Before the Next Cyberstorm: A Call to Action for TCI
If you know me, you will know how deeply I care about cybersecurity—especially when it comes to protecting the digital landscape of the Turks and Caicos Islands (TCI). While I have often shared my thoughts on social media, a friend encouraged me to take my advocacy further by writing for local newspapers. Life got in the way, as it often does, but here I am, finally putting pen to paper—because when it comes to cybersecurity, it is better late than never. After all, the cyber war is ongoing and will never end.
I know we live in a world where many people do not enjoy reading about topics they do not find immediately interesting, and I am sure cybersecurity is not on most people's interest list. However, I hope that if I can share bite-sized “cyber nuggets,” I might spark a quick glance that inspires someone to take action—whether to secure themselves, their families, or their organisations. By extension, this will help secure our country. It is my dream to see a cyber-aware Turks and Caicos Islands.
After a major cyberattack struck the Bermuda Government in 2023, I reached out to several Senior Government Officials. My message was clear: it’s only a matter of time before the same happens to us. In that email, I not only warned them of the impending threat but also offered my assistance and outlined several initiatives that could help prepare TCIG for the inevitable. I urged them to be proactive rather than reactive, emphasising the importance of readiness in the face of a growing digital threat.
In November 2024, I was invited to speak at the National Cyber Risk Assessment Stakeholders Re-engagement event. Once again, I shared my fear of the inevitable, emphasising that “it is not a matter of if, but a matter of when.” During my presentation, I provided concrete examples of Caribbean nations battling relentless cyberattacks, including the Barbados Revenue Authority, which experienced a hack in October 2024. This breach compromised approximately 230 gigabytes of sensitive data that was later shared on the dark web, exposing the personal information of many Bajans and raising serious concerns about privacy and data security. In simple terms, the dark web is made up of websites hidden from normal view and inaccessible via traditional search engines like Google. I’ll delve more into the dark web in a subsequent article.
I made it abundantly clear that ignoring these lessons is a grave mistake. The belief that our beautiful by nature TCI is still the best-kept secret and that we are somehow immune to cybercrime is both dangerous and misguided.
Now, here we are—facing the fallout of a major cyberattack. Sadly, as I predicted, we were not prepared. I am certain consultants have been hired to advise on fixes that could have been implemented long ago. Recommendations will undoubtedly pour in, and the overburdened IT team—who are likely being unfairly blamed—will continue working tirelessly to recover what they can.
A quick note to executives in both the public and private sectors: IT teams must be given the resources they need to secure your organisation effectively. Unfortunately, it is all too common in the region for blame to fall solely on the IT department when things go wrong. Successful cyberattacks, however, are a shared responsibility—from the Executives down to clerks. This is why many forward-thinking organisations now include cyber risk experts on their boards—to ensure robust measures are in place to address this ever-growing threat.
So, what will be the lasting impact of this cyberattack? I fervently hope we break free from the all-too-common pattern of half-hearted action—implementing one or two recommendations before slipping back into 'business as usual,' leaving ourselves vulnerable to the next inevitable attack.
The government must lead the charge in making TCI a cyber-aware nation. But until that happens, I will continue to do what I can within my sphere of influence—sharing insights and practical tips that, I hope, inspire action by organisations and individuals alike.
Cyber-Nugget for Today
For Organisations:
Security awareness training for your staff is crucial. While I do not know the exact details of the recent attack, there is a high probability that it began with someone clicking on a phishing link or unknowingly exposing sensitive information. Educating your team is not optional—it is essential. If employees do not know how to recognise a security threat, they cannot avoid, report, or mitigate it. Their vigilance is your organisation’s first line of defence.
It’s worth noting that over 70% of all data breaches are caused by human error—and with the rise of Artificial Intelligence (AI), this percentage is expected to increase.
For Individuals:
Cybersecurity is not just for your employer—it is for everyone. It must become second nature, like locking your front door when you leave the house. Strong passwords, multi-factor authentication (MFA), or even passkeys (when available) should be habits, not afterthoughts.
I have heard countless IT personnel express frustration at the pushback they receive on MFA implementation. However, in this day and age, MFA should not be optional. It should be enabled for all accounts—work email and systems, personal email, social media, financial institutions—any account that contains sensitive information. So, if you have not done so yet, please turn on MFA for your accounts now.
Cybersecurity is about protecting you! Together, we can build a safer digital future for our country; let us build a cyber-aware Turks and Caicos Islands.