Tag: Cyber security

The Dangers of Relying on Security Theater

nielharper

In 2026, phrases like “We take security seriously” or “Your security is important to us” have become the ultimate red flags.

When companies lead with these lines in their PR, it often signals the opposite: Security Theater 🎭

As a global digital trust and corporate governance professional, I see this daily. Theater is easy; resilience is hard. Theater is about “checking a box” for a board mandate, audit finding, or customer requirement; resilience is about an internal ethos that guides every business decision.

How do you spot the actors? Here are 6 signs of a “Theatrical” security posture:

  • Non-Existent or Weak “Tone at the Top”: The attitude and commitment of the Board and C-suite dictates the security culture that governs every employee’s daily actions. When the tone at the top is weak, the security program in most every case fails.
  • Compliance as a Destination: Treating a SOC 2 or ISO certification as the finish line rather than the baseline. Attackers don’t care if you passed an audit; they care about your unpatched edge devices and unsecured cloud assets.
  • “Shadow IT” Amnesia: Bragging about a new “AI Policy” while employees are quietly feeding sensitive intellectual property into unmanaged non-enterprise LLMs, leveraging third-party code with no security gates or approvals, and using unapproved plugins or add-ons in browsers / IDEs / issue-tracking platforms that are vastly insecure.
  • The “Culture” Conundrum: Forcing employees through 10 minutes of outdated, boring video slides once a year and calling it a “Security Culture.” Real culture is when people believe in security and live it each day in their actions and decisions. This also goes for the businesses whose “developer culture” requires security leadership to be ‘flexible’ and to ignore heinous security practices by software developers.
  • MFA Mirage: Having Multi-Factor Authentication (MFA) enabled, but allowing so many “exceptions” for executives or legacy systems that the front door is essentially unlocked.
  • Asset and Configuration Management: No accurate inventories exist for hardware / software / data assets, the majority of enterprise devices aren’t running unified endpoint management (UEM) or endpoint protection, cloud assets and their configuration status are unknown, an embarassingly low number of critical assets have logging enabled, and hardening templates don’t exist across virtual servers / microservices / network devices.

Digital Trust isn’t a marketing slogan. It is a measurable KPI. In 2026, the market must shift to rewarding candor and specificity over “vague invulnerability.”

The companies that thrive won’t be the ones that never get hit – they’ll be the ones that had the integrity to build real defenses before the curtain went up.

Stop the performance. Start the protection.

Why the UK Government’s Loan Guarantee for JLR is a Cause for Concern

nielharper

A cyber-attack “severely disrupted” Jaguar Land Rover (JLR) vehicle production, particularly at its two main UK plants. JLR’s retail business was also significantly impacted for consumers ordering or taking delivery of new vehicles. To help the carmaker recover and protect jobs within its extensive supply chain, the UK government has decided to underwrite a £1.5 billion loan guarantee.

The government’s loan guarantee is concerning because it socializes corporate risk, essentially creating a taxpayer-funded safety net for private sector cybersecurity failures. While the goal of protecting 100,000 supply chain jobs is sympathetic, this decision undermines the core market incentive for all businesses to achieve robust security resilience.

1. Incentivizing Security Complacency

By being the first company to receive such significant government aid following a cyber-attack, JLR sets a worrisome precedent. It signals to other large, systemically important companies that serious investment in preemptive cyber-defenses is optional. If a major breach causes a costly production shutdown, the government may provide a financial parachute to protect the supply chain. This effectively lowers the cost of poor security planning for major corporations and shifts the financial burden of resilience onto the public purse.

2. Rewarding Inadequate Preparation

The scale of JLR’s shutdown (e.g., halting all production for weeks) suggests a critical failure in both cyber resilience and business continuity planning (BCP). Should a secure and resilient organization be able to isolate an attack and recover without weeks of total shutdown, minimizing impact on its supply chain? Do the loan guarantees reward the company for a recovery posture that was either slow, inadequate, or both? Is the public essentially paying for the gap between JLR’s security maturity and the highly disruptive level of the breach? Many questions arise and a deeper discourse is needed into whether or not the government should be bailing out private corporations for suboptimal cybersecurity posture.

