Cyber security audits required

There is a critical need for cyber security scrutiny of local merchants to a level comparable with audits of financial institutions in order to avoid or minimise data breaches which occur at third party transaction points.

This was one of the suggestions coming out of this year’s Domestic Financial Institution Conference on Wednesday, hosted by the Central Bank of Barbados and held under the Managing Cybersecurity Risk in the Financial Sector.

Panelists Ryan Greaves, Chief Technology Officer at the City of Bridgetown Cooperative Credit Union (COB) and Patricia Rowe-Seale, Director of Enterprise Security, Fraud and Supplier Risk Management at CIBC FirstCaribbean Bank, made the suggestion during a wide-ranging discussion, while calling for a national education campaign on the issue of cyber security.

They explained that a recent data breach, which occurred at merchant and affected several customers of financial institutions here, was an indication of the need for greater oversight at this level.

Greaves agreed that in light of the proliferation of mobile apps, online businesses and digital payment methods in recent times, the risk of cyber security breaches was heightened.

“I find in the financial sector we put all of our emphasis on auditing as it relates to accounting standards and we focus a lot on anti-money laundering and that type of stuff, but I don’t see the same level of emphasis being placed [on] cyber security,” he said.

“I think we need to emphasise that more. Just like how you have all the accounting audits yearly and you are asking staff to do the anti-money laundering training, I think cyber security has to be in there as well at that same level and I think we need to push that more,” he recommended.

Greaves acknowledged that not all organisations would be able to afford a penetration or cyber security audit test.

“We need to look into that because a lot of merchants would have gone and put up websites and doing online [business], but a lot of those in existence would have never done a penetration test. A lot of those organisations do not do a yearly cyber security audit.

“We have to insist on those organisations doing those type of things, not just the financial institutions because in this scenario the breach did not happen at a financial institution, it happened at a merchant. So we have to make sure that those institutions go through the same process of cyber security training, cyber security audits, penetration testing and stuff like that,” Greaves insisted.

At the end of April, leading logistics and e- commerce company Aeropost.com reported a data breach, which it said resulted in some customers’ credit cards being compromised. At that time, several residents in Barbados complained that their accounts were hacked, but the Barbados Bankers’ Association gave the assurance that the breach did not result in any unauthorised access to customers’ personal information held by the commercial banks.

Rowe-Seale said cyber security risks should be treated as another business risk, and she suggested that businesses could start by putting a comprehensive cyber security programme in place.

“While businesses are comfortable with managing credit risks, anti-money laundering risks, cyber risks must also be treated the same way,” said Rowe-Seale.

Outlining the steps involved in setting up a cyber security programme, she said it would require risk assessment and development of mitigation strategies based on the identified risks.

“There are a number of things that would go into your cyber security programme, but of course that depends on your organisation, the services that you offer and the sort of skill sets you have available to manage your cyber security programme,” said Rowe-Seale.

The panelists also urged residents to “take ownership” of their online safety and not share sensitive information online or click on links in suspicious emails.

At the same time, Rowe-Seale said while cyber security was nothing new, there was an increased need for “significant education” on the issue at every level.

“Within our companies we have to have standard education that is based not only on persons repeating the same thing annually, but it has to be continuous, it has to be focused and targeted based on, not only the individual’s role within the organisation, but you have to do simulations and based on that result . . . you have to do this level of training,” she said.

“I would say it has to move beyond companies and become a national position,” said Rowe- Seale.

“We have to have a campaign nationally to educate persons as to their responsibilities from a cyber security perspective.” (MM)