BRA Information Security Incident Analysis
On October 1st, 2024, the Barbados Today media company published an article indicating the Barbados Revenue Authority (BRA) and police are investigating a reported breach of the BRA vehicle registration data. The article references an official statement from BRA stating they were aware that some vehicle registration application information was circulating on the internet and social media and were actively investigating the incident. The article further quoted the official statement indicating, “[BRA] understands that restricting access to the vehicle registration portal is disruptive to Barbadians, and we regret the inconvenience that these necessary precautions have caused for the public.” The CBC Barbados X (Twitter) account posted an audio snippet from Minister of Industry, Innovation, Science and Technology, Marsha Caddle, on October 1st, 2024. The Minister indicated she is aware of the breach at BRA and, based on investigations at the time, the breach was isolated to the vehicle registration application.…
The Impact of Security Culture
As the Barbados Information Systems Security Association (ISSA) chapter celebrates the 20th edition of Cybersecurity Awareness Month, we would like to acknowledge our international organization (ISSA)®. The Information Systems Security Association (ISSA)® is a not-for-profit, international organization of information security professionals and practitioners. It provides educational forums, publications, and peer interaction opportunities that enhance the knowledge, skill, and professional growth of its members. Its core purpose is to promote a secure digital world. We want this month to focus on the impact of security culture on cybersecurity awareness, particularly within the Corporate enterprise. If we accept that “Culture eats strategy for breakfast” (Peter Drucker), then embracing Security Culture is a sure route to increased organizational success and sustainable competitive advantage. Security Culture changes how users internally process decisions before acting on an email, file, or any other object in the virtual or real world. Before any task execution, there is…
Cybersecurity in SMEs: RC²™ [Risk, Controls & Culture]
In SMEs, there are limited resources that are always competing for allocation with varying revenue-generating components such as manufacturing and marketing. Cybersecurity risk is a business risk and should be allocated funding however the quantum of the allocation does not always meet the required level therefore a rationalization of the resources needs to be accommodated. This is where an RC₂ methodology would be applied for practical application to mitigate cybersecurity risk in SMEs. SMEs do not typically have the luxury of implementing NIST CSF or ISO 27001 frameworks but RC²™can help. RISK SMEs need to assess the level of cybersecurity business risk to the organization. This involves a critical look at the business to: ❶ Identify Assets – inventory, and classification of assessment ❷ Identify Threats – external, internal threats, and natural disasters ❸ Identify Vulnerabilities – technical, human and physical ❹ Assess Impact – data breach, email compromise, and…
The intersection between data privacy and data security
Data privacy is an established discipline which deals with the protection of people’s personal information, to protect the individuals themselves. Information about people’s ethnicity, religion, gender, political affiliations, nationality, diseases, physical disabilities, age, and other things, can be used to unfairly target or persecute people. Information related to a person’s financial status, workplace, place of residence, banking information, national identifiers, and biometric information can also be used to perform ID theft and other crimes against persons. Data privacy regulations thus try to influence how such information is collected, protected, shared, and disposed of. Data privacy is a practice heavily reliant on laws and regulations, and as such has traditionally been championed by legal practitioners. Data security (which can be considered to be essentially the data aspect of Information Security), on the other hand, relates to the protection of data. Particularly, it deals with the confidentiality, integrity, and availability of data.…