By Nadine Wilson-Harris
The rush to make Jamaica a fully digital society has been met with a barrage of hack attacks against public and private sector agencies as well as individual accounts.
Information has become the new gold, one cyber security expert has explained. Speaking with Freedom Come Rain, he said that while there have been increasing efforts to digitise information, there has been very little investment in ensuring data collected in the normal course of doing business is secured.
Principal of the Gomex Institute of Technology, Andrew Gordon, believes the scant regard for data protection is placing Jamaicans at risk for hacking, scamming, and ransomware.
“We can’t be jumping into industrial revolution 5.0 and at the same time we find the money to buy the technology, but not the money to protect ourselves from it,” said Gordon, a certified information security manager and a computer hacking forensics investigator.
Just last week, the Financial Services Commission (FSC) reported in a media release that it suffered a “cyber event”. It was later revealed that most of the Commission’s files were encrypted, and there was a request for a ransom from the hackers.
Member of Parliament, Phillip Paulwell, also reported recently that hisphone was cloned and his bank accounts were hacked by scammers who withdrew a substantial amount of money. The former Minister of Science, Technology, Energy, and Mining said the hackers had access to his e-mail, pictures, personal and professional messages and threatened to make the information public unless he paid them money. The Minister refused to give in to the demand, although the perpetrators started releasing his personal correspondence to political and personal colleagues. A few days after, his 10-month-old daughter and her mother were reported missing. They are yet to be found.
Gordon said currently, companies are not compelled to report cyber breaches, but he said this will change when the Data Protection Act, which was passed in 2020, comes into effect. The government is hoping to finalise supporting regulations in time for the Act’s full implementation, slated for December 2023. The Act seeks to protect Jamaicans’ privacy and personal information.
The cyber security expert noted that in the US, there is the Computer Misuse Act and the Federal Information Security Management Act which make it explicit that government agencies have a responsibility to protect themselves from cyber attacks.
“There is nothing in Jamaica that compels an agency to have a security manager in place,” he said.
“We invest in physical security guards in abundance because we see it fit to protect the physical structure. If the cyber infrastructure is important to us, then we have a responsibility to implement best practices,” he asserted.
He explained that companies without security managers might find it more difficult to mount a successful case in court if they have been hacked, since they might be requested to prove that their data was secured and the hacker deliberately breached it.
“The companies themselves can’t really prove that they were protecting their system, and you defeat it. If there is no security in place, what are you going to charge the person for?” he asked.
Gordon noted that Jamaicans are increasingly being asked to upload personal data online but have no knowledge of where the data is being stored.
“As it is, anybody can send you a Google form to fill out, and you are entering TRN, date of birth, and all types of things on these forms,” he said.
“You are applying for a programme for your child, they send you a Google form, and they send you a website. How do you know who has access to your child’s information? asked the security information manager.
He is urging people to be careful of what they share online. Even a photo taken with a phone, for example, can be used to tell a person’s location.
“Information is the new gold. It’s not guns or weapons really run the world anymore.
Do you notice [that] as soon as they capture your information, they tell you how much they want for it?” he pointed out.
“Normally, in a culture where you have persons highly skilled technologically and unemployed, then the instrument of crime then becomes the computer,” he said.
Churches, which generally collect data such as the address, date of birth, and next of kin of members, are also susceptible. Churches usually also have the marriage records and christening information for the children of congregants. He said cyber criminals will access information wherever it is made available.
Gordon is optimistic that the Data Protection Act will cause more companies to take their responsibility to protect customers’ information more seriously. He believes that in the same way car alarm systems are marketed with the sale of cars, there should be efforts to promote security mechanisms along with the technology used to facilitate digitization.
“I know we are a struggling economy, people have money issues, and all of that, but we could lose a lot more if we don’t take a proactive approach to cyber security,” he warned.