3. Moral Hazard and Unintended Consequences

This action creates a significant moral hazard. The government is protecting the ultimate parent company, India’s Tata Motors, from the full financial consequences of the attack by backstopping a commercial loan via the Export Development Guarantee (EDG). Taxpayers assume the risk of JLR defaulting, shielding the multinational owner from a major cyber-loss event. This is especially controversial given that JLR’s massive profits would normally imply responsibility for maintaining its own cyber insurance and resilience fund.

In short, while the loan guarantee offers necessary short-term relief to small suppliers facing collapse, there is the potential long-term cost of the erosion of market pressure on large corporations to treat cybersecurity as a non-negotiable, self-funded business continuity imperative.

Mismanagement of the BRA Breach: Incompetence is Expensive

nielharper

In this year’s budget, the Ministry of Finance, Economic Affairs, and Investment is asking for $36.9 million to cover the costs associated with managing last year’s data breach at the Barbados Revenue Authority (BRA). Given that the average cost of responding to a data breach in 2024 was USD $4.88 million (BBD$9.94 million), this quoted figure is exceptionally high and warrants a detailed examination.

Here’s my breakdown of why such an amount is considered excessive:

1. Financial Strain:

  • Depletion of Public Funds: $36.9 million is a substantial amount that severely depletes the country’s financial resources at a time the nation is struggling with heavy debt obligations and underperformance in key sectors. It more than likely will require budget cuts in other critical areas, halt planned projects, or even threaten the country’s ability to service existing debts or meet its overall financial needs.
  • Opportunity Cost: The money spent on data breach response could be better used for investments in economic growth, innovation, social services, workforce development, or other strategic initiatives that contribute to Barbados’ long-term success.
  • Citizen Impact: This is at its core an erosion of trust in government’s effectiveness in managing cybersecurity and data protection, and can have a knock-on negative impact in terms of reduced quality and investment in citizen services (e.g., education, healthcare, transportation, sewage, housing, etc.), increased public debt, additional taxes, and hindered development.

2. Cost-Benefit Analysis:

  • Value of Data: It’s essential to compare the recovery cost with the actual value of the compromised data. I am certain no quantitative assessment was performed by the government to determine the cost of the data. In this case, the data might not be worth $36.9 million, making the recovery expenditure disproportionate.
  • Potential Losses: While data breaches can lead to financial losses, including regulatory fines, legal fees, and compensation to individuals harmed by their data being misused or abused, it’s crucial to estimate these potential losses accurately. A $36.9 million recovery cost in my opinion exceeds the estimated losses the government would have otherwise incurred.

3. Inefficiencies and Overcharging:

  • Vendor Pricing: Given my experience managing data breaches over the last 20+ years, unscrupulous vendors usually exploit the urgency and panic surrounding a breach to inflate their prices. This appears to be the case in this instance (given that the government has limited cybersecurity capabilities and little to no experience responding to breaches).
  • Scope Creep: Recovery efforts can sometimes expand beyond the initial scope, leading to unnecessary expenses. There’s no doubt in my mind that the government did not have defined security incident response procedures or objectives, which led to the recovery scope being too wide and unconstrained to avoid cost overruns.
  • Ineffective Strategies: The chosen security incident response strategies were poorly defined and inefficient, leading to prolonged recovery times and increased costs.

4. Failure of Prevention:

  • Security Gaps: As I have said numerous times, the government does not have the capabilities in place to secure the technologies that they have implemented, and this $36.9 million bill confirms these significant weaknesses in their cybersecurity infrastructure and practices. It raises questions about why they have failed to implement the numerous detailed security strategies provided to them over the last decade by the European Union (a project which I led), International Telecommunications Union (ITU), Organisation of American States (OAS), and others.
  • Missed Opportunities: Investing in robust cybersecurity measures, such as firewalls, intrusion detection systems, personnel training, and regular security audits, could have prevented the breach or minimized its impact, potentially saving millions of dollars in recovery costs. And while investments have been made in some of these areas, the implementation of the solutions have left a lot to be desired.

