Countries pay thousands of dollars to recover from data breaches, but no one has quantified losses to the individual, says cybersecurity expert Edward Millington, nor have governments been held accountable.
He was reacting to news that the October 30 cyberattack at the Barbados Statistical Service (BSS) resulted in “sensitive personnel and statistical data” being in the possession of a criminal ransomware group, as revealed in a video message from Government.
“I can tell you in a cybersecurity breach, any company is looking at a minimum of US$25 000 to $30 000 for incident response. You add on top of that recovery services from IT (information technology), legal and all other issues surrounding that, you can easily spend close to or well over $100 000 depending on how big the organisation is,” Millington told a Nation team, noting that such costs could be traced via the company’s audit.
“No one knows at this point. There is no hard data on how breaches affect persons and what those costs look like per person. No one understands that. We just know that there are companies around the world that help you to recover your identity.”
However, the managing director of CariSec Global Inc., who holds extensive professional training and certification, up to trainer level, in cyber and information security risk, cyber resilience and enterprise risk management, warned that in highly digital societies, recovering a compromised identity could take several years.
“In countries like South Korea, Japan, China, where everything is digital, you hardly see any paper, you are just known by a number or by a certificate – a digital certificate.
“When you have been compromised, where your identity is lost, how can I confirm who you are? It’s a lot of work and if the systems are not interconnected properly and so forth, like what happens in America, somebody steals your social ID, your social number and your identity, you have to ask yourself, ‘Why does it take three to five years to recover my identity?’”
The Mia Amor Mottley administration has committed to digital transformation in several areas, including across the public service. When asked whether Barbados was ready for such a move, he said to look no further than the country’s cybersecurity capability or maturity, transparency about notifications and whether “we are working very hard with professionals to defend our systems” for the answer.
Lieutenant Commander Neil Matthews, head of the Barbados Defence Force’s Cyber Unit and incident manager, who also spoke Friday night on the BSS breach, said they had teamed up with the Ministry of Technology to investigate the incident, isolate the affected system and engage experts to help secure the network. He advised Barbadians to secure their information online and warned of the potential of increased phishing attacks and online impersonation.
Millington said the more information someone had on an individual, the more the person could be compromised. If someone gets access to email, for example, they could blackmail employees and force them to commit crimes against the business or Government, he added.
Senator Chad Blackman, Minister in the Ministry of Economic Affairs and Investment, said Government was “learning from it and rebuilding confidence in our ability to safeguard the vital information entrusted to us”. He added that to guard against future attacks, they were implementing enhanced cybersecurity measures, improving access controls and conducting comprehensive staff training at the BSS.
Millington said nations put general data protection regulations in place and while companies could be fined for these breaches, he was yet to see any punitive measures applied to countries when they occurred. Based on the laws, the local Data Commissioner had to report to counterparts across Europe and America, but no one knew what happened after that.
He reiterated the call for more transparency surrounding these breaches.