Outsourcing, call centres, BPO (business process outsourcing), are words with which we are becoming increasingly familiar – even the man on the street. Across the Caribbean, and with regard to outsourcing, there has been the long held view of sweat shops and of flight by night establishments that set up and start operating one day, but suddenly and without notice shut down leaving employees and supplier in the lurch.

However, many Caribbean countries are banking on outsourcing to help them turn their economies around – by providing much-needed jobs to their educated, but unemployed youth population, along with stimulating the local business environment through the need for a broad range of goods and services, and providing revenue to Government through various taxes. As a result, many Caribbean governments have been actively positioning their countries as attractive locations for offshore outsourcing investment.

However, with Artificial Intelligence (AI) and robotics taking root in IT-enabled services, such as BPO, the outsourcing industry has been changing. Tasks traditionally filled by humans are not being assigned to robots, which are faster, more consistent, and even more accurate that their human counterparts. Additionally, the competition for foreign direct investment (FDI) is high. Developed and developing countries worldwide – not just in the Caribbean – are eager to attract such investment for all of the benefits that can result. In the face of all of this, can the Caribbean still make more inroads in the offshore outsourcing space?

The short answer is yes. As much as companies are excited about the impact of AI and robotics, outsourcing continues to be a strategic consideration, as it allows companies to focus on their core business, and get expert and cost-effective support for activities that do not need to be done in-house.

However, it must be emphasised that AI, robotics and automation have begun, and will continue, to change the game. The key is to try to be strategic and forward-looking in order to identify the tasks and segments in which human will still be required.

One of those areas is customer facing support. Although chat-bots, automation, along with a host of other digital tools, are already being in customer service, there still comes a point when human intervention is necessary. This is especially the case when cognitive thinking and discretionary decisions are required, such as when dealing with difficult problems or challenging complaints, for which the scripted approach will not resolve the issue.

Having said this, it must be emphasised that whilst there might always be the need for human intervention in customer facing situations, the number of humans needed is becoming fewer. Additionally, there will be an even greater requirement to possess exceptional reasoning, problem solving along with other cognitive skills, which would be developed through advanced study, and not at high school.

In summary, Caribbean countries ought to be realistic about the gains they can be realised in focussing on offshore outsourcing.  Our relatively small population size already puts us at a marked disadvantage when compared with other countries, such as those Latin America. Further, the days when the industry could be relied upon to absorb large number of the unemployed are coming to an end. There is a growing demand for well-developed (and even specialist) skills, which cannot be realised through just a few weeks or months of focussed training, but is developed over years of consistent schooling and learning.

It is thus important to manage expectations with respect to what we as countries can offer, versus our limitations, and the impact of the wider environment. Further, whilst offshore outsourcing can still be an avenue Caribbean countries pursue to secure much needed FDI, it should not be the only option upon which we are relying to drive our continued economic growth and development.

Image credit:  Richard Blank (flickr)

___________

In most countries, and especially in the Caribbean, our incomes have not kept pace with the increase cost of living. As a result, it can be difficult to make ends meet, and if we can, our incomes are just covering the basics. There little left over for discretionary spending (for the odd splurge!), investing, or saving.

Unfortunately, things are unlikely to get better anytime soon, and so the onus is on us to improve our situation. Although the most desirable option is to try to secure a better paying job, we are competing with everyone else, for which this is also their go-to option!  An alternative would be to secure a job on the side, to help improve our financial situation. We recommend five.

However, having worked at our main job, which might demand lengthy, or time-consuming, commutes and working for a fixed number of hours per day, or week, for the side hustles we are proposing, flexibility is a crucial consideration. The jobs can be executed from the comfort of your home, and to a considerable degree, we can control when, and at what times, they are performed.

1. Online tutor

Evidenced by the number of tutoring services available to help Caribbean students prepare for Common Entrance, the Grade Six Achievement Test, and the Caribbean Secondary Examination Certificate examinations, tutoring can be a lucrative business. Further, for people who are studying part-time or remotely, they might be eager for the added discipline and support that an online tutor can provide.

The sessions can be one-or-one, or for small groups, and may not require any sophisticated equipment or software. For example, a platform such as Skype could be used. However, even before advertising your services, it is important to be honest about your proficiency in the subject area in which you intend to offer your services.

2.  Virtual assistant

For entrepreneurs and small business owners, who frequently have more on their plate than just managing their business, and are continually juggling cost and resources, having a virtual assistant can be invaluable. A virtual assistant can help by taking over some of the administrative tasks that can be quite time-consuming, such as basic book-keeping, attending to simple correspondence, and schedule/calendar management, thereby freeing us the owners’ time for more important activities that will grow their business.

The virtual assistant can decide to joggle multiple clients, who pay for an agreed number of hours of service, such as four, eight or 10 hours a week. Hence depending on how the business is arranged, it is again possible to do it on a flexible schedule.

3. Freelance writer

With websites, blogs and social media continuing to be on the upsurge, businesses are struggling to keep up with the content they need to generate to keep those platforms current and relevant. As a result, the thrust has been to outsource those requirements to those who can better create effective content more efficiently.

To be clear, to seriously consider being a freelance writer, you ought to be a competent and experienced writer. It is also important to be clear about the types of content and/or subject areas on which you feel comfortable writing, so again, the content can be generated efficiently, and be relevant to the clients’ needs.

4.  Customer service representative

Similar to the virtual assistant sphere, and due to the fact that companies have been downsizing on their physical footprint, increasingly, they are embracing remote work, for which certain positions, such as customer service representatives, can be well suited.  Additionally, and depending on the industry, some businesses are looking for experienced or more mature individuals to provide the needed support services – not the usual 18 to 24 year olds who typically, end up working in call centres.