5. Reputation Damage:

  • Public Perception: While the financial cost is significant, the reputation damage from the BRA data breach doesn’t seem to be substantial. While the breach was severe, involved sensitive data, and came on the heels of the cyber-attacks against the Queen Elizabeth Hospital and many other government departments, there are many residents who still don’t seem to understand how dire the government’s cybersecurity situation really is.
  • Public Trust: The constant data breaches impacting public services and citizens’ data have a detrimental effect on public trust (which is already low). This will prevent the uptake of digital services being implemented by the government as well as reduce the confidence in e-commerce as a whole. Basically, it jeopardises the entire digital transformation agenda of this administration and the ability of Barbadians to reap the associated benefits.

In conclusion, while data breach recovery is a necessary expense, $36.9 million is an exorbitant amount that warrants careful scrutiny. It’s crucial that the Public Accounts Committee (PAC) and the Office of the Auditor General conduct a thorough investigation, evaluating vendor pricing, identifying inefficiencies, and addressing underlying security vulnerabilities to ensure that recovery efforts in the future are effective and cost-efficient.

Dispelling the Myths of Defense-Grade Cybersecurity

nielharper

Defense-grade cybersecurity solutions are specifically designed to provide advanced protection against sophisticated threats but there are many misunderstandings about this level of protection. 

Sectors like finance, healthcare and critical infrastructure can use battle hardened defense-grade cybersecurity to tackle today’s cyber threats.  

In this webinar hosted by Infosecurity Magazine, I joined an expert group of panelists to uncover the truth behind common misconceptions about defense-grade cybersecurity, demonstrating its relevance, affordability, adaptability and effectiveness for organizations beyond the military or government.

We tackled myths such as, “defense-grade cybersecurity can’t stop APTs”, “it’s only for the government” and “it’s too complex and difficult to deploy”, providing insights into how modern defense-grade measures are accessible, scalable and essential for critical sectors.

We also discussed real-world applications of defense-grade principles, explaining how these solutions address today’s advanced threats.

Register to watch the on-demand recording at this link.

Essential skills for today’s threat analysts

nielharper

“Skilled threat hunters can play a dual role for organizations, hunting for threat actors as well as ensuring budget is directed at tools and technology that will bolster the hunting capabilities, according to the SANS 2023 Threat Hunting survey. However, a lack of skilled staff is hampering the success of threat hunting efforts, according to the global survey of 564 respondents drawn from SOC analysts, security managers and administrators.

Adding to the task, threat hunters themselves are seeking more training, education, and support from management, the survey has found. As CISOs look ahead to 2024 and the cybersecurity challenges it will bring, what do they need from threat hunting teams and how should threat hunters themselves look to strengthen their skill set?”

Threat analysts play crucial roles in cybersecurity. Without them, it is near impossible to obtain actionable intelligence on potential threats, and other security professionals like security architects and security engineers have no way to effectively focus their efforts.

Demand for threat analysts is also growing and many enterprises have decidedly made threat analysis one of their top security priorities.

It was great speaking to Rosalyn Page about the critical skills that threat analysts need to be successful. She asks the most probing questions and has brought together the insights of several professionals into a solid article.

Check out Rosalyn’s article here.

6 Tips for Protecting Against Ransomware

nielharper

The Internet Society has been closely monitoring the ransomware cyber-attacks that have been occurring over the last couple of days. The malware, which has gone by multiple names, including WannaCry, WannaDecryptor, and WannaCrypt, exploits a flaw in Microsoft Windows that was first reportedly discovered by the National Security Agency (NSA). A group of hackers leaked the code for exploiting this vulnerability earlier this year, and a fix or patch was available as far back as March 2017. Since Friday, 200,000 computers in 150 countries have been compromised using this exploit. The numbers are expected to grow exponentially as people settle back into their work routines and regular use of computer systems this week. As part of our continuing work in online trust and security, there are some key takeaways from this incident that we want to leave with our community.

