Tag: AI

Mismanagement of the BRA Breach: Incompetence is Expensive

nielharper

In this year’s budget, the Ministry of Finance, Economic Affairs, and Investment is asking for $36.9 million to cover the costs associated with managing last year’s data breach at the Barbados Revenue Authority (BRA). Given that the average cost of responding to a data breach in 2024 was USD $4.88 million (BBD$9.94 million), this quoted figure is exceptionally high and warrants a detailed examination.

Here’s my breakdown of why such an amount is considered excessive:

1. Financial Strain:

  • Depletion of Public Funds: $36.9 million is a substantial amount that severely depletes the country’s financial resources at a time the nation is struggling with heavy debt obligations and underperformance in key sectors. It more than likely will require budget cuts in other critical areas, halt planned projects, or even threaten the country’s ability to service existing debts or meet its overall financial needs.
  • Opportunity Cost: The money spent on data breach response could be better used for investments in economic growth, innovation, social services, workforce development, or other strategic initiatives that contribute to Barbados’ long-term success.
  • Citizen Impact: This is at its core an erosion of trust in government’s effectiveness in managing cybersecurity and data protection, and can have a knock-on negative impact in terms of reduced quality and investment in citizen services (e.g., education, healthcare, transportation, sewage, housing, etc.), increased public debt, additional taxes, and hindered development.

2. Cost-Benefit Analysis:

  • Value of Data: It’s essential to compare the recovery cost with the actual value of the compromised data. I am certain no quantitative assessment was performed by the government to determine the cost of the data. In this case, the data might not be worth $36.9 million, making the recovery expenditure disproportionate.
  • Potential Losses: While data breaches can lead to financial losses, including regulatory fines, legal fees, and compensation to individuals harmed by their data being misused or abused, it’s crucial to estimate these potential losses accurately. A $36.9 million recovery cost in my opinion exceeds the estimated losses the government would have otherwise incurred.

3. Inefficiencies and Overcharging:

  • Vendor Pricing: Given my experience managing data breaches over the last 20+ years, unscrupulous vendors usually exploit the urgency and panic surrounding a breach to inflate their prices. This appears to be the case in this instance (given that the government has limited cybersecurity capabilities and little to no experience responding to breaches).
  • Scope Creep: Recovery efforts can sometimes expand beyond the initial scope, leading to unnecessary expenses. There’s no doubt in my mind that the government did not have defined security incident response procedures or objectives, which led to the recovery scope being too wide and unconstrained to avoid cost overruns.
  • Ineffective Strategies: The chosen security incident response strategies were poorly defined and inefficient, leading to prolonged recovery times and increased costs.

4. Failure of Prevention:

  • Security Gaps: As I have said numerous times, the government does not have the capabilities in place to secure the technologies that they have implemented, and this $36.9 million bill confirms these significant weaknesses in their cybersecurity infrastructure and practices. It raises questions about why they have failed to implement the numerous detailed security strategies provided to them over the last decade by the European Union (a project which I led), International Telecommunications Union (ITU), Organisation of American States (OAS), and others.
  • Missed Opportunities: Investing in robust cybersecurity measures, such as firewalls, intrusion detection systems, personnel training, and regular security audits, could have prevented the breach or minimized its impact, potentially saving millions of dollars in recovery costs. And while investments have been made in some of these areas, the implementation of the solutions have left a lot to be desired.

5. Reputation Damage:

  • Public Perception: While the financial cost is significant, the reputation damage from the BRA data breach doesn’t seem to be substantial. While the breach was severe, involved sensitive data, and came on the heels of the cyber-attacks against the Queen Elizabeth Hospital and many other government departments, there are many residents who still don’t seem to understand how dire the government’s cybersecurity situation really is.
  • Public Trust: The constant data breaches impacting public services and citizens’ data have a detrimental effect on public trust (which is already low). This will prevent the uptake of digital services being implemented by the government as well as reduce the confidence in e-commerce as a whole. Basically, it jeopardises the entire digital transformation agenda of this administration and the ability of Barbadians to reap the associated benefits.

In conclusion, while data breach recovery is a necessary expense, $36.9 million is an exorbitant amount that warrants careful scrutiny. It’s crucial that the Public Accounts Committee (PAC) and the Office of the Auditor General conduct a thorough investigation, evaluating vendor pricing, identifying inefficiencies, and addressing underlying security vulnerabilities to ensure that recovery efforts in the future are effective and cost-efficient.

New ISACA Research: 63 Percent of Privacy Professionals Find Their Jobs More Stressful Now Than Five Years Ago

nielharper

The ISACA State of Privacy 2025 survey report, which gathered responses from over 1,600 privacy professionals globally, revealed that 63% of these professionals find their roles more stressful than they were five years ago, with 34% reporting a significant increase in stress levels. The primary sources of stress identified in the survey were the rapid pace of technological advancements (63%), difficulties with compliance (61%), and a lack of resources (59%).

“In an increasingly complex international regulatory environment, often with lacklustre resources, it is understandable that many privacy professionals are feeling strain from their efforts to stay compliant and keep their organizations’ data safe. Addressing these challenges and getting practitioners the support they need will be vital to not only ensure a healthy privacy workforce, but also to maintain data integrity and security, and avoid potential harm to data subjects.” I made these comments via BusinessWire on the report to emphasize not only the challenges associated with implementing privacy programs, but also the importance of organizations demonstrating their commitment to data governance, data ethics, privacy rights, and overall digital trust.

With AI, the privacy landscape has changed dramatically, including the regulatory burdens for companies. Continued leadership in the boardroom, at the executive level, as well as embedding privacy principles in organizational values is integral to nurturing the trust relationship between enterprises, their customers, and society at large.

Dispelling the Myths of Defense-Grade Cybersecurity

nielharper

Defense-grade cybersecurity solutions are specifically designed to provide advanced protection against sophisticated threats but there are many misunderstandings about this level of protection. 

Sectors like finance, healthcare and critical infrastructure can use battle hardened defense-grade cybersecurity to tackle today’s cyber threats.  

In this webinar hosted by Infosecurity Magazine, I joined an expert group of panelists to uncover the truth behind common misconceptions about defense-grade cybersecurity, demonstrating its relevance, affordability, adaptability and effectiveness for organizations beyond the military or government.

We tackled myths such as, “defense-grade cybersecurity can’t stop APTs”, “it’s only for the government” and “it’s too complex and difficult to deploy”, providing insights into how modern defense-grade measures are accessible, scalable and essential for critical sectors.

We also discussed real-world applications of defense-grade principles, explaining how these solutions address today’s advanced threats.

Register to watch the on-demand recording at this link.