5. Graphic designer and website developer

Similar to freelance writing, you ought to possess the skills to market yourself as a graphic designer and/or a website developer, and be clear about your areas of expertise. Further, you would need to have access to the requisite software and platforms, in order to execute the projects secured.

Again, there is a lot of work available, as more businesses and individuals seek to establish a presence online, and develop graphics that represent their brand. Additionally, many businesses cannot afford to hire website and graphic designers full time; hence this an area that is frequently outsourced to freelancers, who in turn can pick the projects they want to work on, set their hours, and their price.

Image credit:  Negative Space (Pexels)

_________

It happens quite innocently. You register for a specific offering, which you might have done online, or in person at a particular event,  Soon thereafter, you start receiving regular emails and you really do not know why. Initially, you might just delete the emails, but over time, they are just bothersome to receive, and are of no interest to you, so for a peaceful life, you want to unsubscribe from the mailing list.

You scroll to the bottom of the email, but there is no ‘unsubscribe’ instruction, although the format suggests that an email automation platform has been used. Do you send an email with ‘unsubscribe’ in the subject line, or in the body of an email? When you do, is it successful?

As trivial as such a scenario might appear, far too many of us experience it on an almost daily basis. Our inboxes are inundated with countless messages, many of which come from the fact that have subscribed to a number of online platforms, such as Amazon, Expedia and Twitter, to name a few.  As a result, we often have to wade through the deluge of messages we receive, and may even miss some important and time-sensitive ones in the process.

Although the onus would be on you, the user, to manage your emails and subscriptions, the task becomes far more difficult when it is unclear how to unsubscribe from those email lists. For those generated by automated email services, such as MailChimp and Constant Contact, the provision to unsubscribe is usually present towards the bottom of an email. However, there are several others, such as those frequently generated by Caribbean businesses, that do not allow (unwitting) subscribers no opt-out.

Email lists are very valuable

Although in digital marketing circles much is made about social media, for those in the know, email marketing is considered a more powerful approach. The backbone of any email marketing strategy is the email list. The larger the list of email addresses, the greater the reach, and the greater the ability to directly message the recipients and to drive action.

It is therefore not surprising that businesses, and Caribbean businesses in particular, essentially add every email address they receive with (i) little thought to the source, and/or (ii) whether or not the email address owner wants to be further (and indiscriminately!) engaged by the organisation, such as via email. Unless the organisation is communicating information that its recipients continually want to receive, it is likely that – eventually and for a broad range of reasons – some of them will want to cut ties with organisation.

It is not illegal

One of main the reasons platforms such as MailChimp and Constant Contact make it easy for individuals to unsubscribe from mailing lists is that countries, such as the United States (US) and Canada, and regions, such as Europe, have established laws that govern commercial email messages. Whilst in Canada and Europe users must explicitly opt-in to receive email messages, that is not required in the US. However, all three require every message to include opt-out instructions (Source:  L-Soft).

Currently, very few Caribbean countries, if any, have laws that address the behaviour associated with commercial email messages. As a result, Caribbean organisations can essentially hold your email address hostage, and not provide to recipients a clear way for them to remove themselves from mailing lists.

Summary

In summary, although a substantial email list can be an asset to an organisation, it should not to be maintained at any cost, or without regard to the members of the list. Individuals who find their email addresses on such lists should be have the ability – and the courtesy should be extended for them – to unsubscribe, or opt-out as and when they choose, and not feel as if they are at the mercy of the organisation that possesses their details.

Image credit:  GotCredit (flickr)

___________

It would not be an exaggeration to say that electronic (e-)commerce is firmly entrenched to today’s society. To varying degrees, most of us have, at one point or another, paid for goods and/or services online; whilst some of us do so on a regular basis. It was thus interesting that a recent article in the Jamaica Observer was on the subject of e-commerce and its impact on local businesses in Jamaica.

Essentially, the article sought to highlight the fact that thanks to e-commerce, the Jamaican business landscape, and particularly retail, has changed – to the point where business owners are struggling to remain viable. In an example highlighted in the article, a longstanding and popular jewellery store recently closed its doors, due to poor sales, and in its place, the owners opened a restaurant.

Another contributor to the change in the landscape has been increased online activity by local shoppers. Consumers do not want to be limited by geographic boundaries, and are eager to access the wider variety and more cost-effective options available internationally, which can still work out cheaper than buying locally – even after importation costs are factored in.

The scenario outlined above is not unique to Jamaica. Across the Caribbean, many businesses have been having similar experiences, which not only has been damaging to their bottom line, but also threatens their continued survival. Having said this, is e-commerce really to blame? Below are some points to consider.

E-commerce is not an overnight phenomenon

First, it is important to acknowledge that e-commerce did not emerge overnight. Currently, it is over 20 years old. Hence Caribbean business owners and consumers have had more than enough time to get used to it, and to appreciate its impact on commerce generally, and its the implications for their own individual markets.

Caribbean business models have not evolved

Following from the previous point, and to an appreciable degree Caribbean businesses have not evolved from how they operated five, 10, or even 20 years ago. Although they might have introduced technology into their operations, at the core, the business model with which the business was started, is the very same one that is still being used today. Frequently, it means that they are not aligned with the attitudes and behaviour of today’s consumers, or other important trends in the marketplace, which are much broader than just e-commerce.

For example, should any business today automatically limit itself to serving its local market? One of the consequences of today’s technology is the collapsing of borders and the fact that, thanks to the Internet, any business can serve the global market – if it so chooses. However, it does mean that the business model that one would implement to serve a local market is vastly different from that needed when thinking globally.