Firstly, we want to highlight the extremely negative effects which government stockpiling of vulnerabilities and zero day attacks has on the overall security of the Internet. With over 60 countries known to be developing growing arsenals of cyber weapons, and with many of these exploits leaking into the public domain, the potential for widespread damage is a massive cause for concern. The impact is not only economic in terms of financial loss, but social in terms of how it impacts end user trust, and most importantly human in terms of loss of life (especially given that ransomware attacks have been focusing on hospitals). And with critical infrastructure like power plants, dams, and transportation systems being targeted in nation state cyber offensives, the threat to human life increases exponentially.

Secondly, it would appear that some hospitals are easy targets for ransomware attackers. Their systems house data that is critical to patient care and management, and many of these institutions don’t have the IT resources to support critical process areas like vulnerability management, patch management, business continuity management, etc. In general, hospitals are also now adapting to digital realities and a number of them are playing catchup with regards to cyber readiness. However, the aforementioned challenges are not unique to hospitals, and are faced by many small and medium enterprises (SMEs), and in several instances, large corporations. Individual users are also targeted based on their generally poor Internet hygiene or lack of security awareness.

We want to take this opportunity to emphasize the importance of good online security practices when accessing the Internet. So here are 6 basic tips for protecting against ransomware:

1. Employ strong, multi-layered endpoint security – Using endpoint security that can protect web browsing, control outbound traffic, protect system settings, proactively stop phishing attacks and continuously monitor for anomalous system behavior will allow for better protection of servers, laptops, tablets, and mobile devices.

2. Maintain regular backups of your critical data – Backups can help you to protect your data from more than just ransomware. Other risk events such as malware, theft, fire, flood or accidental deletion can all render your data unavailable. Be certain to encrypt your backed-up data so it can be effectively restored. Backups should also be stored at an offsite location isolated from the local network.

3. Do not open unsolicited emails or messages from unknown senders – Many ransomware variants are distributed through phishing attacks or email attachments. Increased mindfulness when handling ‘suspect’ emails can be effective in combating ransomware.

4. Patch your systems regularly – Patching your systems for vulnerabilities reduces the opportunities for hackers to infect you with ransomware. The fact that a patch was available for the WannaCrypt vulnerability since March highlights the somewhat lax attitude by organizations and individuals to keeping their system patches up to date. That being said, patch management is a complex activity and can impact the availability of key systems. Hence, thorough testing must be conducted to avoid unplanned downtime.

5. Disable macros if possible – Many forms of ransomware are distributed in Microsoft Office documents that attempt to trick users into enabling macros. There are a number of tools available that can limit to functionality of macros my preventing them from being enabled on files downloaded from the Internet.

6. Be aware and vigilant – For individuals, don’t assume that only techies need to know about all the recent malware and trends in online attacks. Subscribe to mailing lists that provide information on common vulnerabilities and exposures. In the case of organizations, developing an information security awareness program is an integral part of improving overall security posture.

Finally, we want to touch on the important work being done by the Online Trust Alliance (OTA), the Internet Society’s newest initiative. The OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship. With regards to preventing ransomware attacks, OTA has developed a number of industry best practices that address key threat areas such as email authentication and incident response. These are as follows:

Email Authentication: https://otalliance.org/resources/email-security

Domain-based Message Authentication, Reporting & Conformance (DMARC):https://otalliance.org/dmarc

Cyber Incident & Breach Response: https://otalliance.org/resources/cyber-incident-breach-response

Additional OTA best practices, resources and guidance to help enhance online safety, data security, privacy and brand protection can be found here.

The Spam Toolkit developed by the Internet Society also provides some guidance on addressing online threats.

The Internet Society is committed to the enhancement of online trust, and our work along this vein spans multiple areas. Our goal is to continue to provide our individual members, organizational members, chapters, partners, and other constituents with timely and relevant information and resources that equip and empower them to act.

