will require awareness, competency, and recognition that the core technology and the applications that run on it are not the same. TCP/IP enables several financial applications that are regulated, but TCP/IP is not regulated as a financial instrument. Blockchain should be treated similarly. While the most popular and pervasive use case for blockchain today is Bitcoin, this will not be the case in a couple of years. Had Internet regulation been heavy-handed in the initial stages, humanity would have been deprived of many innovations that have become embedded in our daily existence. Blockchain is no different. Disruptive technologies seldom fit neatly into the confining spaces of regulatory oversight, but inflexible regulatory frameworks have continually stifled innovation. Chances are that innovations in distributed ledger technologies will outpace legislation. Let’s not retard their progress.

The State of Cybersecurity 2017 – Simplicity 2.0 Podcast

“Cybersecurity is a constant challenge for businesses. Niel Harper, Managing Director of Octave Consulting Group, shares tips to protect your company’s infrastructure from security threats, and offers ways to stay a step ahead of malware, hacking, and other attacks.”

I recently sat down with the Economist Group and Laserfiche (Simplicity 2.0 Podcast) to discuss the management of cybersecurity risks. These types of interviews tend to get very abstract, so I purposely wanted to touch on topics that would resonate with both corporations and end users.

The podcast in its entirety can be found here.

6 Tips for Protecting Against Ransomware

The Internet Society has been closely monitoring the ransomware cyber-attacks that have been occurring over the last couple of days. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, exploits a flaw in Microsoft Windows that was first reportedly discovered by the National Security Agency (NSA). A group of hackers leaked the code for exploiting this vulnerability earlier this year, and a fix or patch was available as far back as March 2017. Since Friday, 200,000 computers in 150 countries have been compromised using this exploit. The numbers are expected to grow exponentially as people settle back into their work routines and regular use of computer systems this week. As part of our continuing work in online trust and security, there are some key takeaways from this incident that we want to leave with our community.

Firstly, we want to highlight the extremely negative effects which government stockpiling of vulnerabilities and zero day attacks has on the overall security of the Internet. With over 60 countries known to be developing growing arsenals of cyber weapons, and with many of these exploits leaking into the public domain, the potential for widespread damage is a massive cause for concern. The impact is not only economic in terms of financial loss, but social in terms of how it impacts end user trust, and most importantly human in terms of loss of life (especially given that ransomware attacks have been focusing on hospitals). And with critical infrastructure like power plants, dams, and transportation systems being targeted in nation state cyber offensives, the threat to human life increases exponentially.

Secondly, it would appear that some hospitals are easy targets for ransomware attackers. Their systems house data that is critical to patient care and management, and many of these institutions don’t have the IT resources to support critical process areas like vulnerability management, patch management, business continuity management, etc. In general, hospitals are also now adapting to digital realities and a number of them are playing catchup with regards to cyber readiness. However, the aforementioned challenges are not unique to hospitals, and are faced by many small and medium enterprises (SMEs), and in several instances, large corporations. Individual users are also targeted based on their generally poor Internet hygiene or lack of security awareness.

We want to take this opportunity to emphasize the importance of good online security practices when accessing the Internet. So here are 6 basic tips for protecting against ransomware:

1. Employ strong, multi-layered endpoint security – Using endpoint security that can protect web browsing, control outbound traffic, protect system settings, proactively stop phishing attacks and continuously monitor for anomalous system behavior will allow for better protection of servers, laptops, tablets, and mobile devices.

2. Maintain regular backups of your critical data – Backups can help you to protect your data from more than just ransomware. Other risk events such as malware, theft, fire, flood or accidental deletion can all render your data unavailable. Be certain to encrypt your backed-up data so it can be effectively restored. Backups should also be stored at an offsite location isolated from the local network.

3. Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware.

4. Patch your systems regularly – Patching your systems for vulnerabilities reduces the opportunities for hackers to infect you with ransomware. The fact that a patch was available for the WannaCrypt vulnerability since March highlights the somewhat lax attitude by organizations and individuals to keeping their system patches up to date. That being said, patch management is a complex activity and can impact the availability of key systems. Hence, thorough testing must be conducted to avoid unplanned downtime.

5. Disable macros if possible – Many forms of ransomware are distributed in Microsoft Office documents that attempt to trick users into enabling macros. There are a number of tools available that can limit the functionality of macros by preventing them from being enabled on files downloaded from the Internet.

6. Be aware and vigilant – For individuals, don’t assume that only techies need to know about all the recent malware and trends in online attacks. Subscribe to mailing lists that provide information on common vulnerabilities and exposures. In the case of organizations, developing an information security awareness program is an integral part of improving overall security posture.
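The "tools" mentioned in tip 5 can be as simple as the Office policy value that blocks macros in files carrying the mark-of-the-web. The PowerShell below is an added example, not code from the original post or from the Internet Society: it audits and then enforces that per-user policy for Word, Excel and PowerPoint (assuming the Office 2016 and later policy path, version 16.0, and a Windows host), and shows how to read the Zone.Identifier stream that marks a file as downloaded from the Internet.

```powershell
# Added example: enforce and audit the Office policy
# "Block macros from running in Office files from the Internet" for the current user.
# Assumptions: Office 2016/2019/365 (policy hive version 16.0); Windows PowerShell 5.1 or later.

$OfficeVersion = '16.0'                      # assumption: Office 2016 and later use the 16.0 policy path
$Apps = 'Word', 'Excel', 'PowerPoint'
$ValueName = 'blockcontentexecutionfrominternet'

function Get-MacroInternetBlockState {
    # Returns one object per Office app stating whether the policy DWORD is set to 1.
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $value = $null
        if (Test-Path $path) {
            $item = Get-ItemProperty -Path $path -Name $ValueName -ErrorAction SilentlyContinue
            if ($item) { $value = $item.$ValueName }
        }
        [pscustomobject]@{
            Application  = $app
            RegistryPath = $path
            Blocked      = ($value -eq 1)
        }
    }
}

function Set-MacroInternetBlock {
    # Creates the policy key if it is missing and sets the DWORD to 1 (block).
    foreach ($app in $Apps) {
        $path = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-DownloadedFromInternet {
    # The policy above keys off the Zone.Identifier alternate data stream (mark-of-the-web).
    # ZoneId 3 is the Internet zone and 4 is Restricted sites; files without the stream
    # (e.g. copied from a local share) are not covered by the policy, which is why tip 3
    # (not opening unsolicited attachments) still matters.
    param([Parameter(Mandatory)][string]$Path)
    $zone = Get-Content -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $zone) { return $false }
    $zoneId = ($zone | Where-Object { $_ -match '^ZoneId=(\d+)' } | ForEach-Object { [int]$Matches[1] })
    return ($zoneId -eq 3 -or $zoneId -eq 4)
}

# Audit, enforce, then re-audit.
Get-MacroInternetBlockState | Format-Table -AutoSize
Set-MacroInternetBlock
Get-MacroInternetBlockState | Format-Table -AutoSize

# Check a document in the Downloads folder (path is a placeholder; adjust to a real file).
$sample = Join-Path $env:USERPROFILE 'Downloads\invoice.docm'
if (Test-Path $sample) {
    "Mark-of-the-web present on ${sample}: $(Test-DownloadedFromInternet -Path $sample)"
}
```

Deploying the same value under HKLM via Group Policy is the usual way to enforce it fleet-wide; the per-user setting here is suitable for a single workstation or for auditing what policy has applied.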

Finally, we want to touch on the important work being done by the Online Trust Alliance (OTA), the Internet Society’s newest initiative. The OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. With regards to preventing ransomware attacks, OTA has developed a number of industry best practices that address key threat areas such as email authentication and incident response. These are as follows:

Email Authentication: https://otalliance.org/resources/email-security

Domain-based Message Authentication, Reporting & Conformance (DMARC): https://otalliance.org/dmarc

Cyber Incident & Breach Response: https://otalliance.org/resources/cyber-incident-breach-response

Additional OTA best practices, resources and guidance to help enhance online safety, data security, privacy and brand protection can be found here.

The Spam Toolkit developed by the Internet Society also provides some guidance on addressing online threats.

The Internet Society is committed to the enhancement of online trust, and our work along this vein spans multiple areas. Our goal is to continue to provide our individual members, organizational members, chapters, partners, and other constituents with timely and relevant information and resources that equip and empower them to act.

My original blog article was published on the Internet Society website at: http://bit.ly/2qMuQ4U

8 Reasons Why Cybersecurity Strategy and Business Operations are Inseparable

In modern society, there is one fact that is unquestionable: The hyper-connectivity of the digital economy is inescapable. A financial institution without an online presence or omni-channel strategy will cease to be competitive. Universities (for-profit or non-profit) must develop and continuously evolve their online learning capabilities if they are to stay relevant. Online retailers are quickly outpacing and rendering their ‘brick-and-mortar’ counterparts irrelevant. Travel agents have been largely relegated to dinosaur status in this era of online travel search aggregators and booking portals. A payments ecosystem mostly dominated by major card networks and processors now includes closed loop systems such as Apple Pay, Google Wallet and others. When we add the Internet of Things (IoT), robotics and artificial intelligence (AI) to the mix, the networked society has become a monolith that we simply cannot ignore.

What is most concerning about the ubiquity of technology is the multitude of cyber threats which organizations and individuals have to contend with. While the risks to individuals are relatively high with respect to invasion of privacy, identity theft and financial loss, cyber-attacks can have a particularly critical impact on businesses. Depending on market and jurisdictional realities, the consequences can include heavy regulatory penalties, plummeting stock prices, lawsuits or mass layoffs; the effect on a company’s bottom line can be catastrophic.

But how are corporations responding to this ever-evolving threat landscape? The resulting strategies fall mostly into the following categories. There are the large organizations which employ the ‘3 lines of defense’ approach, where an IT department owns and manages cyber risks, the operational risk and/or compliance departments specialize in risk management (including cyber), and the internal audit function provides independent assurance that cyber risks are being effectively managed. This approach is resource intensive and demands highly specialized (and costly) personnel. There are the generally under-staffed companies that limp along from day to day reacting to cyber-attack after cyber-attack, many of them not even aware that their systems and networks have been compromised. And finally, there are the SMEs that basically stick their heads in the sand and pretend that their operation is too small or insignificant to be the target of cyber criminals.

More often than not, business leaders across the board fail to recognize that cybersecurity is no longer the domain of the IT organization. Cybersecurity strategy is now business strategy, and the response to cyber threats is the responsibility of every individual that works for or runs a company. And here are 8 key reasons why this is undeniably the case:

  1. Corporate governance – A 2016 survey by Goldsmiths that included responses from 1,530 non-executive directors and C-level executives in the United States, United Kingdom, Germany, Japan and Nordic countries showed that 90% of respondents admitted to not being able to read a cybersecurity report and were not prepared to respond to a major attack. Even more worrisome was the fact that over 40% of executives did not feel that cybersecurity or protection of customer data was their responsibility. Let that sink in for a moment. This is why ensuring that cybersecurity is a running topic at executive and board level meetings is imperative for organizations. Even more, greater ownership should be ascribed to all levels of personnel for cyber risks. Cybersecurity culture is a collective effort that starts at the top and works its way down through the organization.
  2. Regulatory and legal compliance – Certain industries like banking, healthcare and energy are subject to heavy regulatory burdens. And many of these regulations include requirements pertaining to privacy, data protection, and network security. In the US there are HIPAA, Gramm-Leach-Bliley, and FISMA. The EU has the NIS Directive and the GDPR. To address cross-border data flows between the EU and the US, there is Privacy Shield. To comply with this multitude of regulations, deep cyber and risk management capabilities must be embedded across organizations. Failure to do so can affect a company’s ability to stay in business. Period.
  3. Competitive advantage – Developing robust and effective internal controls to safeguard against cyber-attacks can equate to market leadership, brand strengthening, and product / service differentiation. For example, as more businesses look to AI, IoT and robotics to streamline processes and improve business performance, ensuring that these technologies are secure can increase revenues and drive bottom-line performance. In this respect, shareholders must not only expect cyber excellence, they should demand it.
  4. Financial management – There is clearly a direct correlation between cyber-related risk events (e.g. reputation damage, business disruption, fines, etc.) and financial loss. The severity and impact of such risks can be mitigated by integrating business strategy with cybersecurity strategy. The importance here is even more pronounced given the global economic downturn and depressed profits being experienced by several businesses.
  5. Public safety – An increasing number of companies are delivering products/services in the areas of smart grids, smart cities, automated public transit, power installations, autonomous vehicles, etc. Possessing core expertise in the alignment of cybersecurity and business operations will set these organizations apart in their respective market environments in terms of public safety. There are also distinct national security implications when we think of these technologies in the context of potential threats to human life.
  6. Business development – In 2004, the global cybersecurity market was valued at $3.5 billion. In 2017, it is now estimated to be worth $120 billion. But this value is primarily based on the number of products and services delivered. And while there is huge growth potential within the existing paradigm, there is a massive economic opportunity in fostering a commercial ecosystem built on online trust. Take for example the growing popularity of global trust audit and scoring offerings. Increasingly, more and more organizations are developing solutions to combat the proliferation of fake news. As it relates to IoT, consortiums are being formed to fill the security gaps in product design (i.e. existing markets can be strengthened through collaboration and coordination). And these are just a few examples of the emergent market for Trust-as-a-Service (TaaS).
  7. Corporate social responsibility – There are numerous benefits to CSR programs, ranging from enhancing brand loyalty to securing and retaining investors to attracting/retaining engaged and productive employees. So along that vein, social responsibility investment in cyber-related areas such as child online protection, secure coding for women, hackathons and cybersecurity research is a savvy approach to cementing market position. As a result, companies can promote good security as a selling point for their products and services, create a pipeline for the best cybersecurity talent, and leverage their cyber-specific supply chains to build consumer trust.
  8. Mergers & acquisitions – Businesses must recognize the importance of cybersecurity due diligence in the M&A process. Due to a low standard for due diligence, several corporations find out about major cyber incidents only after an acquisition deal has gone through. In actuality, serious cybersecurity issues around compliance, data breaches, poor security architecture or the absence of incident response processes should be uncovered before finalizing a transaction. In the case of Verizon’s acquisition of Yahoo!, the final offer was cut by almost $400 million due to revelations about cybersecurity incidents. A 2016 survey by the NYSE indicated that over 50% of respondents regarded major security vulnerabilities as a ‘show stopper’ for a merger or acquisition.

Considering that end users are generally regarded as the weakest points in cyber defenses, logic dictates that cybersecurity should begin with the individual. Every single employee must be engaged and involved in defending the organization from online threats. It is they who most often access enterprise applications, networks and devices, and will undoubtedly serve as the first line of protection against hackers. Executives and board members are targeted due to their access to key digital assets; and because of the traditional fortification of the network perimeter, line workers are the focus of threat agents seeking to gain entry into the network or escalate their privileges to access sensitive information. Indeed, both executives and employees represent vectors to the same ultimate objective – the compromise of internal systems and access to critical data. Hence, development of an effective cybersecurity strategy must involve tight coupling of security practices with business operations to bolster an organization’s overall security posture. The most damaging misstep organizations can make – and often do – is relegating this function to an understaffed and underfunded IT department.

ICT PULSE: Cyber threats and security in the Caribbean 2017 update – Interview with Niel Harper

ICT Pulse: Niel, give us a quick recap of what have been the most prevalent types of incidents in Barbados and/or in the Caribbean region over the past year or so? How has the threat landscape changed?

Niel Harper: Michele, it’s always difficult to quantify or qualify the number and types of cyber incidents that occur in the Caribbean because there are no mandatory breach notifications or transparency obligations in the various jurisdictions across the region. As such, public and private sector organizations do not notify the general public or individual data subjects when networks or personal data stores are compromised (yes I have said this a number of times, but it is still relevant and quite important). That being said, ransomware attacks have been quite prevalent across the region, and particularly targeting hospitals, educational institutions, government systems, financial services, and small-to-medium enterprises with insufficient resources to adequately respond to cyber threats.

ICTP: Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?

NH: On a regional (and global) scale, ransomware has continued to be the most persistent business model for cybercriminals. One of the key reasons that ransomware has remained a major threat is because the tools used to initiate attacks are being continuously evolved and improved. For example, there was an over 150% increase in new ransomware variants in the first half of 2016. Moreover, cybercriminals are now operating Ransomware-as-a-Service (RaaS) with lower buy-in costs that allow less tech-savvy perpetrators to distribute ransomware. And the success of ransomware attacks is high because related exploit kits have been popping up more and more on legitimate websites.

ICTP: What are some of the new and emerging threats of which we should be more aware? And are there any particular areas of concern that you have for Caribbean organizations?

NH: One of my biggest concerns with regards to new and emerging threats is that nation states are increasingly developing offensive cyber capabilities, essentially weaponizing exploits and actively eroding trust online through disproportionate mass surveillance, targeted attacks, and information manipulation (fake news). On the other hand, threat actors are ramping up attacks against hardware and firmware vulnerabilities in processors, DRAM technologies, BIOS, and in firmware on devices such as USB, chargers, and external hard drives. IoT malware is on the rise and threatening individual privacy via regular household appliances and consumer devices. In 2017, ransomware continues to grow, and malware authors are focusing their efforts on mobile devices — attacking data repositories both on devices and in the cloud. ‘Dronejacking’ has become a growing threat with a noticeable increase in attacks due to consumer drones shipping with weak protection mechanisms. While not necessarily a new or emerging threat, the pervasive insecurity of IoT devices is fueling the perpetual threat of DDoS attacks, especially against ISPs with unsecured services such as DNS and BGP. All of these threat areas should be of concern to Caribbean organizations and individuals due to increased use of Internet-enabled devices at home and in the workplace.

ICTP: At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders for something to be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?

NH: I think the challenges with regards to cybercrime and cybersecurity are pretty constant across the Caribbean region — so I won’t just focus on Barbados. While I think that awareness is increasing, I am deeply concerned that the response to these issues across CARICOM and the broader region is (still) severely lacking. For one, the vast majority of the countries in the Caribbean do not have a national cyber crime strategy. This includes legislative reform (e.g. computer misuse, data protection, privacy, e-commerce, etc.), incident response capabilities, threat intelligence sharing, cybersecurity education & training, and other important elements. The HIPCAR project to harmonize regional cyber legislation ended around 2012, and most countries have still not updated their national laws. That being said, this may actually be an opportunity as the final outputs from the project were largely inadequate, and regional leaders should now be looking towards options like signing on to the Budapest Convention and/or modeling new data protection laws on the EU’s General Data Protection Regulations (GDPR).

ICTP: Does it even make sense for small companies to send their network administrators to security training courses when security is not their full-time job, and given the pace at which the security landscape is changing? Or should such companies just accept the fact that they need to outsource this function?

NH: This is a very good question. A network administrator is employed to oversee the smooth and effective running of the company’s system environment. However, this individual cannot successfully meet the demands of their job if the environment is not adequately secured. Hence, in my opinion, a top-tier network administrator should be trained on security to properly round off his/her capabilities and deliver real value to the organization. However, the tricky aspect is that small businesses generally can’t afford to hire network administrators with such a diverse skill set or to finance security-related training, so outsourcing then becomes the only viable alternative. But then outsourcing of such a sensitive role may not be cost-effective and bring with it an entire new set of risks. It’s somewhat of a Catch 22.

ICTP: Do you agree that user naiveté is the number one security threat facing organizations? If not, what do you think is the most significant threat?

NH: I strongly contend that end users remain one of the biggest threats to online security due to their lack of awareness, poor judgement and carelessness with password management, sharing devices with others, accessing unprotected and open public networks, downloading files and apps from untrusted sources, visiting unknown websites and clicking on fraudulent links. However, an increasingly connected society, coupled with a highly complex and constantly evolving threat environment, makes it extremely difficult for an inexperienced end user not to be the weakest link in the chain of trust. This is why end user awareness and training programs are so critical in combating cyber threats.

ICTP: Should any organization still be using tapes for data backup purposes?

NH: I totally understand why this question would be asked, especially given the widespread availability and popularity of alternatives like cloud backups, disk-to-disk backups, low-cost NAS backups, and others. However, I still think that tape backups should be used for a number of reasons. Firstly, newer LTO technologies are allowing for higher capacity, greater transfer rates, and lower total cost of ownership — SMEs generally can’t afford the large Internet pipes or expensive hardware/software required to support cloud and disk-to-disk backups. Tapes also have better reliability (error-rate) and longevity than disks. Additionally, tapes are highly portable with regards to moving them offsite to support disaster recovery. Tapes can also be combined with disk-to-disk or cloud backups to increase the robustness of disaster recovery solutions (e.g. when Internet connectivity is unavailable or data center locations are inaccessible due to a major incident). Other areas where tapes are superior to disks are scalability and backward compatibility.

ICTP: And finally, what are the top three (3) things businesses should be doing this year to improve their network/IT security?

NH: An important undertaking for organizations in 2017 should be to hire someone who has a strong skill set in the area of risk evaluation and management — an expert who can take a holistic look at the business to identify and qualify/quantify risk exposures and impacts, decide which risks can be accepted, and develop mitigating actions for those that can’t.

Secondly, businesses need to implement a toolset that provides them with greater visibility into security events and information throughout their IT environment. This should include logs and events from firewalls, intrusion detection/prevention systems, endpoint security, operating systems, network devices, databases, file integrity checkers, and data loss prevention or digital rights management solutions. IT personnel need to be able to identify anomalies across the organization, and proactively address intrusions before they occur or effectively detect and respond to those that have already happened.

Thirdly, businesses should rationalize and implement a cloud strategy (if they haven’t done so already). Cloud-based solutions provide a more affordable solution than traditional on-premises systems. And while they have their own distinct set of associated risks, cloud-based services have become increasingly more secure and reliable over the last couple of years. To ensure that they are well protected when migrating to cloud services, businesses must focus concerted attention on the service level requirements which their cloud partners must adhere to. Key areas such as jurisdiction, data ownership, security standards, availability, performance, data portability, right to audit, exit clauses, change management and problem management should not be neglected. A robust service level agreement (SLA) is pretty much an insurance policy when entering into a cloud services partnership.

The original interview can be found on the ICT Pulse website at: http://bit.ly/2oCxMzM

From Fragmentation to Integration to Harmonization: Outlining the Requirements for Effective Cyber Legislation Approach Across CARICOM States


The Caribbean Community (CARICOM) is comprised of 15 Member States. Its chief purposes are to promote economic integration and cooperation among its members, to ensure that the benefits of integration are equitably shared, and to coordinate foreign policy. As it relates to cybersecurity, there are several programmatic deficiencies and significant fragmentation of efforts across Member States, primarily with regards to legislation.

There has been limited research exploring the regional harmonization of cyber laws across CARICOM. For example, some authors have touched on cyber-readiness at a high level, examining the cyber response capabilities of a few countries in the Caribbean region. However, these academic works have not provided an in-depth analysis of cyber legislation or enunciated the key requirements for legal reform. Others have broadened the scope of their cyber-readiness research to include Latin America and the Caribbean. However, lumping the Caribbean together with Latin America with regards to harmonized cyber legislation can be problematic due to factors such as history, language, traditionally weak political and commercial ties, size of countries, and disparate economic scenarios. In general, it must also be mentioned that cyber-readiness indicators don’t actually translate into a successful legislative framework or adequate protections against threat actors. Studies also fall short in articulating why harmonization is necessary for CARICOM Member States, and how the region compares to the likes of Europe, Asia-Pacific, and Africa with regards to a harmonized cybersecurity legal framework.

The scholarly justification for this paper is to challenge the effectiveness of the existing fragmented approach by first explaining why a harmonized cybersecurity legislative framework is important. I will then discuss some of the legal challenges associated with such an undertaking. Next, I will perform a comparative legal analysis with other regions that have taken similar steps, and use this as a lead-in to a SWOT analysis of CARICOM’s present cybersecurity posture. And finally, I will propose a legal framework that enables stakeholders in CARICOM Member States to more capably respond to transnational cybercrime.

Keywords: Cybersecurity, Cybercrime, Harmonization, Fragmentation, Integration, Cooperation, Cyber legislation

Read the full academic paper at: http://bit.ly/2mu30IT