Caribbean businesses have been handicapped

Unfortunately, the underdevelopment of e-commerce framework in the region means that Caribbean businesses are at a distinct disadvantage when compared with similar businesses in more developed countries. Although elaborate and modern websites can be developed, in the region, it is still tedious and expensive to secure online merchant accounts to facilitate payment, and ultimately, many ventures never truly achieve their full potential.  

This difficulty in completing electronic transactions in turn limits Caribbean businesses to their local markets, especially when goods are involved.  It also means that businesses that have been conceptualised to operate solely online, effectively, cannot be the norm in the region, and if they do exist, their transactions are managed outside the region.

More importantly, the diversity and sophistication of the Caribbean marketplace is limited. This narrow ecosystem is likely to remain unless, or until, the requisite frameworks, such as to support e-commerce, are implemented to move the region more fully into the 21st century.

Image credit:  Robbert Noordzij (flickr)

___________

It should be no surprise to anyone that over the past several years, the business landscape – regardless of the field or sector – has become more demanding. In the increasingly competitive  private sector, efficiency, effectiveness, innovation and profitability are crucial considerations for most organisations; whilst in the public sector the focus tends to be on concepts such as, efficiency, effectiveness, accountability and transparency. Regardless of the organisation, there has been a growing expectation that they will become even more responsive to their customers and clients, in order to be considered successful in their particular field.

However, although many Caribbean organisations have all of the trappings of operating in the digital age, to a considerable degree, the mindset and corresponding approach has not changed over the past 20-plus years – and is also the case with more recently established businesses. Below, we discuss some changes businesses can make to become more agile, which has become a critical element to be successful in today’s market.

1.  Nurture a mindset that embraces change

Without a doubt, and change is occurring at an increasingly faster rate. This is the case in business, but also in our personal lives. Gone are the days when an organisation could implement a plan of action, and it does not have to be changed or tweaked for several months, or even years. This in no longer the case.

In today’s workplace, an organisation can no longer take years (or even months) to implement a strategy, as the environment itself is continually changing. As a result, the organisation must have culture that understand the current dynamic and encourages responsiveness and agility. Having said this, an organisation does not have to be impulsive, in order to be agile. It is crucial that proposed initiatives still receive sufficient oversight and careful scrutiny to manage risk and ensure that they are consistent with corporate needs and imperatives.

2.  Do not place all the eggs in one basket

In keeping with the previous point, and noting that changing and multi-layered dynamic that tends to exist in business and in the corporate world, organisations may be better maximise their gains if they adopt and implement multiple operating models. Typically, although firms may have a key focus or goal, it is underpinned by several targets and objectives. However, each of those targets and objectives may require its own unique strategy and ecosystem – operating model – for successful realisation. Although the operating models might be connected, they ought to be considered and managed on their own merit, and coordinated as and when needed.

3.  Become more customer-centric

In today’s business landscape, and in the heightened social media space, the customer is king. They can make or break a business. Accordingly, their needs ought to be a top priority. Although this point might be obvious, it is amazing how many organisations are not as customer-centric as they should be. It is still more about management, the Board, or even the shareholders, who, although important considerations, do not wield the power that customers do in realising, and maintaining a successful business. A change in culture, but also in its processes and approach, are crucial in fostering a more customer-centric organisation..

4.  Make IT a product that is managed

All too frequently, we, as individuals, but also organisations, can become too enamoured with technology. We appreciate its efficiency, but also are chuffed by the prestige associated with certain types or brands of devices. Consequently, it is easy to overlook the fact that technology is a tool to help us achieve specific goals.

It therefore means that the IT (Information Technology) an organisation employs must be satisfy its needs. In the past, the organisation would seek to work around whatever IT it had. To a considerable degree, that is no longer necessary, as there are now numerous vendors, multiple solutions, and scope for extensive customisation. IT can now work for the organisation, and can be changed and adjusted as needed.

Image credit:  Pexels

______________________

If there is anything that has become ubiquitous these days – even in the Caribbean – it is social media. Although it is widely popular among individuals, who have a wide range of platforms to enjoy, including, Facebook, Twitter, Instagram, LinkedIn, Snapchat and YouTube, organisations are also being encouraged to develop and nurture their social media presence.

One of the much touted benefits of social media to businesses is that it is facilitates direct and immediate contact between a business and its customers, and so is an excellent and affordable means of driving sales. It is also acknowledged that those online communities can be especially useful to secure feedback and to manage complaints.

However, although organisations might pride themselves on the number of followers they have on a particular social network, frequently it does not readily mean increased sales (or lead conversions, for example) eventuate. Many social media platforms have configured their algorithms to encourage more paid advertising, which to an appreciable extent, is their largest revenue stream. Hence, increasingly, businesses need to pay in order to get a decent number of eyeballs viewing their content, without having to go direct to their account page.

Further, and perhaps more importantly, some experts have been observed that generally, the interaction and participation of followers is not what it used to be. However, there could several reasons, such as:

• the organisation’s posts are not longer getting into a large proportion of their followers’ news stream;
• the followers, themselves, are being inundated with so much content that the organisation’s posts are being overlooked; or although they might see the posts, and
• even if they do see the posts, they are not motivated enough to engage them.

Ultimately, and under those circumstances, it may be prudent to ask whether social media is still effective for sales, which is what spurred many businesses to join in the first place?

Increasingly, experts are of the view that the benefits of social media to businesses are more along the lines of engaging an audience, and building brand awareness and loyalty – which are important elements in marketing. However, it also means that organisations may need to revisit their social media strategies, especially if sales/lead conversions, for example, were critical goals.

One of the things that must be emphasised is that building a social network is time consuming, and requires considerable effort. The same can apply when implementing a social media campaign, as it can several weeks or months to have meaningful results. Hence organisations ought to clear about the extent to which the resources and efforts social media demands – to do it right – along with the returns likely from such investments.