My original blog article was published on the Internet Society website at: http://bit.ly/2qMuQ4U

ICT PULSE: Cyber Threats and Security in the Caribbean 2016 Update – Interview with Niel Harper

nielharper

cyber security

ICT Pulse: Niel, it has been two years since our last Expert Insights Series, give us a quick recap of what have been the most prevalent incidents in Barbados and/or in the Caribbean region since 2014?

Niel Harper: Over the last 2 years, various government web sites in Barbados have been compromised and defaced by hackers. Websites included the Barbados Government Information Service (BGIS), Barbados Stock Exchange (BSE), Barbados Revenue Authority (BRA), Royal Barbados Police Force, and the Barbados Supreme Court, to name a few. Private websites such as the Barbados Advocate were hacked as well. There are still no data protection laws in the country, so due to absence of mandatory breach notifications, the few reported incidents are only the tip of the iceberg.

The prevalence of ATM skimming attacks have also increased. However, because the marketplace is dominated by mostly Canadian banks, Sarbanes-Oxley regulatory requirements have led to stronger controls, and many of the skimming attacks have resulted in arrests.

In the wider Caribbean, there have been similar trends of government websites being compromised. A number of organizations in St. Vincent, Grenada, St. Kitts & Nevis and other countries have been subject to malicious online attacks. One of the major commonalities across the region is that organizations with limited resources and untrained personnel have been the targets of successful attacks. This is a key reason why capacity building is critical to improving the region’s overall cyber response capabilities.

ICTP: How has the threat landscape changed over the past two years? Are there any particular areas of concern that you have for Caribbean organizations?

NH: The smartphone footprint continues to grow and with it the attack surface of mobile devices. That being said, many device manufacturers are focusing their efforts on enhanced security as a product differentiator. Still, end user education is necessary as an additional layer of protection against malicious threats.

Given the increased hardening of operating systems and applications, attackers are focusing on areas lower down the ‘stack’ such as BIOS, firmware, and graphics chipsets. Controls such as boot security, trusted execution, and active memory protecting are making these attacks more difficult, but I expect these types of threat vectors to increase.

Newer technologies such as IoT (Internet of Things), M2M (machine-to-machine) communication, Network Functions Virtualization (NFV), and Software Defined Networks (SDN) are growing in terms of their deployment base. But this also introduces significant challenges in terms of security: single points of failure, open source software, and complexity. The fact that commonly used items such as televisions, refrigerators, and even automobiles, are now accessible through the Internet has vastly changed the threat landscape, and should force manufacturers and end users alike to focus more on cybersecurity.

The explosion of cloud computing, the increasing popularity of crypto-currencies, and the emergence of mobile payments (e.g. Apple Pay, Google Wallet, etc.) are also areas for concern with regard to an expanding threat surface.

All of these areas are of particular concerns for Caribbean organizations, especially those who are seeking to be on the cutting edge […]

The entire interview can be found on the ICT Pulse website at: http://bit.ly/1T9iMQv

How Secure is Barbados’ New Centralized Healthcare Information System?

nielharper

health

Think about the following scenario for a minute:

A Caribbean government deploys a health information system (HIS) with the goal of improving the quality and coordination of patient care in the public service. For all intents and purposes, expert consultants from Europe and the USA are brought down to implement the system and to ensure that best practices for securing and protecting sensitive clinical data are used. The project is successfully completed, the consultants leave, and hand off day-to-day management of the system to the government’s IT staff.

The government has no overall IT security policies, procedures and guidelines to ensure that the system and the data housed in it continue to be secure and protected from malicious threats. There are no trained or experienced IT security experts on the government’s payroll. There are no data security standards enforced by the government. There is no data protection legislation in place to provide a control framework for protecting highly confidential healthcare data from being stolen by hackers or to prevent data from being accidentally lost or leaked.

Eventually, all these weaknesses together result in persistent compromises of the system by hackers, and all the private clinical data of the citizens of the country are posted on the Internet or otherwise made available for the world to see.

Does the above scenario make you shudder? I know it scares me to death.

The rest of this article will demonstrate how close to reality this is in the Caribbean region.

