Above: Photo by gorodenkoff/123rf.com
BitDepth#1467 for July 15, 2024
For just over a month, the website of the Guyana Cricket Board has been quite visibly defaced by hackers who demanded US$1,000 in BitCoin.
The defacement took the form of a warning and demand, stating partly, “Your company was hacked due to major security issues and your documents, contracts, work correspondence ended up in our possession, we would love to forget this incident but we cannot, so your business partners should not suffer because of your negligence to security.”
It’s kind of weird when a definitive statement about the importance of cybersecurity comes from the people who broke into your digital house.
I’ve been trying to understand the studious calm that’s followed the TSTT breach. What collective noun to describe an industry wide gathering of potential victims ardently burrowing for good soil to stick their heads into.
So I’ve decided on apathy, as in an apathy of cybersecurity concerns.
Consider the Blue Waters breach in December 2023, which dropped 10GB of that company’s data on the dark web.
The circle of individuals affected by the public distribution of personally identifiable information in that breach was significantly smaller than hundreds of thousands affected by the TSTT data breach, so there was little cause for public concern.
Almost nobody would have been concerned about Mrs Hadeed’s company-related Amazon purchases or the appalling salary of the company’s lone IT employee, but Blue Waters should have been concerned, because what got dumped on the dark web in that breach was a financial and organisational blueprint of how the company does business.
If a competitor decided to create a rival company, say, Black and Blue Waters, they had a ready-made roadmap, from raw materials acquisition to distribution systems to work from.
And that’s probably one of the reasons why the government has sensibly decided to incentivise a national hardening of the TT digital presence through a tax allowance of $500,000.
In an amendment to the Corporation Tax Act in December, the government further clarified that the allowance would cover cybersecurity investments between January 01, 2024 and December 31, 2025 up to a maximum of $500,000 over the two year access window.
The allowance is a deduction on chargeable taxes allowable over the two-year period, and qualifying businesses can file multiple claims during that window of opportunity.
According to iGovTT, since the announcement was made, the agency has fielded questions from accountants responsible for the tax returns of multiple large business clients and questions from smaller businesses seeking a better understanding of how the allowance applies to them.
At a TTMA webinar on Tuesday, Charles Bobb-Semple, Deputy CEO of iGovTT explained other caveats.
Companies must be in full compliance with the Registrar General’s office and other necessities of doing business in TT to be eligible for the facility, and successful companies may be audited to ensure that the purchased products are actually deployed.
The facility does not cover services offered by individuals; so penetration testing is not covered. Products should meet international standards.
“Our focus is not on the product or the brand, it is not on who the vendor is,” explained Bobb-Semple.
“Does the thing that you’re purchasing abide by certain international standards? The spirit of the allowance is to defend the [cybersecurity] posture of the country.”
Regarding future incentives for improving cybersecurity, he said, “I am certain that the Minister of Finance and Minister of Digital Transformation will look at this as we progress, but I think what will encourage government is our uptake. So I’m really encouraging you to utilise it as much as possible.”
“The preferred position is implementation, so the overall posture that we have on the security side in terms of the software and infrastructure is really focused on retaliation against bad actors.”
“We want businesses to think about this the same way they plan for disaster preparedness,” said Nicole Greene, team lead for corporate communications at iGovTT in an interview.
“You want to plan and prepare in advance to reduce the impact of potential threats and have the fastest return to normalcy should the unthinkable happen.”
“Some don’t quite understand what constitutes a cybersecurity investment for a business of their size, or for their particular business. It’s not a practical thing for them.”
Still, there is a clear reluctance by iGovTT to offer even anonymised numbers of applicants for a programme that’s six months into a 24-month window of opportunity, even a month after the official application portal has been opened for a government-funded tax break worth half a million dollars.
It might just be early days for a country that loves its last minute rush but what if it isn’t?
“I don’t think people are even bothered much anymore,” said Shiva Parasram, an enterprise risk consultant specialising in cybersecurity and ransomware exposure.
“People don’t seem to care unless it affects services or their finances directly. As more people realise that these things happen globally, they’re not too bothered as long as it doesn’t affect them. [Companies seem to think], we have no legislation, so why are we bothering?”
“I think that’s the gist of things. They will just use it to their advantage and say, well, we did have a firewall, we tried our best, but you know these clever hackers; they have certain ways to get things done.”
“Cybersecurity is big money. When you look at the economy and forex [availability], you have many barriers out there.”
What keeps regional cybersecurity experts awake...
December 16, 2024
Where hackers begin
December 9, 2024
Blue skies for microblogging?
December 2, 2024
The apps that thrive in Apple’s...
November 25, 2024
America’s open mic moment
November 18, 2024
The press and the president-elect
November 11, 2024
All washed up
November 4, 2024
The state of Caribbean digital transformation
October 28, 2024
The WordPress War
October 21, 2024
A budget of concrete and asphalt
October 14, 2024
Arima’s first step toward becoming a...
October 7, 2024
Now hear this!
September 30, 2024
A taxing time for all
September 23, 2024
Mobile devices, a war of increments
September 16, 2024
Why cash is king in Trinidad...
September 9, 2024
I shopped at Temu!
September 2, 2024
What’s needed to make e-Governance happen?
August 25, 2024
Changing the education conversation
August 19, 2024
Practical steps to reducing cybersecurity risks
August 12, 2024
The consequences of careless code
August 5, 2024
Dear Mark,
Yes, we are pathetic!
Without legislation to make companies liable for data loss, no one in T&T is going to take this seriously.
I’ve had the experience of going with the managing director of a company to the Fraud Squad to make a report on an email attempt to defraud that company of US$290,000.00. The detective in the Fraud Squad scribbled notes on a yellow notepad while the only computer in the room stood in a corner, turned off and ignored.
I’m pretty sure those scribblings ended up in File 13.
But the thing that shocked me was, that as we were leaving, about to cross the road, I suggested to the managing director that, perhaps now would be a good time to review our IT security policy, which was dismissed with, “Nah, you just do whatever you feel is ok”.
Unless and until data privacy is a constitutional right of citizens of T&T, and both government and the private sector are criminally liable, nothing will change. I’ve been involved in IT for over 40 years and have yet to see any company (except to be fair, Amalgated Security) take any interest in this area.
People think computers are entertainment and not to be taken seriously. Company directors, when they think about IT at all, consider it an annoyance, not a benefit. They treat it like the plumbing, ignored until it breaks, spewing confusion all over the place.
We need legislation with teeth now! Where is the blessed Data Ombudsman we were promised?
[…] Caribbean – For just over a month, the website of the Guyana Cricket Board has been quite visibly defaced by hackers who demanded US$1,000 in BitCoin… more […]