An unprecedented international malware attack this month served as a reminder that businesses and individuals in the Virgin Islands and across the world are often unprepared for costly breaches of cyber security, VI industry professionals warned this week.

The May 12 attack — dubbed the WannaCry ransomware — rocked certain industries in the United Kingdom and struck computers running Microsoft Windows around the globe.

The phishing scam came in the form of e-mails — often designed to look authentic or familiar to the user — carrying links or attachments that installed ransomware when selected, according to a BDO Limited press release.

Additionally, the ransomware acted as a cryptoworm, spreading to other vulnerable computers without the need for a user to take any action.

After infecting a computer, the ransomware encrypted all of its files and launched a message demanding a ransom payment of a few hundred dollars in the cryptocurrency Bitcoin.

The malware is thought to have infected more than 230,000 computers across 150 countries on all major continents, hitting Russia and Europe especially hard.

Though there were no reported infections in the VI, residents should still prepare their systems for future cyber threats, according to Guy-Paul Dubois, manager of technology risk services at BDO.

The territory is particularly vulnerable to future attacks due to the amount of sensitive information held by financial services firms, said Guy Phoenix, the owner of Fresh Mango, a VI-based IT-support company.

“It’s become clear to me that the BVI is really quite exposed,” Mr. Phoenix said.

VI security

To prepare, Mr. Dubois encouraged VI companies and individuals to always update their computer systems when patches are available.

“Everybody seems to be clicking ‘update later,’” he said. “You should always update the moment you get it.”

As part of his job, Mr. Dubois conducts “penetration testing” for businesses around the territory, attempting to hack into systems to expose weaknesses.

For him, protecting a business’s system from malware largely comes down to three simple steps: staying up to date with patches; keeping employees informed of potential risks; and backing up all files.

Doing the work to ensure those steps are followed is preferable to dealing with the aftermath of a preventable cyber attack, explained Ryan Geluk, deputy managing director of BDO.

“Security is an investment, not a cost,” he said.

To that end, Mr. Dubois recently founded a VI chapter of the international Information Systems Security Association, a not-for-profit organisation dedicated to promoting effective cyber security around the world.

The chapter — which currently has ten members — plans to meet once a month to discuss cyber security issues in the territory, Mr. Dubois said.

Future attacks?

Mr. Phoenix said he expects additional cyber attacks in the near future, some of which may already be in the works.

An online group called the Shadow Brokers stole the exploit used in the ransomware attack from the US National Security Agency (see sidebar).

According to Mr. Phoenix, the mysterious group also hijacked 23 other pieces of software from the NSA, any of which could form the basis of another cyber strike in the future.

Any attack carrying a timestamp to kick in at a future date might already be in progress, he said, calling the situation a potential “cyber security time bomb.”

Though Mr. Phoenix said his customers are now safe from the WannaCry ransomware, he remains worried about the prospects of unknown attacks, and he encouraged companies and individuals to do everything they can to beef up their cyber security.

“You can never make the risk zero, but you can help minimise the risk,” he said.

Potential legislation

Both Messrs. Geluk and Dubois called for government-mandated cyber-security standards for the territory’s registered agents.

In the wake of negative publicity generated by data breaches like the Panama Papers, setting minimum standards for security could protect the financial services industry and serve as a marketing point for the territory, Mr. Geluk explained.

“Especially in the financial services industry, one breach is one too many,” he said.

Mr. Phoenix also said there is a “strong case” for mandated standards, but cautioned that any legislation would have to carefully craft those benchmarks with industry input so as not to overburden smaller businesses.

Reporting requirement?

Mr. Dubois said he would also support additional legislation requiring companies to announce when they have been breached by a cyber attack.

Currently, there is no such requirement in the VI, which means that instances of malware are likely to go unreported.

Such a measure would help improve the territory’s cyber security as a whole, Mr. Dubois argued.

However, he doubted such legislation could be passed in the VI due to probable pushback from the financial services industry.

In the US, 48 states, Washington DC, Puerto Rico, Guam and the USVI have enacted some degree of legislation requiring private or governmental entities to disclose security breaches regarding personally identifiable information, according to the National Conference of State Legislatures.

However, Mr. Phoenix said he did not know of any such legislation in the UK. Both he and Mr. Geluk were cooler on that idea, saying they are more in support of simply mandating minimum-security standards.

This article originally appeared in the May 25, 2017 print edition.