In the past week or so, the Government of Barbados informed the public of the launch of their Med Data healthcare information system (HIS) and electronic medical records (EMR) scheme. Let me first commend the government on this much-needed initiative to drive efficiency and improved standards of care in public healthcare. However, I have a number of grave concerns about the manner in which this project has been undertaken.

Data Protection Legislation

First of all, no data protection legislation has been discussed, ratified, and implemented through Parliament. Simply put, healthcare data must be processed fairly and with the consent of individuals, especially as it pertains to whom data is shared with and in what context. Legislation should address key areas such as mandatory data breach notifications, heightened enforcement, heavy penalties for breaches, and expanded patient rights. Moreover, any data protection legislation should have a broader scope and include the management and protection of data in areas outside of healthcare, namely banking, insurance and law enforcement.

In essence, data protection legislation would hold both private and public institutions accountable and liable for damages in the event of a security breach. It would also make it mandatory that all breaches are reported to the public so that data owners can take steps to protect their identities. And finally, it allows for heavy fines to be levied on any institution that fails to maintain strong security controls for data.

Data Security Standards

Secondly, there has been no development of data security standards to accompany the legislation and to provide best practice guidance for accessing, exchanging, transmitting, and storing healthcare data in a secure manner. On a broader scale, the Government has no risk management framework, no IT governance processes, and from an operational perspective, no procedures for responding to IT security incidents. There has been an initiative in play for some time now to create a Computer Security Incident Response Team (CSIRT), but it has stalled due to lack of resources (human and financial).

Given the number of security incidents that have occurred in the public sector over the last couple of years, one would think that government officials would be taking data privacy and security more seriously. Key systems at the Royal Barbados Police Force, Inland Revenue, and the Ministry of Foreign Affairs have been hacked in the last couple of years (and these are only the ones that have been made public or that the government are aware of).

But enough criticism of the government; let’s talk about solutions. There is no doubt that IT governance, risk and control (GRC) is an area that requires major attention from the Government of Barbados. The question is: How do we address these deficiencies?

Recommendations

For one, I would suggest that public officials engage local groups such as the Caribbean Cyber Security Center, Information Systems Security Association (ISSA) Barbados Chapter, Institute of Internal Auditors (IIA) Barbados Chapter, and the Barbados IT Professionals Association (BIPA) to assist them in building the necessary competences to improve the control framework and information security posture of the public sector.

Additionally, an online register of consultants should be established to allow the government to create a repository of world-class professionals — not only in IT, but across disciplines — who can assist them in delivering critical initiatives such as the Med Data project. All the expertise does not reside in Europe or North America. We have talent pools (of awesome individuals) across the Caribbean region that remain untapped.

Another area for improvement is around developing policy and legislation. There needs to be greater engagement of the general public and other interested parties in such processes — effective dialogue is constructive. Mechanisms such as e-participation or crowdsourcing can provide the government with a better understanding of the inherent risks, latent issues or knowledge gaps that may exist in program management and project delivery.

Finally, organizational management and intellectual capital development should be foremost on the minds of public officials. The leaders that we have elected need to think more strategic and create organizational structures that are agile and can respond expediently to the needs and demands of the people and address the key risks that the country is faced with. Centralized strategic planning and oversight of the tactical and operational aspects of IT are needed. Key positions such as the Chief Information Officer and Chief Information Security Officer must be defined and filled appropriately. Government employees have to be trained in disciplines such as project management, risk management, IT service management, business continuity, and cybersecurity.

The aforementioned recommendations are not meant to be a panacea. They are basic parts of a maturity model; one that will permit the government’s risk response mechanisms to evolve to better defend against the threats that exist and emerge. But more importantly, they are of critical importance to building trust in the e-government systems that the public are expected to use. They hopefully should also foster a risk-oriented philosophy that pervades throughout the public sector.

Navigating the cloud: SMEs and cloud services

nielharper

Cloud-Computing-cap
More and more small businesses are migrating to the cloud and reaping significant benefits like never before. With cloud services, small businesses no longer need to install physical infrastructure like e-mail servers and storage systems, or purchase software applications with exorbitant annual license fees. The “on-demand” availability of cloud solutions means seamless and simple collaboration with customers, business partners, and staff members using nothing more than a web browser. Cloud services also provide entrepreneurs and home-based businesses with access to advanced technology without the requirement to hire a full-time IT specialist.

