Over the past few months, the cybersecurity community has been taking stock of breaches and losses related to cybercrime that occurred during the course of 2022, and the numbers aren’t pretty:

• The average cost of a data breach for a company in 2022 was US$2.09 million, representing a 15% increase from 2021.
• The Latin American and Caribbean regions were particularly hard hit, suffering 137 billion attempted cyberattacks between January and June 2022, with ransomware being the most common breach.
• During the first six months of 2022, approximately 384,000 ransomware distribution attempts were detected worldwide. Of these, 52,000 targeted victims in Latin America.
• In Jamaica alone, the estimated losses due to cybercrime exceed $12 million annually, according to The Major Organised Crime and Anti-Corruption Agency (MOCA) figures.

Trinidad and Tobago (TT) was among the many Caribbean countries that saw a significant increase in attacks, especially ransomware, according to the TT Cybersecurity Incident Response Team (TT-CSIRT) of the Ministry of National Security.

One such incident that made headlines was a ransomware attack that forced Massy Group, one of TT's largest consumer goods and pharmaceutical suppliers, to close its stores. The attackers paralyzed the supermarket chain's systems and exfiltrated over 216 gigabytes of data.

In another incident, the cybercriminal gang Conti effectively froze Costa Rica's financial sector, leading the country to declare a national emergency and suffer losses of an estimated US$38 million per day. And in November last year, The French Caribbean island of Guadeloupe was forced to shut down all its computer networks to protect its data after a "large-scale cyberattack."

Everyday consumers ultimately bear the cost of these incidents: 60% of companies increased the price of their services following a data breach to offset their losses.

One of the reasons for the alarming uptick in data breaches is that threat actors are becoming more sophisticated and selective when planning their attacks and choosing their targets. The rapid pace of digitization is another contributing factor. Businesses in all industries have migrated their processes and equipment to IoT-based cloud networks. Too often, however, this move is often made without the necessary due diligence to secure endpoints and perimeters.

 

A Collaborative Response from Caribbean Countries

Recognizing the scope and severity of cybercrime’s threat to the region, Caribbean states are intensifying their collaborative efforts. One such example is the CARICOM Implementation Agency for Crime and Security (IMPACS), originally founded 16 years ago to help formulate strategy and coordinate regional responses to more traditional crime and security issues. It comprises 15 member states, including Antigua and Barbuda, Bahamas, Barbados, Dominica, Grenada, Jamaica, Montserrat, Saint Lucia, St Kitts and Nevis, St Vincent and the Grenadines, and Trinidad and Tobago.

In 2017, IMPACS introduced The CARICOM Cyber Security and Cybercrime Action Plan (CCSCAP), which aims to help member states address threats and vulnerabilities by codifying a “practical, harmonized standard of practices, systems, and expertise for cybersecurity, to which each Caribbean country could aspire.”

The Caribbean region is also finding support from The Cybersecurity Innovation Councils, an initiative of The Organisation of American States (OAS) and Cisco with the objective of advancing the cybersecurity political agenda of the OAS Member States.

In a recent meeting held at the OAS headquarters in Washington, DC, experts discussed the state of cybersecurity in the region and how to work collaboratively to sharpen its cyber defenses. Private sector and implementation community representatives shared their experiences with the aim of finding synergies among different stakeholders to help countries prevent, respond to, and recover from cyberattacks. Participants gathered in a creative thinking workshop to share ideas on strengthening the capacities of the entire cybersecurity ecosystem, promoting trust, and accelerating research and development in the Latin American and Caribbean region.

Several new initiatives were announced to further this goal, including an innovation laboratory, an applied research workshop, and a governance and artificial intelligence course. The importance of ensuring the secure adoption of emerging technologies that contribute to the digital transformation of organizations, and addressing issues such as security by design and by default was also emphasized.

The OAS Secretary for Multidimensional Security, Luis Fernando Lima Oliveira, noted that “Building cyber resilience is essential for the countries of the region to protect themselves against increasingly sophisticated threats. The attacks that the region has suffered in recent months show that cybercriminals work in an orchestrated manner, launching similar attacks in different countries almost simultaneously. Faced with this, there is no other solution than to work collaboratively. Initiatives such as the Cybersecurity Innovation Councils, which promote alliances between the public and private sectors, civil society, and academia, have become increasingly relevant to improve the capacities of countries in cybersecurity.”

 

How Can Businesses Shore Up Their Own Defenses?

While intensified cooperation on the part of government and the private sector to tackle the scourge of cybercrime is encouraging, every business needs to ensure its own information security strategy is fit-for-purpose. The fundamentals of cyber-hygiene include:

• First, identifying cybersecurity-related business risks based on an impact assessment. This should include a thorough assessment of all potential vulnerabilities and attack vectors and the definition of a remediation approach (covering people, processes, and technologies) for each identified business risk.
• Putting in place differentiated and targeted protection for the company’s most sensitive assets by ensuring the appropriate orchestration, technology, and personnel are in place to avoid any lasting impact on business continuity or quality of customer service.
• Assembling internal or third-party cybersecurity capabilities to continually mitigate identified vulnerabilities.
• Regularly running third-party cybersecurity ratings, vulnerability assessments, and drills, especially for the organization’s most critical sites (such as their supply chain and research and development arms.)

We discussed Cyber Hygiene in a 4-part blog series that focused on Vulnerability Management, Cybersecurity Posture Frameworks, and Incident Response. That series will provide a good start for organizations that need to map our a cost-effective way to improve cyber defense.

 

Conclusion – Partnering to Mitigate Digital Risks

The explosion of global connectivity and the propagation of internet-connected devices have given cybercriminals a technological advantage in creating digital risks. As a global managed security services provider, our goal is to provide you with tools to help with your security posture and decision-making processes. Further, we assist you with an understanding of your security baseline, and help you fend off attacks as they happen. We approach security in a modern, multilateral way by leveraging our global reach and strategic investment in innovation.

As we suggested in our Cyber Hygiene blog post series, “a significant number of organizations and security leaders see cyber hygiene as somewhat theoretical rather than something measurable. Most professionals in the IT security or cybersecurity industry understand it is difficult to set a value to systems, litigation costs, brand damage costs, ransomware costs, data loss costs, compliance penalties and so many other difficult to estimate variables.” That said, it is critical to employ risk management principles when choosing investments to improve cyber defense.