Image credits:  Mark Kens (flickr)

__________

Although it may not seem to be the case, the ICT/tech space in the Caribbean region is awash with opportunities. There is considerable potential for innovation and wealth creation, and to position of the region as a force to be reckoned with on the global stage. However, it requires all our citizens – men and especially women – to be engaged and participate in the process.

Over the past five years or so, there have been a growing number of initiatives to highlight and nurture innovation and entrepreneurship in the tech space. Some that readily come to mind are Kingston BETA and Startup Weekend Jamaica, organised by Ingrid Riley of the Connectimass in Jamaica, the OECS Business Solutions Think Tank and Hackathon, led by Telojo Valerie Onu, Startup Weekend Trinidad and Tobago, the Caribbean Open Data Conference and code sprint, and the CANTO (Caribbean Association of National Telecommunications Organisations) Hackathon.

In addition to Riley and Onu, there are only a few women such as, Bernadette Lewis, Secretary General of the Caribbean Telecommunications Union, and Dr. Kim Mallalieu, of the University of the West Indies, St. Augustine, who have some regional visibility as women in ICT. However, I am not yet sure whether a larger crop of younger women who will be joining our ranks to leverage the opportunities that should emerge in the ICT/tech space.

It all starts in the classroom

Although I had not given it much thought before, upon a quick review of the evidence to date and even to some extent my own experience, being a woman in the ICT field might not be for the faint of heart. For many of us, and to a fair degree, it has been a solitary, but exhilarating, journey. In my undergraduate engineering class, out of 100 students, a handful, no more than 10, were female. By the time I pursued postgraduate studies, and in a class of 10, I was the only one.

Throughout most of my schooling, including my undergraduate studies, a girl was either the top of class or among the top three, which, without a doubt supports the view that girls have the same aptitude as guys for STEM (Science, Technology, Engineering and Mathematics) subjects. However, a challenge to which young girls might be subject, is the still lingering notion that ICT or technology-related jobs are technician roles that require physicality and strength, and so should remain the purview of males. In fact, the technology field is so broad that while there might be jobs that do require heavy lifting, playing to men’s physical strength, there are scores of others, such as in the design, programming, analytics and engineering spheres, for which, at the very least, women are equally capable.

To its credit, today’s Caribbean society does not castigate girls and women who pursue careers in ICT. Due to international initiatives, such as “Girls in ICT Day”, which is held annually on 27 April, there is a growing awareness and effort to try to get more girls interested in that field. For us women, who are in ICT, generally, people are surprised that we work in that field, but nevertheless have expectations of “great things” from us.  That attention/reaction can be intimidating to many, who want to fly under the radar and not draw undue attention to themselves.

The hardworking wallflower often get overlooked

Frequently, this modesty in the workplace is a result of the way in which girls have been, and are still being, socialised. In the immortal words of Sheryl Sandberg, Chief Operating Officer of Facebook, women tend not to ‘lean in’ at the office. Hence we are happy to be part of a team; we are reluctant to lead; and though we hope someone will recognise our effort, we are prepared to let others take the credit for our blood, sweat and tears. While this behaviour might be useful in the family – in our roles as sisters, wives and mothers – all too often we carry it into our professional lives, where inherently, the rules are different.

Having said this, being a woman in a male-dominated field can be a distinct benefit, as it does allow us to stand out against all of that testosterone(!). The odds are that at meetings or among a group, a woman will be remembered, especially if she is prepared to participate in the discussions and network. Ultimately, it is about leveraging our current scarcity – as women in the tech industry– to our advantage.

Time and again, many techies, the majority of whom are men, are pleasantly surprised that I, a woman, am the Publisher of ICT Pulse. They tend to be generous with their praise of the quality of work being done and the value it is adding to the local and regional tech knowledgebase.

Among a team primarily comprising men, being a woman can also be an advantage. We tend to bring different insights to the table, many of which are borne out of the fact that women analyse and process information differently from men. This does not mean that we offer “girlie” or frivolous suggestions; rather we tend to offer practical and nuanced thoughts and ideas, or introduce additional dimensions that had not been initially considered, but may be valuable to the situation at hand.

Women can strike out on their own… and thrive!

Similarly, in the entrepreneurial sphere, women offering tech/ICT based products and services, is unusual, but again we possess some distinct strengths that arguably, might increase our chances of success.  Although the way we have been socialised, as girls, can be a millstone around our necks, we also tend to be more careful and responsible. Thus, we likely to be more surefooted about our proposed venture, and not prepared to plunge headfirst with just a vague idea.  Having said this, we can also be highly risk averse, which can cause us to stifle the growth and expansion of our businesses, which in some instances, could lead to their demise.

Notwithstanding, in being women and in having a somewhat different perspective from men, the businesses of successful female tech entrepreneurs tend to innovative. Their projects might not necessarily be flashy or sexy, but tend to offer practical solutions for real life problems, and thus very lucrative.

Parting thoughts…

In summary, girls, who might still be intimidated by the tech space, have only to look at areas such as medicine, law and accounting that traditionally had been male-dominated, to see what is possible when women are prepared to break down barriers. The same can happen with ICT. However, our current crop of female students will most likely have to go beyond their own perceptions of themselves, and of the professions open to women, in order to tap into the potential, and the courage, that we already know they possess.

Image credit:  Pexels

_____________

Sean Slattery is founder and CTO of Caribbean Solutions Lab – a cybersecurity service provider that helps businesses throughout the Caribbean and North America to defend and protect themselves from cyber threats. Based in Cayman for nearly 20 years, Sean has spent the last nine years focused purely on cybersecurity, holds a US Government Secret security clearance, is an FBI Infragard member and regularly delivers cybersecurity presentations. Sean was also a McAfee instructor for five years.