But what exactly is this “cloud”?

Cloud computing is an overarching term which encompasses a number of different categories. Software-as-a-Service (SaaS) is where a particular application or service is provided to a business or individual as a subscription. Google Drive, QuickBooks Online Plus, and BaseCamp are all popular examples of SaaS.

Using Platform-as-a-Service (PaaS), businesses are provided with a platform on which they can build, install, and maintain customized apps, databases and integrated business unit services. Widely used PaaS include Windows Azure, SharePoint Online, and Google App Engine.

Infrastructure-as-a-Service (IaaS) allows businesses to outsource infrastructure in the form of virtual resources. Components include servers, storage, networking and more. IaaS providers include Rackspace, HP Converged Infrastructure, and Amazon Web Services.

Most small businesses generally don’t need much more than SaaS to meet their operational needs. SaaS provides them with the capabilities to deliver a myriad of IT services that would otherwise be expensive and resource intensive to administer as localized, on-site solutions.

It must however be emphasized that cloud services bring with them a number of security, stability, and data control issues. That is why it is critically important that small businesses stay informed and strictly require that cloud providers furnish them with detailed business continuity plans and security controls to remediate outages and protect sensitive data.

What to do when your cloud brings the rain?

There are a plethora of reasons why cloud computing is popular. It gives small businesses the technology that enables them to be lean, agile, and competitive. But as is quite evident, trusting your information assets to a single entity whose equipment is stored in a centralized location, means that you’re extremely vulnerable to whatever outages, security compromises, or natural disasters that they are exposed to.

So what are small business owners to do? Here are some recommendations that can allow you to better manage the risks associated with cloud providers.

Fine Tune Your SLA: Service level agreements (SLA) should codify the exact parameters and minimum levels of service required by the business, as well as compensation when those service levels are not met. It should assert the ownership of the business’ data stored on the cloud platform, and outline all rights to retaining ownership. It should include the infrastructure and security standards to be adhered to, along with a right to audit for compliance. It should also specify the cost and rights around continuing/discontinuing use of the cloud service.

Keep Critical Data Local: Decide which business processes require maximum uptime, and keep them on-site. Avoiding the cloud totally for specific mission-critical applications, small businesses can minimize data unavailability as well as security and privacy issues. Most definitely some businesses have regulatory requirements to meet, and this ought to be a key consideration when deciding not to ship your data offshore.

Two-Factor Authentication: More and more providers are offering two-factor authentication (2FA) as a means of securing access to cloud services. Two-factor authentication adds a second layer of authentication to user logon credentials. When you have to enter only your username and one password, that’s considered as single-factor authentication. 2FA mandates that users have 2 out of 3 types of credentials before access to cloud resources are granted.

Deploy A Hybrid Configuration: Maintaining a hybrid implementation of cloud and local services is a best practice approach for protecting company data. Replication or archiving solutions often deliver a service with both a local appliance at the customer’s premises and cloud storage too. This type of on-premise-to-cloud replication strategy ensures that you have local copies of the data you transmit to the cloud. Actively seek out cloud providers that can configure this kind of scenario.

Availability, integrity and confidentiality issues will always exist when using IT systems. And when a business employs cloud-based computing, these challenges are even more pronounced. Be extremely meticulous when searching for cloud providers, and question them about their security controls and disaster recovery options. Even though you outsource the processing of your business data; there’s no reason why you should lose control.

Cyber Threats and Security in the Caribbean 2014 Update

nielharper

Lock background

[Exert from a recent interview I did with ICT Pulse on the state of cybersecurity in the Caribbean]

ICT Pulse: Niel, give us a quick recap of what were the most prevalent incidents in Barbados and/or in the region in 2013?
Niel Harper: In 2013, Barbados was subjected to attacks from a number of different threat vectors. Several government agencies, financial institutions and private businesses were the focus of targeted website compromises. Some of the techniques used were distributed denial-of-service (DDoS), cross-site scripting (XSS), and SQL injection attacks. There was also a sophisticated ATM skimming campaign that was perpetrated by Eastern Europeans whereby several commercial banks were targeted. I would like to emphasize that these are the known issues. I am pretty certain that the occurrences and complexity of the attacks were much higher, but as there is no legal requirement to report breaches, we will simply never know.

