According to a Deloitte report, ransomware attacks have reached epidemic levels across the globe. There were more ransomware attacks in the first half of 2016 than in the previous five years combined, and experts estimate that this trend will continue. In early 2017, the world was hit by the largest ransomware attack thus far, the WannaCry attack, affecting a multitude of organizations across the globe. Businesses and organizations in the Caribbean region first became targets of ransomware attacks in 2013, and this relatively recent cyber threat now ranks among the top three biggest cybersecurity concerns of organizations in the Caribbean and Bermuda.
Bruce Scott, Regional Risk Assurance Leader for PricewaterhouseCoopers (PwC) Caribbean Region Network, believes that firms in the region are not paying enough attention to assessing and mitigating the risks posed by ransomware. “I think operational risk, the stuff that has to do with your people and processes, doesn’t get the attention as much as the banking and the liquidity and loan financing. A lot of focus is placed on financial risks, but where we struggle is in the operations,” Scott told online newspaper Barbados Today.
Niel Harper, the Founder and Managing Director of Octave Consulting Group, a boutique advisory firm specializing in CIO advisory, cyber security, IT assurance, and information risk management services, agrees. “On a regional (and global) scale, ransomware has continued to be the most persistent business model for cybercriminals,” Harper said in an interview for ICT Pulse.
In the interview, Harper highlighted the lack of mandatory breach notifications or transparency obligations in the various jurisdictions in the region as one of the main reasons why it’s difficult to quantify or qualify the number and types of cyber incidents that occur in the Caribbean. In the United States, all entities that have been subjected to a data breach are required by law to notify their customers and other parties about the breach. These laws vary from state to state, with each state having the freedom to define what’s considered to be a data breach and how breaches should be handled.
According to Deloitte, ransomware attacks in the Caribbean have been targeting mostly hospitals, educational institutions, government systems, financial services, and small-to-medium enterprises with insufficient cyber defenses—the same type of targets as we see in North America and Europe. Given that 60 percent of data backups are incomplete and 96 percent of all business workstations are not being backed up at all, it’s easy to see why companies and organizations often agree to pay the demanded ransom, despite not having any guarantee that the attackers will send encryption keys in return.
Harper advised that Caribbean businesses and organizations should do an assessment of how vulnerable they are by seeking the help of white-hat hackers. “Then, once they see the vulnerabilities, they need to get the budget to close [them] down… You can’t go out of business just because you don’t want to be attacked. So, you just accept that this is reality and you move towards your goals, but you manage your risks while you are still trying to make profits, and give your employees a good experience,” he added.
In 2017, ransomware remains a growing threat in the Caribbean region and across the globe. Ransomware authors are releasing increasingly capable strains of ransomware and targeting brand-new categories of internet-connected devices. Just like other cyber threats, ransomware should be of concern to Caribbean businesses and organizations that want to remain relevant in the digital era. Fortunately, it’s already possible to greatly strengthen one’s defenses against ransomware by embracing basic security practices and using modern security solutions.
For more information on protecting your organization from security threats, please contact Cloud Carib at +1 242 603 1270.