ICT Pulse:   Sean, give us a quick recap of what have been the most prevalent types of incidents in  the Cayman Islands and/or in the Caribbean region over the past year or so? How has the threat landscape changed?

Sean Slattery:  Ransomware is still the most well known and headline-making malware threat. While phishing remains the preferred delivery method, we have also seen a noticeable increase in mobile based and targeted threats. With respect to phishing and mobile threats, the bad guys are definitely improving their skills notably in language. It is now rare to receive an email in broken english. The messages and sites are well crafted, very targeted and nearly indiscernible from a legitimate one. Consistent user training, security awareness and developing a distrust for the Internet communications remain the best countermeasures. The latter being the most difficult for the Caribbean as we are inherently quite trusting due to our smaller communities. The targeting of financial institutions continues to be popular in the cybercrime playbook. Many in the Caribbean believe that we aren’t targeted. I have first-hand evidence that we are indeed targeted. Also, we have been able to compare data with our US and European peers and see that regional activity, campaigns and attacks match theirs. Not only are we targeted but we are also enjoy the benefits of being associated with the larger jurisdictions. In the end, a bank account, credential, computer is valuable to cybercriminals regardless of location. The Internet is a great leveler in that regard.

ICTP:  Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?

SS:  Yes, ransomware is still quite prevalent, simply because it works. The reality is that ransomware pays very well – an estimated $1 billion and 400 new variants in 2016 alone. Understand that cybercrime is a business, a big business in fact. If no one paid the ransoms the business model would fail. Clearly people are paying the ransoms.

ICTP:  What are some of the new and emerging threats of which we should be more aware? And are there any particular areas of concern that you have for Caribbean organisations?

SS:  There is a natural evolution to the industry. As the saying goes, when you build better mousetraps, you will get smarter mice – wash, rinse and repeat. In addition to the improving existing techniques, a few things come to mind. Fileless malware is a particularly interesting threat. This type runs completely in memory and leaves virtually no trace for a traditional antivirus to detect and action. firmware attacks. We are also seeing improved automation used by cybercriminals to generate malware. Let’s not go into the nuances of AI (Artificial Intelligence), mathematical modeling and machine learning but suffice it to say, that the bad guys are taking a page out of our own playbooks and using it against us. Another emerging type threat, on our radar, is based in firmware. We’re referring to the software that sits inside of the hardware chips that run our computers, home audio/visual equipment, cars, etc – the Internet of Things – IoT. Face it, everything is or has a computer now. Being able to validate, prove and continuously monitor the integrity of that new server, firewall or router you purchased is increasingly important.

ICTP:  At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders for something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in the Cayman Islands, and/or perhaps regionally? What might still be missing?

SS:  I agree that regional awareness is improving but is only part of the battle. An impacted business’ customers will care more about action than awareness. Locally, the Cayman Islands government has embraced cybersecurity and is driving adoption of the NIST framework from the top down. We continue to have success with a threat sharing network of local organizations. When a member is targeted or experiences a threat, pertinent information is quickly shared to the benefit of others not yet targeted or impacted. In a way, the more the group is targeted the safer it becomes. The biggest challenge we see with organizations is the propensity to consider cybersecurity an IT problem. Cybersecurity is a business problem that affects the board, shareholders, legal, compliance, HR to name a few non-IT areas. Only a handful of organizations have recognized this and taken action by establishing cybersecurity departments or teams. From a technical perspective, a cybersecurity group or team needs to include endpoint (desktop/server), network, and application stakeholders. Often these might actually be outsourced positions or fulfilled by service providers and that is OK too.

ICTP:  Does it even make sense for small companies to send their network administrators to security training courses when security is not their full-time job, and given the pace at which the security landscape is changing? Or should such companies just accept the fact that they need to outsource this function?

SS:  Where possible, SMB’s should definitely invest in cybersecurity training for their staff. There are many affordable online or computer based training resources. It should be a matter of HR policy to conduct annual security awareness training for all staff. Outsourcing can be a bad word for small businesses. Supplementing security from, partnering or teaming with a cybersecurity provider can be a more palatable term! Seeking help or external expertise is not a sign of weakness. It is actually a sign of maturity. Organizations should seek to work with cybersecurity providers or IT providers with dedicated cybersecurity teams. Simply outsourcing security to an all-purpose IT provider is insufficient – jack of all trades, master of none.s with any physical skills, mental skills must be regularly practiced or risk atrophy. Cybersecurity is no different in the context of general IT.

ICTP:  Do you agree that user naiveté is the number one security threat facing organisations? If not, what do you think is the most significant threat?

SS:  User naivete is certainly a major factor but a larger issue is business naivete, particularly at senior/board levels. In addition to the previously mentioned notion of security being an IT problem, users including board-level ones often fail to recognize the importance of cybersecurity to the business. A user only has to not receive their pay following a ransomware attack they inadvertantly caused by opening a file to recognize the business impact. Another area of significant naivete is the outdated notion that having a firewall, antivirus, web and email security systems is sufficient. You can be sure that in every headlining breach or attack, every one of those organizations had those tools in place, and yet they were still impacted. Insanity is doing the same thing over and over and expecting a different result. Please let’s stop the insanity!

ICTP:  Should any organisation still be using tapes for data backup purposes?