ICTP: Although we are still early in 2014, how is the threat landscape changing? Are there any particular areas of concerns that you have for Caribbean organisations this year?
NH: The Caribbean will be facing the same evolving threat landscape as the rest of the world. For one, as more companies and individuals in the region move their information to the cloud, we should expect to see more focused attacks on corporate and personal data stored on cloud services. Secondly, we will witness greater adoption of advanced persistent threat (APT) techniques to be used in the distribution of traditional malware. There will be growth in the amount of Android and iOS malware, and the burgeoning use of mobile apps for enterprise applications coupled with increased social media usage will broaden the overall attack surface. Given that Windows XP is still widely deployed across enterprises and on personal computers, the platform will become a huge target for attackers as Microsoft ends support activities. And finally, spam is evolving to a point where it is being employed more and more for malware payloads.

ICTP: At the CARICOM level, there appears to be a growing awareness of cybercrime and calls by leaders that something be done. In your opinion, have there been any improvements in the cyber security-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?
NH: The Government of Barbados has signed a MOU with the ITU to setup a Computer Incident Response Team (CIRT) within the framework of the ITU-IMPACT initiative on strengthening cybersecurity. I believe that this step is a signal of intent by government to improve cyber response capabilities in the country. However, my concern is that the accompanying cybersecurity legislation and the necessary capacity building for personnel is not being addressed in as robust a manner as it needs to be. Jamaica has expanded the capabilities of the Communication Forensic and Cybercrime Unit (CFCU) of the Jamaica Constabulary Force, and has also taken steps to establish a national computer security incident response team (CSIRT). A National Cybersecurity Task Force was also established in 2012. However, what have been missing in Jamaica are large-scale cybersecurity awareness programs to educate key at-risk groups. The Caribbean Telecommunications Union (CTU) has also been doing its part to combat cybercrime region-wide, but there are still a plethora of challenges in numerous countries in terms of adequate resources and funding for cyber security response. Moreover, there is little to no coordination among the cybersecurity entities in place across the CARICOM footprint. This prevents the region as a whole from jointly benefitting from crucial activities such as threat information sharing, critical infrastructure protection, active defense and incident preparedness.

ICTP: Are you observing any real evidence of a greater willingness among organisations to take cyber/network security more seriously? How is that awareness (or lack thereof) being manifested?
NH: I think there are generally two types of organizations across the CARICOM region: 1) Organizations that by the very nature of their business and the operational and regulatory requirements they are subject to, are compelled to take cybersecurity serious and invest heavily in a strong control framework to effectively mitigate the risks they are confronted with; and 2) Firms or institutions whose management simply does not recognise or understand the high risks which they are faced with as it pertains to cyber attacks and online crime. So what you now have is a situation where there are a handful of companies with very strong cybersecurity capabilities (mostly financial institutions), and a large amount with weak controls as it relates to cyber resilience. All in all, many Caribbean organizations are still facing serious financial constraints, and budgetary planning cycles regularly do not include large expenditures on things like IT security. Monies are spent on more seemingly important corporate interests, although this will likely change as cyber-risks increasingly pose threats to human, social and economic well being and stability.

ICTP: Are there any key areas businesses should be investing their network security/IT dollars this year?
NH: Businesses need to invest their money in personnel with specialized knowledge and expertise in implementing technical solutions, enhancing operational practices and developing effective cybersecurity-related policies. Governments as well as corporations also need to invest in awareness-raising programs around cybersecurity. And more dollars also have to be spent on research, monitoring, reporting, and coordination of responses to cybersecurity incidents.

The full article and interview can be found at: http://tinyurl.com/mlssfll