Above: Photo by gorodenkoff/123rf.com

BitDepth#1467 for July 15, 2024

For just over a month, the website of the Guyana Cricket Board has been quite visibly defaced by hackers who demanded US$1,000 in BitCoin.

The defacement took the form of a warning and demand, stating partly, “Your company was hacked due to major security issues and your documents, contracts, work correspondence ended up in our possession, we would love to forget this incident but we cannot, so your business partners should not suffer because of your negligence to security.”

It’s kind of weird when a definitive statement about the importance of cybersecurity comes from the people who broke into your digital house.

I’ve been trying to understand the studious calm that’s followed the TSTT breach. What collective noun to describe an industry wide gathering of potential victims ardently burrowing for good soil to stick their heads into.

So I’ve decided on apathy, as in an apathy of cybersecurity concerns.
Consider the Blue Waters breach in December 2023, which dropped 10GB of that company’s data on the dark web.

The circle of individuals affected by the public distribution of personally identifiable information in that breach was significantly smaller than hundreds of thousands affected by the TSTT data breach, so there was little cause for public concern.

Almost nobody would have been concerned about Mrs Hadeed’s company-related Amazon purchases or the appalling salary of the company’s lone IT employee, but Blue Waters should have been concerned, because what got dumped on the dark web in that breach was a financial and organisational blueprint of how the company does business.

If a competitor decided to create a rival company, say, Black and Blue Waters, they had a ready-made roadmap, from raw materials acquisition to distribution systems to work from.

And that’s probably one of the reasons why the government has sensibly decided to incentivise a national hardening of the TT digital presence through a tax allowance of $500,000.

In an amendment to the Corporation Tax Act in December, the government further clarified that the allowance would cover cybersecurity investments between January 01, 2024 and December 31, 2025 up to a maximum of $500,000 over the two year access window.

The allowance is a deduction on chargeable taxes allowable over the two-year period, and qualifying businesses can file multiple claims during that window of opportunity.

According to iGovTT, since the announcement was made, the agency has fielded questions from accountants responsible for the tax returns of multiple large business clients and questions from smaller businesses seeking a better understanding of how the allowance applies to them.

At a TTMA webinar on Tuesday, Charles Bobb-Semple, Deputy CEO of iGovTT explained other caveats.

Companies must be in full compliance with the Registrar General’s office and other necessities of doing business in TT to be eligible for the facility, and successful companies may be audited to ensure that the purchased products are actually deployed.

The facility does not cover services offered by individuals; so penetration testing is not covered. Products should meet international standards.

“Our focus is not on the product or the brand, it is not on who the vendor is,” explained Bobb-Semple.

“Does the thing that you’re purchasing abide by certain international standards? The spirit of the allowance is to defend the [cybersecurity] posture of the country.”

*The CITA application process, from Mr Bobb-Semple’s TTMA presentation.*

Regarding future incentives for improving cybersecurity, he said, “I am certain that the Minister of Finance and Minister of Digital Transformation will look at this as we progress, but I think what will encourage government is our uptake. So I’m really encouraging you to utilise it as much as possible.”

“The preferred position is implementation, so the overall posture that we have on the security side in terms of the software and infrastructure is really focused on retaliation against bad actors.”

“We want businesses to think about this the same way they plan for disaster preparedness,” said Nicole Greene, team lead for corporate communications at iGovTT in an interview.

“You want to plan and prepare in advance to reduce the impact of potential threats and have the fastest return to normalcy should the unthinkable happen.”

“Some don’t quite understand what constitutes a cybersecurity investment for a business of their size, or for their particular business. It’s not a practical thing for them.”

Still, there is a clear reluctance by iGovTT to offer even anonymised numbers of applicants for a programme that’s six months into a 24-month window of opportunity, even a month after the official application portal has been opened for a government-funded tax break worth half a million dollars.

It might just be early days for a country that loves its last minute rush but what if it isn’t?

“I don’t think people are even bothered much anymore,” said Shiva Parasram, an enterprise risk consultant specialising in cybersecurity and ransomware exposure.

“People don’t seem to care unless it affects services or their finances directly. As more people realise that these things happen globally, they’re not too bothered as long as it doesn’t affect them. [Companies seem to think], we have no legislation, so why are we bothering?”

“I think that’s the gist of things. They will just use it to their advantage and say, well, we did have a firewall, we tried our best, but you know these clever hackers; they have certain ways to get things done.”

“Cybersecurity is big money. When you look at the economy and forex [availability], you have many barriers out there.”