SS:  Great question and yes! With technology advances in hard drive and cloud-based storage, it is easy to overlook the value of offline backups – tapes still being the most cost effective. Tapes are easy to transport, offer high capacities and  difficult to infect with malware such as ransomware. Do not forget to regularly test your backup systems! In the words of Andrew Tanenbaum, “Never underestimate the bandwidth of a station wagon full of tapes hurtling down the freeway.” Sometimes sending a few terabytes of tapes by FedEx is more efficient than sending that same data across the network or Internet. Disaster recovery and business continuity do not change in response to the event. That event might be a hurricane, plumbing leak, disgruntled employee or major ransomware attack. Online or near-line backups are great tools but you can never have too many copies of your critical data. Do not forget to regularly test your recovery procedures. In the Caribbean, we are used to practicing for hurricane season, but the more often this is practiced the faster the recovery process will run in the event of an actual disaster. In general, I recommend that all organizations be able to recover minimal core functions within 24 hours and secondary functions within 48 hours.

ICTP:  And finally, what are the top three (3) things businesses should be doing this year to improve your network/IT security?

SS:  Hmm, picking just three is tough! Let’s go beyond the usual angles of board-level/business awareness, establishing policy and user training.

First, let’s accept that every organization will suffer a breach or significant cybersecurity event sooner or later. Short of gross negligence it isn’t going to be anyone’s fault – it just is. As a potential customer of said organization, I accept that. However, I would want assurance that the event was quickly detected, contained and mitigated. It is paramount to learn from the event to help prevent a similar recurrence. Ensuring cybersecurity staff/groups/teams are regularly informed and stay abreast of the industry trends is the key here.

Second, let’s finally accept that firewalls, antivirus, web and email systems are insufficient. Firewalls and antivirus were invented over 25 years ago to address problems from 25 years ago. Just as we cannot expect a delivery service today to run on horse and carriage, we cannot expect yesterday’s tools to protect against tomorrow’s or even today’s threats. Organizations should look to invest in complementary and advanced tools that not only provide additional layers of security but can do so in a way that is easy to use and can even save time. Look for terms like AI, machine learning, and mathematics. This can be endpoint, network or even cloud based. Partnering with a cybersecurity service provider for these tools is also beneficial due to the potential for threat sharing.

Third, organizations should seek local and regional networking opportunities for cybersecurity. This can be at levels such as board members developing policies or technical level for security staff to interact with peers. Perhaps the most important networking aspect is for threat sharing. Obviously most organizations cannot disclose details about a breach or tools employed, but there is a middle ground somewhere. This is often through a trusted third party such as common cybersecurity provider. It may be simply a matter of allowing the transmission of a new malware file or phishing email/url. To more people know about a threat, the better the chances of prevention. An ounce of prevention is worth a pound of cure.

Lastly, I will leave readers with a few bullet points that can help guide them. An organization that can accurately and consistently answer the following questions will be in a very good position to address cybersecurity issues and concerns.

• What or who is connected to your organization?
• What applications or processes are running in your organization ?
• Who has administrative rights?
• How are you continuously monitoring your organization?
• How are your tools working together to correlate, integrate and automate threat detection/prevention/containment?

As a side, note may I suggest that ICT-Pulse also start referring to cybersecurity as its own discipline – beyond a network/IT function? While seemingly a trivial detail it is an important one and change has to start somewhere. Why not have it start with the readers of ICT-Pulse?

Do you have any questions for Sean? Do you agree with his views? Let us know in the Comments section below. 

Image credit:  Yuri Samoilov (flickr); S. Slattery

_____________

In this the second in our Expert insights series for 2017 on cyber threats and security in the Caribbean, we are thrilled, once again, to have Hector Diaz of Cylance, a cybersecurity products and services company, who is based in the Dominican Republic. Previously, Hector was Regional Account Manager, Caribbean, at Intel Security (formerly known as McAfee). He has extensive experience in the IT security space, and possesses a diverse skills set, which includes a strong technical background in infrastructure and security.

ICT Pulse:  Hector, give us a quick recap of what have been the most prevalent types of incidents in the Dominican Republic and/or in the Caribbean region over the past year or so? How has the threat landscape changed?

Hector Diaz:   Hi Michele, thanks for having me as part of the series once again in 2017. The threat landscape in Caribbean region has evolved to incorporate new techniques and to cover a wider spectrum of targets. Every year more and more companies and consumers are depending on technology for pretty much each process from CRM systems to an individual purchasing some goods on the web. Per the 2016 Verizon Data Breach Report, and I quote “in a [whopping] 93% of the cases they analyzed, systems were compromised in minutes or less and data exfiltration happened within minutes in 28% of cases. But even where exfiltration took days, the criminals didn’t need to worry. In 83% of cases, victims didn’t find out they’d been breached for weeks or more”.

If we add to this the growing and visible threat of ransomware, I think we still have a lot of room for improvement in the region in the adoption of proper policies and user education which should be complemented also with technologies that can coexist with the user and provide protection without interfering with business processes or the actual user computing experience.

In terms of providing real/objective data about incidents in the region, it is almost impossible to get our hands in some reliable data other than telemetry that vendors can collect to identify the origin of a threat or the number of detections that occur in a region, other than that, the region still lacks of regulations that obligate them to disclose IT security incidents.

ICTP:  Over the past year, ransomware incidents appeared to have been quite plentiful across the region. Are they still as huge a threat?

HD:  Ransomware continues to be the most prevalent and visible threat and it has evolved from our last conversation on this topic, criminal campaigns today are more advanced compared to what we have seen in the past, with the added problem that samples and toolkits can be easily obtained and used successfully by criminals that have little to no hacking skills, often referred to as Ransomware as a Service (RaaS) and there are plenty of examples of this “business model” where cybercriminals even provide Service Level Agreements (SLA) and Technical support to their “customers” massifying this problem to exponential levels, these ransomware-as-a-service (Raas) offerings are being released more and more frequently. Only three years ago, we would see maybe three or four legitimate RaaS offerings appear every year. Now, we see far more, often several per month.

