BRA Information Security Incident Analysis
On October 1st, 2024, the Barbados Today media company published an article indicating the Barbados Revenue Authority (BRA) and police are investigating a reported breach of the BRA vehicle registration data. The article references an official statement from BRA stating they were aware that some vehicle registration application information was circulating on the internet and social media and were actively investigating the incident. The article further quoted the official statement indicating, “[BRA] understands that restricting access to the vehicle registration portal is disruptive to Barbadians, and we regret the inconvenience that these necessary precautions have caused for the public.” The CBC Barbados X (Twitter) account posted an audio snippet from Minister of Industry, Innovation, Science and Technology, Marsha Caddle, on October 1st, 2024. The Minister indicated she is aware of the breach at BRA and, based on investigations at the time, the breach was isolated to the vehicle registration application.…
The Impact of Security Culture
As the Barbados Information Systems Security Association (ISSA) chapter celebrates the 20th edition of Cybersecurity Awareness Month, we would like to acknowledge our international organization (ISSA)®. The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. Its core purpose is to promote a secure digital world. We want this month to focus on the impact of security culture on cybersecurity awareness, particularly within the Corporate enterprise. If we accept that “Culture eats strategy for breakfast” (Peter Drucker), then embracing Security Culture is a sure route to increased organizational success and sustainable competitive advantage. Security Culture changes how users internally process decisions before acting on an email, file, or any other object in the virtual or real world. Before any task execution, there is…
Cybersecurity in SMEs: RC²™ [Risk, Controls & Culture]
In SMEs, there are limited resources that are always competing for allocation with varying revenue-generating components such as manufacturing and marketing. Cybersecurity risk is a business risk and should be allocated funding however the quantum of the allocation does not always meet the required level therefore a rationalization of the resources needs to be accommodated. This is where an RC₂ methodology would be applied for practical application to mitigate cybersecurity risk in SMEs. SMEs do not typically have the luxury of implementing NIST CSF or ISO 27001 frameworks but RC²™can help. RISK SMEs need to assess the level of cybersecurity business risk to the organization. This involves a critical look at the business to: ❶ Identify Assets – inventory, and classification of assessment ❷ Identify Threats – external, internal threats, and natural disasters ❸ Identify Vulnerabilities – technical, human and physical ❹ Assess Impact – data breach, email compromise, and…
The intersection between data privacy and data security
Data privacy is an established discipline which deals with the protection of people’s personal information, to protect the individuals themselves. Information about people’s ethnicity, religion, gender, political affiliations, nationality, diseases, physical disabilities, age, and other things, can be used to unfairly target or persecute people. Information related to a person’s financial status, workplace, place of residence, banking information, national identifiers, and biometric information can also be used to perform ID theft and other crimes against persons. Data privacy regulations thus try to influence how such information is collected, protected, shared, and disposed of. Data privacy is a practice heavily reliant on laws and regulations, and as such has traditionally been championed by legal practitioners. Data security (which can be considered to be essentially the data aspect of Information Security), on the other hand, relates to the protection of data. Particularly, it deals with the confidentiality, integrity, and availability of data.…
Government boosting IT system after breach
The following was posted by the Nation News on March 11th, 2022 [The] Government was forced to shut down its entire information technology (IT) platform yesterday after ransomware found its way through several vulnerable holes in the system. Ransomware is malware that employs encryption to hold a victim’s information at ransom. A user or organisation’s critical data is encrypted so that they cannot access files, databases, or applications. A ransom is then demanded to provide access. Ransomware is often designed to spread across a network and target database and file servers and can thus quickly paralyse an entire organisation. The ransomware that attacked yesterday forced the Ministry of Innovation, Science and Technology to take its overall Internet service offline so the issues could be identified. In an interview with the Weekend Nation even as a special team was still investigating the matter yesterday, Minister of Innovation, Science and Technology Davidson…
Cybersecurity Framework Profile for Ransomware Risk Management
NIST’s National Cybersecurity Center of Excellence (NCCoE) has released the NIST Interagency or Internal Report (NISTIR) 8374, Cybersecurity Framework Profile for Ransomware Risk Management. Ransomware is a type of malicious attack where attackers encrypt an organization’s data and demand payment to restore access. In some instances, attackers may also steal an organization’s information and demand additional payment in return for not disclosing the information to authorities, competitors, or the public. Ransomware can disrupt or halt organizations’ operations. This report defines a Ransomware Profile, which identifies security objectives from the NIST Cybersecurity Framework that support preventing, responding to, and recovering from ransomware events. The profile can be used as a guide to managing the risk of ransomware events. That includes helping to gauge an organization’s level of readiness to mitigate ransomware threats and to react to the potential impact of events. https://csrc.nist.gov/publications/detail/nistir/8374/final
The Metaverse – A Safe Space(?)
At the February 2022 Chapter Meeting of the ISSA Barbados Chapter, we had a presentation titled, “The Metaverse – A Safe Space(?)” was by Christopher Derrell Jnr. Chris (aka Chris Jnr/CJ/upgraded Chris 2.0) is an award-winning software developer who manages UX, architecture, and development to create practical and aesthetic websites. He has 7 years of experience in Software Development and holds a Bachelor of Science (Hons.) in Computer Science and Economics from the University of the West Indies (UWI), Mona. He leads a team of web developers at Adtelligent, and also co-leads Youth Can Do IT, a social enterprise teaching youth the power of data and code. You can view the recording of his presentation below or on YouTube. We’d like to once again thank Chris for agreeing to present and engage with us for our discussion.
Operationalizing the Jamaica Data Protection Act: A Conversation with the Information Commissioner
Symptai Consulting Limited hosted a webinar with Jamaica’s Information Commissioner (equivalent to the role of Data Protection Commissioner under GDPR) for a very engaging conversation around the impact of the Jamaica Data Protection Act which came into effect on December 1, 2021. This marked the start of a 2 year transition period within which Data Controllers must familiarise themselves with the Act, their role and enforce practices that ensure compliance. You can view the recording of the webinar below or read a summy of the Act here.
Dear HR . . . Does data protection law affect my role in HR?
The February 9th, 2022 issue of Barbados Today had a column that discussed the impact of the Barbados Data Protection Act on HR personnel, titled “Dear HR . . . Does data protection law affect my role in HR?“. The article explained why data protection is important, outlines the role of data controllers, how HR staff are impacted and key components of the Act. You can read the entire article here.
