Nadine Maitland | Jamaica needs a comprehensive information security governance framework
Due to the information revolution, along with the advent of the World Wide Web (WWW) and a wide range of technologies, data has become the most valuable asset for most organisations and governments; however, there are some serious concerns regarding information security. These concerns can be classified as real and sometimes just a perception.
However, with so many reported incidents of cybercrimes and anecdotal evidence revealing that as far back as 2007 the cost of cybercrime had outstripped that of narcotic drugs, there is need for immediate action, as the cost of information security continues to grow.
For most companies worldwide, the average cost of cybercrime grows by 8.5 per cent annually, and overall investment in information security was estimated to be over $75.4 billion on a yearly basis. Parallel to the increase in investment/the cost to address cybercrime is the increase in reported breaches and the cost associated with these incidents. This has resulted in an overall cost of cybercrime worldwide estimated, in 2017, to be over $600 billion.
Clearly this is a paradoxical situation, as there is an increase in spending on information security, yet there is an increase in information security breaches.
Today, many organisations’ and governments’ critical infrastructures are becoming more dependent on information systems, and the Internet is becoming the medium of choice for communication. This has created several information security risks.
NEED FOR COORDINATED APPROACH
With the increased use of smartphones in developing countries, there is growth in the use of the Internet and its services at a faster rate than in developed countries, yet the region is behind in preparing for the imminent risks involved in the use of these global networks.
As governments and companies in these regions move to take advantage of the new opportunities created by the Internet and the technologies available, there is need for a coordinated approach to cybersecurity.
Research indicates that there is complacency towards cyber/information security and fragmentation in the approach to information security. This has resulted in many assets being left unprotected because of limited budget, and hackers exploit the opportunities that are present in these systems.
Reports reveal that developing countries are struggling with information security, and finding a solution for cybersecurity has proven to be a major problem in these regions. In recent times, banks in Jamaica and the region have suffered significant losses as a result of cybercrime, and Jamaica is often referred to as the ‘scamming capital’ of the world, where there is a wide range of sensitive information already in the hands of criminals.
There is need for a deliberate effort in addressing the issue of information security governance that goes beyond setting up of committees and talk shops. The lack of adequate technological structures, limited skill sets and inadequate anti-cybercrime strategies that meet international standards in developing countries make them more vulnerable, and they are affected more by cybercrime than developed countries.
One way to begin addressing the situation is the development of a comprehensive information security governance/policy structure that is owned, managed and enforced by qualified information security professionals. This should be ‘policed’ to ensure compliance and that penalties for breaches are enforced.
This should clearly define how sensitive information will be collected, how long it will be kept, who will have access to this information, and the protocol that should guide the disposal of data/information and equipment.
This is not a ‘magic wand’ and is not meant to be taken as prescriptive, because there are no silver bullets to taming this growing ‘monster’. However, it will provide a framework that, if followed, could reduce the incidents of breaches and reduce the need for ad hoc and reactive responses that are presently employed in most cases when there are incidents of information security breaches.
MOST UNDER-REPORTED CRIMES
It is an established fact that cybercrime is one of the most under-reported crimes; however, in recent times, there has been an increase in reports of these incidents in Jamaica, so just imagine if we should see the full cost of this crime.
The enforcement/implementation of the Data Protection Regulation (GDPR) in the EU on May 25, 2018, is a clear signal to all regions that there should be a systematic way of dealing with the collection, use and disposal of data/information. The GDPR clearly outlines penalties for breaching these policies, and there are far-reaching implications for all countries that do business with that region.
The Government of Jamaica needs to adopt this approach and provide an enforcement team to be the guards of this policy, or we will continue to see an increase in information security breaches.
Recent reports indicate that one of the most, if not the most, important arms of the Government, which could be referred to as the flagship department in technological matters, has disposed of its e-waste (computers and cellular phones) without scrubbing or properly cleaning these devices that contain sensitive information. This is alarming.
Presently, there is the ‘imminent’ development and implementation of the NIDS and several other government agencies are integrating their information systems (assets) and resources, such as TRN, NIS and driver’s licence numbers, just to name a few. These credentials contain individuals’ personal information, ranging from home and business or work addresses, children’s names and spouse information, just to name a few, and with the talk of a ‘one-stop shop’, there is cause for concern.
There needs to be a clear direction and a governance structure in place, enforced and communicated to all users and administrators of these systems and custodians of these information assets. We should not wait until something else happens on a larger scale; I believe the Government should take the lead in this matter. Having a ‘policy’ that is not enforced or managed is like having no policy.
Nadine Maitland is a lecturer at the School of Computing and Information Technology at the University of Technology, Jamaica. Email feedback to firstname.lastname@example.org.