Some of the features that some of these ransomware as a service “subscriptions” include:

• Full interactive technical support, with an SLA of 24 or 48 hours on complex issues 
• Full C2 functionality for tracking and managing infected hosts
• The ability to generate multiple binaries (the actual ransomware). The system appears to require between 5-10 minutes between requests
• The ability to create multiple, unique campaigns, and assign binary generation to those campaigns
• The ability to interact and chat with infected clients (a feature rooted in PadCrypt – more on that soon)
• Ransom amounts that can be altered per binary or per campaign

In addition to that, we are seeing ransomware being used for much more than just the typical ransoms.

Our Cylance SPEAR research team have seen it used as a diversion; first harvesting credentials for later use, and then encrypting the drive to keep IT staff occupied while the attacker covers their tracks and accomplishes even more nefarious objectives. And more recently, we are seeing highly opportunistic campaigns that encrypt entire networks in an organization and delete host backups prior to encryption, leaving the entire organization held hostage and unable to operate.

Another problem with Ransomware’s proliferation is how easy is for an attacker to create a new variant of a known piece of malware making it invisible for most Antivirus solutions that rely on signatures or file hashes to provide protection, that’s why we have seen so many cases where a user or company gets infected a ransomware, they report the situation to their provider and despite the fact that they generate a signature to protect from this threat, maybe a couple of weeks after, the person or company gets affected again by the same problem. That makes evident that a new approach is needed to provide an appropriate level of protection and we have seen how many innovators are now exploring and developing new and innovative ways to tackle this problem, some of them from an endpoint detection and response perspective and some others, like Cylance, from a prevention standpoint.

ICTP:  What are some of the new and emerging threats of which we should be more aware? And are there any areas of concern that you have for Caribbean organisations?

HD:  At Cylance, we focused on how threats evolve to adapt to security products and still evade security controls, we have seen several areas where threats have evolved in a special manner and we have written extensive blogs and research papers on the following areas, some of this are not new but attackers are still using the same methods, they just adapt them to evade security solutions, some of these are:

• Universal Unhooking: a very technical threat to explain in this interview, but in a nutshell, Code hooking is a technique used for redirecting a computer’s execution flow to modify software. Essentially, a ‘hook’ is something that will allow the developer to see, view, and interact with something that is already going on in the system. Code hooks can perform a wide variety of functionality both innocent and nefarious, including:
  •  Patching a bug
  • Performance monitoring
  • Disabling digital rights management systems
  • Capturing keystrokes (AKA keylogging)
    
  • Hiding processes and files (rootkits)

The antivirus (AV) industry uses code hooking to monitor processes for potentially malicious behavior, protect applications by injecting anti-exploitation checks, and isolate processes by sandboxing or virtualization. The technique can also be used by the bad actors, for instance to implement a rootkit to hide processes and network connections from the end-user and security software. Cylance has done extensive research on how attackers are using these techniques to evade traditional endpoint security solutions and become invisible in the victim’s machine.

• POS Malware: Point-of-Sale Malware is nothing new in the region, but we have seen how attackers are modifying existing pieces of POS malware to create new samples that are again, invisible to traditional security solutions. A couple of examples we have seen in the wild are:
  • RAWPoS Malware: where attackers have even removed functionality from their programs to create new variants and obfuscate the code to make it difficult to identify by signature-based solutions or file hash lookups having a big impact on companies that rely on POS systems to conduct business.
  • Flokibot POS Malware: this is a piece of malware that uses RAM scraping to search for and collect credit card information that is exposed briefly during a PoS transaction. After a period, this data is then exfiltrated off-site to an attacker-controlled server. Flokibot, like most PoS malware, attempts to gains access to PoS devices via phishing attempts, stolen credentials, or a rogue insider. We have seen many cases of this malware attacking not only POS systems but ATMs as well in the region.

• Social Engineering: This is still one the biggest problems in achieving a good level of security in companies of all sizes and at Cylance we consider this as the second most dangerous problem after malware execution, when attackers are not able to execute a piece of malware, they jump into social engineering techniques to try to get information about the user’s identity so they can later utilize this in more elaborated attacks. We have written some blog entries on this problem, identifying campaigns on popular social media websites such as Linkedin: https://www.cylance.com/en_us/blog/social-engineers-target-linkedin-how-to-protect-your-organization.html and also one effective technique that hackers commonly use which is to drop usb’s around the building and wait for someone to connect it on a company’s computer: https://www.cylance.com/en_us/blog/social-engineering-beware-strangers-with-candy.html we think education is the only way to strengthen security against this threat.

ICTP:  At the CARICOM/regional level, there has been a growing awareness of cybercrime and cybersecurity, and calls by leaders for something be done. In your opinion, has there been any improvement in the cybersecurity-associated resources or support structures in the Dominican Republic, and/or perhaps regionally? What might still be missing?

HD:  The Caribbean region’s awareness on cybersecurity is growing, we see more and more efforts from governments across the region to take this issue seriously. We have seen an increased participation of security professionals in multiple conferences representing their respective countries to advance the conversations around the implementation of cybersecurity laws and best practices.

We have seen also the creation of multiple regulations and guidelines for public entities to follow and implement those which is a dramatic advancement in the way public institutions are dealing with cybersecurity.

In my personal case, I’ve been invited to meetings where the CIOs of multiple Caribbean countries have outlined their plans and policies and it’s been good to see cybersecurity as a big part of their general Information technology frameworks.

The region lacks of orchestration and/or regional guidelines on how to tackle the cybersecurity problems and the level of maturity varies from country to country.

