Disclaimer: The views and opinions expressed by the author(s) do not represent the official position of Barbados TODAY.
By Steven Williams
A few months back, someone asked me about the most probable method to compromise the cybersecurity defences of local entities, particularly in Barbados’ financial sector. After a moment’s thought, I was reminded of the saying, “You’re only as strong as your weakest link.”
The digital defences of most institutions are quite robust. Many leading businesses have implemented next-generation firewalls, and some have augmented their security measures with Endpoint Detection and Response (EDR) solutions. EDR is a cybersecurity technology designed for continuous monitoring and responding to advanced threats at endpoints like laptops, desktops, and mobile devices.
Given these robust security measures, it’s clear that the human element remains the most vulnerable. Financial institutions are diligently training their staff as a compliance requirement to identify online threats. So, the question arises: where is the weakness? Primarily, it lies with business partners like lawyers or small business vendors, who have built trusted relationships with key members of the institution’s staff.
Although these third-party organisations are trusted, they might not prioritise cybersecurity as highly. There could be a lack of significant investment in digital defences or insufficient training for their staff to effectively protect their organisations; consequently, posing a considerable threat to their clients, potentially emerging as a weak link in the security chain.
The original query, which focused on the cybersecurity of financial institutions, extends its relevance to government agencies responsible for critical infrastructure, a well, such as the National Insurance and Social Security Service, Barbados Water Authority, and the National Petroleum Corporation. The heightened concern for these agencies arises from their interactions with a large number of customers/data subjects and their extensive engagement with numerous vendors. This complex network of interactions and dependencies creates a broad landscape of cybersecurity vulnerabilities.
Addressing these vulnerabilities effectively necessitates the implementation of some type of Cybersecurity Maturity Model. A framework that is instrumental in elevating an organisation’s cybersecurity posture by providing a structured assortment of practices and various levels of maturity. When an organisation adopts such a model, it can accurately determine the level of risk or exposure its vendors might pose to its business operations.
This systematic evaluation is crucial not only for identifying security gaps but also for strategically developing and enhancing defence mechanisms over time. Such a proactive approach is essential in strengthening the cybersecurity infrastructure against potential threats and vulnerabilities, ensuring the protection of critical data and the continuity of essential services.
Regarding Cybersecurity Maturity Models, options like the US National Institute of Standards and Technology (NIST) Cybersecurity Framework and the Capability Maturity Model Integration (CMMI) for Cybersecurity stand out. These models are extensively used by organisations to evaluate and strengthen their cybersecurity practices. In Barbados, where resources, particularly for small businesses, might be constrained, adopting, and implementing the NIST framework could be a more viable option. Its practicality is underscored by its current usage by a few critical infrastructure agencies in Barbados already, indicating its suitability and effectiveness within the local setting.
Although gathering and providing empirical evidence on the impact of cybersecurity on the economy in Barbados or the wider region can be challenging, global trends offer insightful perspectives. A 2023 report by SecurityScorecard and the Cyentia Institute reveals that 98 per cent of organisations worldwide are connected to at least one third-party vendor that has experienced a breach in the past two years. This finding highlights the elevated risk posed by third-party vendors, who are five times more likely to demonstrate weak security. The report also notes that half of the organisations have indirect connections to about 200 fourth-party vendors that have previously been breached, underscoring the extensive network of risk exposure through vendor relationships.
As Barbados continues to deepen its reliance on information technology, the importance of advancing cybersecurity maturity alongside this growth is unmistakably clear. Expanding technological infrastructure without parallel enhancements in cybersecurity measures could lead to an ongoing state of vulnerability. It’s essential to look beyond addressing current challenges and to focus on building a robust defence against evolving digital threats. This calls for the implementation of strong security frameworks, continuous risk assessments, and cultivating a culture of security awareness, all vital for safeguarding against the dynamic threats of the digital world.
Steven Williams is the executive director of Sunisle Technology Solutions and the principal consultant at Data Privacy and Management Advisory Services. He is a former IT advisor to the Government’s Law Review Commission, focusing on the draft Cybercrime bill. He holds an MBA from the University of Durham and is certified as a chief information security officer by the EC Council and as a data protection officer by the Professional Evaluation and Certification Board (PECB). Steven can be reached at: Mobile: 246-233-0090 Email: steven@dataprivacy.bb
