Basil Jarrett | Make cybersecurity training mandatory
I FIRST set foot on the Mandeville campus of Northern Caribbean University (NCU) in January 2004, when I was recruited by the head of the university’s Communication Studies Department to teach media and communications to undergraduate students.
Having spent the last five years studying in freezing New York City, NCU did not have to ask me twice if I would like to come help build their programme. They sold me on how sublime the Mandeville weather was, how pleasant and mild-mannered their students were, and how much latitude I would have to design my timetable and curriculum.
What they didn’t tell me was how deafeningly quiet the campus was, how hard it was to get a piece of chicken past campus security, or how many times I’d have to pray at the start of class each day. Not that I had a problem praying, but after five years in the No-Prayers-in-School USA, I had lost the ability somewhat and didn’t know how much longer I would get away with mumbling “God is good, God is great, let us thank him for…” under my breath, before one of the good Adventists would call me out. So no. Mandeville was not for me. Too quiet. Too peaceful. Too healthy. In addition to that, the guilt I felt each Monday morning after a rum-laced, party-filled weekend in Kingston started to weigh on me and after three pleasant and memorable years, I left NCU for the louder and more worldly University of Technology, swearing I’d never eat mock-chicken again.
But the campus has remained near and dear to my heart. I still have good friends and former students there who continue to fly the Adventist university’s flag and they will occasionally hit me up on Facebook (yes, I still do have a Facebook account) with a gentle reminder of the good old days.
DATA VALUE
And so, I was more than a bit surprised when I saw last Friday’s Gleaner headline that the university was the recent victim of a cyberattack and hackers were demanding millions of dollars to release the accounts of students and administrators.
Once I had got past the initial shock of “wow, someone would really target peaceful NCU? They must really hate the tofu too”, I started to think about the value of the data that was being held. You see, information, more specifically your private information, has become one of the most precious commodities in this modern, online-centric life that we now live. So much so that there’s a popular saying in the digital world that,
“If you’re not paying for the product, then most likely, you are the product.”
It’s a well-known fact that many of our favourite online sites and apps – Facebook, Google, TikTok, Twitter, YouTube, the ‘gram’, etc – make their money by selling your personal data to advertisers and other organisations. This information is the key to enabling companies to develop a competitive advantage over their rivals. The company, political candidate, user or advertiser that knows its customer best is one step ahead of the pack. This value is not lost on criminals either, as they have no compunction about stealing your personal data and selling it, or blackmailing or extorting you, for monetary gain. Their customers are usually companies, other criminals, criminal organisations and even political parties and candidates. And while the most obvious targets of cyberattacks would be banks and financial institutions, don’t adopt a false sense of security just yet, as sometimes, denying you access to your own information is valuable in and of itself.
THE REAL VULNERABILITIES
Cybersecurity is a cat-and-mouse game, with hackers seemingly always a step ahead of the security experts. But with the pandemic still on in earnest and many employees still working from home, there has been a significant rise in cyber incidents such as phishing and malware attacks, due to the rapid growth of remote working. To be fair, this isn’t necessarily down to only the failings of the cybersecurity guys, as users, staff and employees, especially those working from home, are also creating security vulnerabilities all by themselves. Many of the networks, modems, routers, servers and Internet connections that are not protected by IT antivirus software or firewalls present gaping vulnerabilities, as do the bad habits of employees themselves. Take the good friend of mine who installed all sorts of high-level security features on his phone – firewalls, security software, end-to-end encryption, you name it – only to be undone by his significant other simply swiping his thumbprint when he was sleeping. Sometimes high tech is beaten by the lowest tech you could imagine, and it’s no different when employees get complacent at home and begin to use unsecured Wi-Fi networks, recycle the same password for all their emails, and shun using multi-factor authentication to protect their online accounts. In other words, after spending millions on the best, most current, most secure cybersecurity systems money can buy, organisations must make one more important move to plug the weak link that sits at their laptop and uses password123 to access the company’s server. This is where cyber awareness training and education come in, by targeting careless or ignorant staff who can unwittingly undo even the most ambitious cybersecurity programmes.
HUMAN ERROR
The vast majority of cyberattacks, up to 90 per cent by some estimates, target the human element through innocuous-looking phishing, social engineering, malware, spyware and ransomware, simply because people are easier to trick, compromise and exploit. It is critical, therefore, that organisations invest in cyber awareness training for staff that effectively assists them in identifying and preventing potential security threats, such as the aforementioned malware, social engineering and phishing attempts. Employees must not only be trained to recognise the importance of strong passwords and multi-factor authentication for their online accounts, but also be encouraged or forced into actually using them. Employees are often the first line of defence in the company’s IT security infrastructure as their email accounts may contain a dormant virus just waiting to be activated. Staff must be trained how to not only spot these threats but must also be told how to report them once found. And in order to ensure that these actions are not seen as optional or discretionary, cybersecurity training must be mandatory, regular and continuous and enforced by strong IT security, social media, email and Internet user policies.
By adopting these measures, companies and organisations can begin to establish a culture where cybersecurity is seen as a shared and collective effort. It’s a first step but an important one. Sort of like that time I tried to walk past NCU campus security having forgotten that I had a two-piece, leg and thigh in my bag. And I would have got away with it if it wasn’t for the strong noses of some alert campus security and some jealous, meddling undergraduates.
Major Basil Jarrett is a communications strategist and CEO of Artemis Consulting, a Communications Consulting firm specialising in crisis communications and reputation management.