You can see more information around the state of cybersecurity laws and regulations on this report from OAS: https://publications.iadb.org/bitstream/handle/11319/7449/Cybersecurity-Are-We-Prepared-in-Latin-America-and-the-Caribbean.pdf?sequence=1

ICTP:  Does it even make sense for small companies to send their network administrators to security training courses when security is not their full-time job, and given the pace at which the security landscape is changing? Or should such companies just accept the fact that they need to outsource this function?

HD:  I think the problem lately has been the focus on learning about point products (which is also important) and not necessarily an investment in cybersecurity knowledge, this is also changing, we have seen an increase in the number of certified security administrators in multiple certifications in variety of contexts from risk management to actual penetration testing as well security awareness training for the general employees.

Per ISACA, 82 percent of organizations expected to experience a cyberattack. But, they felt they were relying on a workforce that was not qualified to handle complex threats and on average, 59 percent of enterprises got at least five applicants for each open cyber security position, but most of these applicants are unqualified.

When asked how long it takes for an enterprise to fill a cyber security position, only six percent of respondents indicate that they cannot fill open positions, 55 percent of respondents indicate that open positions take at least three months to fill.

This gives you an idea on how important is to prepare a training strategy for cybersecurity responders against this reality of more and more advanced threats targeting business processes.

ICTP:  Do you agree that user naiveté is the number one security threat facing organisations? If not, what do you think is the most significant threat?

HD:  I think social engineering and user dependence on technology for virtually everything is one of the main threats, but we need to understand that for the regular user, cybersecurity is not their domain, it is not what they do for a living or an important part of their day to day task list. Over the years, the security industry has built several complex solutions increasing what we call “control friction” which is how much we affect the user experience for the sake of security.

At Cylance we believe that the industry should focus on providing a decent level of security while reducing that friction, making security solutions effective and also making them easy to use for the regular user and also to make the lives of cybersecurity responders more focused on prevention, control and prediction.

ICTP:  Should any organisation still be using tapes for data backup purposes?

HD:  In this case I will say that backup is still a big part of an incident response and disaster recovery plan, the way companies store this information is beyond the scope of my experience and I know some folks at backup companies that can comment with much more authority in this portion of the interview, but again, backup is VERY important and staying on top the latest advancements in this area is something that every CISO should be paying attention to.

ICTP:  And finally, what are the top three (3) things businesses should be doing this year to improve your network/IT security?

HD:  

• Reassess their security strategy to reduce control friction and increase the preventative and predictive capabilities of that control strategy.

• Invest in consulting services and education

• Participate in associations, communities and professional groups to exchange information about best practices, trends and overall security awareness

• Align Cybersecurity with the Business, we cannot continue to be a technology division, a Cybersecurity strategy most consist of having all the key areas of a company, together to enhance the way we address and also understand security risk because today everything is connected and we depend on technology for pretty much every process in a modern business.

Do you have any questions for Hector, or views you would like to share? Please leave them in the Comments section below. 

Image credits:  Rihards (flickr);  H Diaz

____________

Although many of us might pride ourselves on owning or working in tech-savvy organisations, it does not necessarily mean that the organisation thinks digitally. Thinking digitally is not solely about the technology that is being used; or how tech savvy a firm or its employees are. Essentially, it boils down to the ethos that has been established, which hopefully will permeate throughout and guide the approach that the team uses across a broad range of situations. Below, we outline five things an organisation can do to think more digitally.    

1.  Focus on outcomes

Frequently, and in the work setting, individuals tend to focus on a product, process, service or experience, and rarely the impact of those elements. Instead, the true emphasis should be on the outcome, and therefore whether or not, and thereafter how, a particular product, process, service or experience will improve a customer’s life. It should be noted that the customer could be either internal (within the organisation) or external, as the same principle – to focus on outcomes – should apply .

2.  Measure everything

Thanks to technology, we live in an age where, to a considerable degree, we do not always have to guess – to fill in the gaps because the required information does not exist. There is the potential to make more informed decisions, by accessing and applying the needed data. However, data does not exist, or is available for us to use because we want it. The requisite systems must be implemented to not only generate that data, but also to collect it, analyse it, and ultimately produce outputs that are of value to the various teams within an organisation.

3.  Focus on the experience

In today’s market, there is a growing trend towards ultra-customisation. Products and services are being designed so that customers can have their own unique experience based on their preferences and personality. Many of us take it for granted, but it is evident in the recommendations made when we are on Amazon, YouTube, or even Netflix, to name a few. However, it means that that organisations must continue to recognise that “experience is the currency of digital commerce, the one with the best experience wins” (Source: Accenture}.

In order to become more customer experience-focussed, data must be collected, as emphasised in the previous point. Organisations must implement the requisite systems to collect relevant data, and process it to produce meaningful results. However, the systems and processes must also be complemented with the appropriate mindset and culture that truly wants to foster the customer’s experience.

Foster teamwork

Interestingly, in a more digital organisations, the culture that is promoted is not one of being isolated – that individuals are just staring at their computer screens all day. Instead, the emphasis tends to be on openness, connecting and collaboration, Hence nurturing teams, especially multidisciplinary teams – to benefit from a broad range of expertise and perspectives – has become increasingly important. These types of teams not only drive the creative process, for example for product development, but are also crucial in stress-testing concepts, quality assurance, and can be important in contributors to the strategic direction of an organisation

KISS – keep it simple, stupid

Finally, and in competitive markets that now exist worldwide, organisations can no longer languish in their product (or service) development processes. Consumers’ attention spans are getting shorter, novelty is in, and so shorter product (or service) release cycles have become the norm. It therefore means that today’s business ought to be leaner – to be more agile and responsive to the market and to consumers. However, it also implies that internally, the organisation is trying to keeping its processes simple, in order to avoid needless costs and complexity, and to increase its competitiveness and its longer term viability.

Image credit: Pexels

________________