Every business is vulnerable to cybersecurity threats regardless of its size, and Virgin Islands businesses should assess their risks and invest in appropriate preventive measures, two VI executives said during a webinar held last week as part of BVI Finance’s educational series on cybersecurity.
The session was led by BDO Managing Director Ryan Geluk and Harneys Chief Operating Officer Felice Swapp, who are both members of the international Information Security Systems Association.
Looking from “bytes to boardroom,” Mr. Geluk discussed the importance of regularly conducting comprehensive audits of a company’s digital assets.
In the past, he said, risk assessment focused almost entirely on what happens within the information technology department. Today, by contrast, companies must factor in voice-recognition technology, how well protected their partner vendors are, and a myriad of other potential weak points, according to Mr. Geluk.
“The main area that we need to remember when we talk about cyber risk is it has to start at the boardroom level,” he said. “Cyber attacks are becoming a lot more sophisticated and a lot more stealthy in the way that they operate.”
Big and small
Ms. Swapp said small- and medium-sized businesses in the territory may be particularly vulnerable.
Large companies like Microsoft, she explained, can allocate considerable funds for cybersecurity. However, smaller firms often have less to invest in their security budgets even though they manage high-value data that is attractive to attackers.
Like anything in business, mitigating cybersecurity risks comes at a cost, and Ms. Swapp said it is up to senior management to make decisions on policy and on how much money the company is willing to invest in the cause.
“Thinking holistically as leaders in financial services: We have to understand all the different elements — FS security, our own security, our network security, our cleaners’ security, our A/C technicians’ security — all of that comes together in terms of our tolerance for risk,” she said. “The question, of course, becomes how much risk is each of our organisations willing to tolerate? … It’s always going to be this risk-cost-benefit trade-off, because we cannot fully eliminate all of this.”
Attacks typically target individual employees first, Mr. Geluk noted.
An important countermeasure is “getting persons within your organisation to understand what the cyber risks are and how to quickly recognise them so that they’re not what we call ‘click happy,’ clicking on everything that somebody tells you to,” he said.
He encouraged businesses to schedule awareness training and testing on at least a semi-annual basis.
Training employees to easily identify security risks like phishing emails and malware attacks often is the least expensive but most critical investment to make, he said.
Mr. Geluk also highlighted the importance of fostering a company environment where individuals find happiness and feel passionate about their work, to minimise the risk of dissatisfied employees compromising security.
With many employees working from home this year, he added, companies should pay extra attention to ensuring they have safe access to digital networks, employing multi-factor authentication where appropriate.
He also said employees generally shouldn’t have carte blanche access to everything in the network and should be careful about using unsecured lines of communication. But security requirements do still need to be reasonable enough for individuals to conduct business efficiently and appropriately for the size of the company.
“When there is a cyber attack in your organisation, the wider that net is across your network that you have access to, the more widespread any sort of attack or breach would be,” Mr. Geluk said.
Layers of defence
Beyond individuals, Ms. Swapp said it is necessary for companies to rely on multiple layers of defence that constantly evolve to address new threats.
Mr. Geluk said investments in cybersecurity have the potential to directly benefit the company as well as make it more competitive in a worldwide market. Once patrons lose trust in a firm’s security, it can be difficult to regain.
“People want to do business with organisations who take their data seriously, and who take their risks and concerns seriously,” he said.
Ms. Swapp added that there are consequences for the wider industry as well when security is breached.
“Across the BVI, our whole sector, there is collateral damage if one of us goes down for one of these reasons,” she said.
BVI Finance and ISSA plan to host a series of forums focused on cybersecurity awareness.