A blitzkrieg of ransomware - Trinidad and Tobago Newsday

BitDepth#1381

MARK LYNDERSAY

BETWEEN November 1 and 3, the American Chamber of Commerce held its annual HSSE awards, but in a room off to the side of the main health and safety conversations and awards, a small group of IT professionals talked cybersecurity.

This parallel elevation of data safety to danger-management levels wasn't as out of place as it might seem.

A growing awareness of the threat of data breaches to both business continuity and to personal safety, as hackers steal and distribute deep caches of personally identifiable information (PII), was sensibly raised by Amcham to top-level corporate concern.

The numbers are staggering.

According to Sem Ponnambalam, CEO and founder of cybersecurity company xahive, software supply chain attacks hit three out of five companies in 2021.

The SolarWinds software supply chain attack affected 18,000 companies.

A ransomware attack was launched against a company every 11 seconds in 2021. By 2030, those attacks are expected to come every two seconds. And even these intimidating numbers may be underestimates.

"A lot of the time, the incidents are not reported," Ponnambalam said.

"While the default position is to refuse paying to release data encrypted in a ransomware attack," said Marcelo Ardiles, cybersecurity consultant at Hitachi Systems, "globally, 38 per cent of organisations who suffered such attacks paid up."

Of those who paid, 61 per cent did so to avoid downtime. Another 53 per cent paid to avoid reputation damage and 53 per cent paid from ransomware insurance.

The average payout since Q3 in 2021 is US$322,000. Companies are targeted according to their revenue and crypto crimes are estimated to cost $30 billion in losses by 2025.

Angus Smith, manager of the TT Cybersecurity Incident Response Team (TTCSIRT), noted that the agency, convened in 2010 and brought into operation in 2017, is essentially hamstrung by the lack of effective legislation.

Without passage and effective proclamation of the Cybercrime Bill of 2017 (which ran into issues with media practitioners who objected to wording that limited the practice of journalism) and the Cyber Security Agency Bill, there can be no effective governance and co-ordinated incident management of cybersecurity breaches.

It's not clear whether some modern security breaches are even recognised as crimes under the wording of existing law, the 12-year-old Computer Misuse Act, a relic of ancient expectations of computer technology abuse.

Current government strategy is to amend this act to align with the second protocol of the Budapest Convention, which harmonises baseline computer-crime legislation across different nations to reduce the jurisdictional issues that don't stop hackers.

No data commissioner has been appointed in Trinidad and Tobago, so many crucial elements of the country's cybersecurity response can't be implemented and the creation of the proposed National Cybersecurity Policy Framework seems ever more remote.

The framework is s
