'Tremendous uptick' in cyber breaches

By YOURI KEMP

Tribune Business Reporter

ykemp@tribunemedia.net

A cyber security specialist yesterday urged companies to identify gaps in their information technology (IT) defence after seeing a "tremendous uptick" in attacks on Bahamian networks.

Philip Darville, SolveIT Bahamas' managing director, told Tribune Business: "For the last few years there has been a tremendous uptick in not only the frequency, but the severity, of cyber crime and cyber security-related issues. It is something we have been trying to push and promote more to not only our clients, but this is happening more at a government level.

"Both private sector and public sector are fully exposed. If you have heard about all of the things like the Panama Leaks and other announcements that have been coming out, you would find that a lot of the information that has been stored in government has been leaked or compromised. There was just an article I read this year where the Registrar General's office would have been compromised."

Earlier this month, the Attorney General's Office confirmed that the digital database at the Registrar General's department had been hacked in January. Its contents have been published online, mirroring a similar incident several years ago, but on both occasions only information that is publicly available was disclosed.

Mr Darville, though, added: "There are a tremendous amount of gaps that exist in the way agencies and the private sector approach cyber security, and it is more like a sleeping giant waiting to happen. There are a couple of different layers to the gaps that exist in cyber security.

"First, it starts with recognising there is a level of exposure, and that is accomplished through an identification of what's happening in your business and having an assessment or audit on what level of information can be compromised."

He continued: "Second, we can look at the human element. You can make all of the effort in your business, but if your resources, talent and employees are not fully adept at what needs to be done, or how they can mitigate those risks to your business, then they are exposing your company.

"Standard training exercises that should happen in your business; regular inspections from external companies; investment in technology mitigate these point-to-point risks. A lot of the larger companies, especially, are using more remote work staff, so people are using laptops to work and working remotely from home, especially during this time.

"You have to make sure that these are indeed secure environments. So you have to mitigate the risk of people compromising this. Somebody may go ahead and use a public computer, as an example, to connect to your corporate network, not knowing that that public computer is exposed or has some level of malicious coding or content on it.

"There are numerous risks involved in the whole process, but we have to look at it as the key layer of business contingency planning. It has to start with not only looking at things like hurricanes and pandemics, but security in data is number one. Once you leave that security of data, then your brand has a reputational compromise."

Warning people about "phishing scams", Mr Darville said: "You get these e-mails that look legitimate from agencies like FedEx or DHL, or you may see e-mails from local companies like Cable Bahamas. That's how the levels of these things work. You may get an email that says PayPal, and the logo says PayPal, but you already know that you don't use PayPal, so it doesn't apply.

"So what hackers are now doing is localising their phishing scams within the demographic. So if you get an e-mail from Cable Bahamas, one out of every three people may have services from Cable Bahamas or REV TV and they click on the link and go to a website, and the website mimics exactly what Cable Bahamas looks like, so that's the extent to which these hackers go through to compromise your company."

Explaining the consequences of so-called phishing scams, Mr Darville said: "On a personal level it turns into all of your personal accounts being compromised, all of your e-mails being compromised, all of your banking information is set to your accounts, so they are able to reset all of your passwords. So it is an entire network.

"But on the public sector level and on the enterprise level, the risks are extremely high and it is something I am hoping to press with the relevant agencies to really grab the bull by the horns with this."

Mr Darville also warned that hackers do not always need their victim to click a link or open up a suspicious e-mail. He said: "Risks can also come through your corporate network, especially if it is a multi-national company that has a connection between the US and The Bahamas.

"All of that level of exposure can happen at a network level, so it doesn't necessarily mean that you have to click on something to get hacked or to be exposed. You have servers and routers that are connected to a wide network that are also susceptible.

"You just don't need to have somebody click on a link to become exposed. You can become exposed through receiving a malicious PDF file or through an XLS file, and they can also mimic e-mail addresses of persons that work for your company and send you important company files on XLS. You don't think anything about it and you click it, and you won't even know when it happens," Mr Darville continued.

"For example, every device, once it connects to a network, it is issued an IP address that is equivalent to a post office box. One day you can go to your PO Box and realise that somebody tore it open by just manually ripping the door off of the box. It's the same thing as a network; a network is sitting in this entire universe of systems, and it is just sitting there and communicating information back and forth.

"So what happens is hackers search out these networks, and they are able to find what companies are exposed. These may be companies that may not have invested in IT maintenance. They are running either servers or routers that are older versions of operating systems, or firmware on the hardware, so there is a wide spectrum, but at the end of the day it starts and ends with understanding how exposed are you as a business through either the hardware that you have or the software that you have, and whether your human resource element is adequately trained."
