By Annelia Nixon

Tribune Business Reporter

anixon@tribunemedia.net

The Bahamas’ cyber security chief yesterday called for shared resilience and information sharing to better combat threats in an increasingly digital world.

Sametria McKinney, director of The Bahamas’ cyber incident response team (CIRT), told the 32nd meeting of the heads of CARICOM social security organisations: “You have to share information on things like what tools are you using.

“And I’m not saying share on the Internet. I’m talking about sharing with your community. These are the conversations you need to have. You also need to share framework and policies because if you’re in the same business, you’re doing the same thing.” She discussed risks, including those related to technology, legal, people and strategy.

“All of those are part of enterprise risk management,” Ms McKinney said. “So what you’re seeing is you’re seeing some phishing, some fake apps, you’re seeing viruses, malware. You’re seeing fraud, you’re seeing password theft, you’re seeing data loss. These are some of the things you’re seeing.

“But the reason why I put this here is because I initially had a slide at artificial intelligence (AI) and I opted against it. But I did want to mention phishing specifically because one of the things I want people to appreciate, when you think about what your threat looks like, is that your threat isn’t static.

“It’s just non-static. It’s evolving. So that means then at the Board level, at the management level, at the operation level, at the technical level, that we should be talking and understanding what our threats are. We should be discussing those threats and then, more importantly, we should be discussing them together.

Ms McKinney added: “The other thing, too, is your threat actors are also evolving. And they’re evolving because technology is changing. A perfect example of that is phishing. You remember back in the day you would have these phishing e-mails, say from an African prince. I used to see them. I would open them and read them. Just in case.

“And the way we would tell that they were phishing would be because the grammar was wrong, the sentence structure was wrong, there was an obvious sign that, you know, maybe this doesn’t work. Nowadays, that is not the best method of telling if it’s efficient because with AI, the e-mails that they’re sending you are correct.

“They have no errors, they know your name. They know enough about you to be 100 percent believable. So that means that your threat actors are evolving. They’re getting better at this.”

Ms McKinney explained that companies need to create committees to monitor cyber risks, appoint someone to do an assessment and consider risk appetite. “The second thing is: Who’s talking to the Board? You need a committee, another one,” she added. 

“You can combine it with the audit committee or the risk committee or whoever committee. But somewhere you need to be looking at your risk. Cyber risk is what I’m talking about. They need to be able to tell you about things like when you have your pen test done, the vulnerabilities that were discovered, and then the road map and prioritisation plan of addressing those.

She added: “The other is we must assess. When you go out, you’re hiring somebody, you’re finding your framework, you are assessing. So give somebody some money to assess. If you don’t have a vulnerability scanner in your facility, just find one. The first time they run that vulnerability scan, don’t panic. There’s going to be so many unpacked systems you wouldn’t believe it.”