Central Bank fights off new cyber attack

By ANNELIA NIXON

anixon@tribunemedia.net

The Central Bank yesterday said it is preparing for all possibilities after successfully fighting off a cyber attack last week.

Luther Smith, the regulator’s chief information security officer, told the CyberTek Bahamas Cybersecurity Summit that while the distributed denial of service (DDoS) attack was unsuccessful “we tend to want to be proactive as opposed to reactive”.

He added: “I think it was about a week ago we were the subject of a DDoS attack. But, of course, luckily they were not successful in their attempts. A DDoS attack is a denial of service attack - distributed denial of service attack.

“So, at the end of the day, the objective is to render a website unavailable. Typically it affects availability. It’s not one of those attacks where they look to compromise data and information, but it typically focuses on availability of the resource.

“Any time we see instances of that, we would obviously have a heightened posture with respect to what we may be facing. So, naturally, we would have mobilised all of our resources to ensure that there isn’t a more imminent threat that is pending,” Mr Smith said.

“So we tend to want to be proactive as opposed to reactive. So, again, in this instance we were able to avert what the threat actor was attempting to do. But, at the same time, we don’t necessarily look at that as a one off. We’re going to prepare ourselves for anything else that they may potentially throw at us.”

Mr Smith added that “user awareness training” should be increased, and it should be taught in Bahamian schools given that technology is now such a large part of daily life.

“I think where we need to go further now is to increase our user awareness training,” he said. “As a corporation, we’re doing it, but I think at the same time that needs to be incorporated into our curriculums in the schools. Students need to understand now what the risks are with cyber security. They’re growing up in an age where a computer is their tool.”

Mr Smith added that “information sharing” is vital to help increase protection among everyone. “User awareness, training, information sharing, I think those are big,” he said. “And information sharing from the standpoint that in this age of cyber, I don’t need to be the victim of the same attack that you were the victim of.

“I think I can learn from what you would have went through. If we’re willing to share that information, then we can do what we need to do on our end to protect ourselves against that same threat actor.”

Another important factor to consider is reputation. The reputational impact of a cyber attack on a business can be great. However, according to Mr Smith, transparency may actually save a company’s reputation.

“We’re always concerned about reputational impact,” Mr Smith said. “That is something that is paramount. But, at the end of the day, we take confidence in the fact that the attack was not successful and thereby our brand strength is maintained. But, again, going beyond that, you may have an instance when an attack is successful.

“But, again, how you respond to that also gives an indication and also can help to protect your brand and its reputation. Because what you don’t want to do is you don’t want to put your head in the sand. What you want to do is you want to engage, you want to do the public consultation when needed, so that persons understand and are aware of what the fall-out is, if any. And I think that transparency, that accountability is also what helps to drive confidence from your constituents or consumers, if you’re a business.”

Ken Won, founder and chief executive of DragonTek International, a cyber security and managed services provider, ranked The Bahamas among the leaders in the Caribbean on cyber security but, compared to the rest of the world, it does not rank so high.

“In the Caribbean, The Bahamas is up there,” he said. “If I was to compare across the Caribbean between The Bahamas, St Maarten and Jamaica, Bahamas is there, but compared to the world it’s not. And that’s the concern because the world is growing so fast on cyber security standards that the whole world has to stay in law. If we don’t, the hackers are always going to go to the lower common denominator and affect our businesses here on the island.”

During a panel discussion at the summit, Matt Woegens, DragonTek’s director of IT, spoke on the need to be careful when using public Wi-Fi networks, noting that sometimes they come with security and privacy dangers.

“If you’re on free Wi-Fi, expect that there’s no privacy,” Mr Woegens said. “Do not enter passwords that are relevant to your life, even at Baha Mar. I can log in on the guest Wi-Fi and I don’t know anything about the network because I don’t operate in the back end.

“But you can enter any e-mail you want; you’re going to get on the guest Wi-Fi. It’s not tied to anything. So never should you have an expectation of privacy, no matter where you are, and only do general web browsing. If you’re entering any information that’s private, disconnect that Wi-Fi. Don’t even entertain that phone because that’s where things go wrong.”

 
