With the Barbados Revenue Agency recently experiencing a significant data breach, there is once again an opportunity to revisit our security posture. In this article, we recommend that Caribbean countries establish national cybersecurity standards or guidelines to help private and public sector stakeholders, including MSMEs, improve their security posture.
In today’s hyper-connected world, cybersecurity has emerged as a critical issue for nations worldwide. As governments, businesses, and individuals increasingly rely on digital infrastructure, they also expose themselves to growing risks from cyber threats.
Earlier this week, it was revealed that the Barbados Revenue Agency (BRA), which essentially is the country’s Inland Revenue Department, had been hacked and data stolen. Early reports indicated that 230 GB of uncompressed data including property tax records and vehicle owner’s registration records were being offered for sale, which alerted authorities to the breach. Further, the data sets included individuals’ full names, email addresses, phone numbers, passports and national identification numbers, and driver’s license numbers (Source: DataBreaches.Net).
This breach is devastating to Barbados, which, to some degree, is still grappling with the 2022 breach of the Queen Elizabeth Hospital. However, it is also a reminder to all of us of the need for continued vigilance and good practices to be integrated into organisations.
A glaring deficiency that is becoming increasingly evident in the Caribbean region is the absence of cybersecurity standards or guidelines. These structures can play a crucial role in safeguarding a country’s digital infrastructure and protecting its citizens from cyber threats.
Why should the adoption of standards or guidelines be considered?
Generally, standards or guidelines tend to present the minimum acceptable principles or criteria that ought to be followed by stakeholders. In the case of cybersecurity, no guidance has been given to stakeholders. Instead, the focus has been on cybercrime: breaches of law and the punitive actions that would be taken after the fact.
However, stakeholders could benefit from having guidance on the measures they should implement, cognisant that cybersecurity is becoming increasingly complex and organisations, especially our micro, small and medium enterprises (MSMEs), may not have the resources to access the expertise or make the significant investments that governments and large corporates could consider.
Further, even if organisations can afford to invest in cybersecurity, the posture of the country could increase their risk profile. Cyber insurance is a good example. Currently, the Caribbean region is considered a high-risk area, which is resulting in organisations not being able to secure premium cyber insurance packages. In other words, the issue is not the price of the insurance premium but that the insurers are unwilling to provide the desired coverage due to the risk envisaged.
There is precedent for establishing standards
It is thus important to highlight that several countries have recognised the importance of cybersecurity and have already implemented national standards or guidelines. Below is a summary of some nations that are leading by example:
1. United States
The United States (US) National Institute of Standards and Technology (NIST) introduced its Cybersecurity Framework in 2014, and it is widely used across sectors. This framework provides voluntary guidance to organisations on how to manage and reduce cybersecurity risk, and is structured around five key functions: Identify, Protect, Detect, Respond, and Recover. Further, many private and public organisations in the US and abroad have adopted this framework as a baseline for cybersecurity.
2. European Union
Enacted in 2016, the European Union’s Directive on Security of Network and Information Systems (NIS Directive) was the first EU-wide legislation on cybersecurity. The directive requires EU Member States to build national cybersecurity capabilities and report on cyber incidents affecting critical infrastructure. It also promotes cooperation between Member States to improve the overall level of cybersecurity across the EU. The recently updated NIS2 Directive further strengthens these regulations.
3. United Kingdom
The United Kingdom (UK) launched the National Cyber Security Strategy in 2016, the impetus for which was the need to protect critical infrastructure and support innovation in cybersecurity. The National Cyber Security Centre (NCSC) was also created to play a key role in managing cyber threats and advising organisations on implementing best practices.
4. Australia
Australia’s Cybersecurity Strategy 2023 focuses on strengthening the country’s defences against sophisticated cyber threats. The strategy encourages collaboration between government, businesses, and the public sector and promotes the adoption of the Australian Government Information Security Manual (ISM). The ISM outlines security controls that Australian organisations should implement to protect their information and systems from cyber threats.
5. Singapore
Singapore has established a Cybersecurity Strategy and the Cyber Security Agency of Singapore (CSA). The strategy focuses on protecting critical infrastructure, creating a safer cyberspace, and developing a robust cybersecurity ecosystem to drive innovation.
6. Japan
Japan has implemented its Cybersecurity Basic Act, which sets out guidelines for protecting critical infrastructure, encouraging collaboration between the public and private sectors, and fostering research in cybersecurity technologies. Further, it regularly updates its National Cybersecurity Strategy to adapt to emerging threats.
Going forward
The importance of national cybersecurity guidelines or standards cannot be overstated. Adopting these structures is essential to fostering greater awareness of the digital threats that exist, helping stakeholders address those risks, enhancing their digital resilience, encouraging innovation, and ultimately securing the country’s future economic and social development.
Further, with Caribbean MSMEs accounting for between 70% and 85% of Caribbean businesses and contributing between 60% and 70% of the Gross Domestic Product and around 50% of total employment (Source: EU Reporter), they are vital to the national and regional economy. Hence, to the extent possible, they ought to be supported in strengthening their security posture in an increasingly digital economy.