Small businesses must fight cybercrime from front lines

It has been a decade since a coordinated, nationwide cyberattack took down operations in Estonia and effectively left the entire eastern European country without internet access.

For a small yet economically significant nation like the Cayman Islands, however, the warning remains.

“If Estonia can be knocked offline, the Cayman Islands can be knocked offline,” KPMG cybersecurity principal Micho Schumann noted on Monday evening.

KPMG cyber security principal Micho Schumann presents a free cybersecurity workshop for small businesses at the Chamber of Commerce. – Photo: Kayla Young

“Basically, [Russian hackers] flooded Estonia’s networks with so much data that everything was inoperable for about a week,” he said.

During a free cybersecurity workshop at the Chamber of Commerce, Mr. Schumann put business leaders on notice. To effectively defend against cybercrime, even small businesses must defend from the front lines.

From attracting the ire of a foreign superpower to a disgruntled employee, a myriad of cyberthreats can disrupt commerce and shake economies.

In Cayman, where the financial services industry reigns, the list of potentially lucrative hacking targets is significant.

While Cayman may feel far removed from rogue actors in Europe or Asia, in the wired world, no man – or island – is an island.

“Any intellectual property, mergers and acquisitions, large deals, this is what the state-sponsored guys are after. Think about military information or infrastructure projects,” Mr. Schumann said.

“Let’s say somebody wanted to build a port … and I wanted to know how much my competitor wants to pay for that project? … It would be really good to hack into the government servers and find that stuff out.”

To safeguard against threats, everyone from entry-level employees to the executive suite must be trained to understand potential vulnerabilities. Even well-meaning workers can invite security breaches by following bad links or unknowingly sharing company information.

Mr. Schumann described internal testing in Cayman where his team has accessed high-level and sensitive data using a summer intern login.

“Often within a few hours, we’re able to gain complete administrative access to their network, even though we are given basic access,” Mr. Schumann said.

“We’ll ask for a summer intern account and tell them, let us see what we can do. We’ll get access to payroll. We get access to passports and work permit information, all kinds of databases.”

He recommends employees commit to having at least two strong passwords: one for the corporate network and another for personal email.

“Now, I would like everybody to have strong passwords on every service they have, but it’s unrealistic,” he said.

Disgruntled employees who intentionally target sensitive data pose an additional set of challenges. Detecting these insider threats can be difficult. These are current and former workers who have been granted system access and thus sit in a unique position to exploit data.

A KPMG survey found nearly 70 percent of internal fraudsters were men ages 36-55 in a management role with at least six years in the organization. Mr. Schumann advised businesses to deactivate old user accounts, which can be used to access systems.

He said organizational cybersecurity can often resemble a candy bar or M&Ms: crunchy on the outside but soft on the inside.

“We see a lot of organizations that put a lot of focus on the outside, but once we get inside … all of a sudden, the controls drop and anybody has access to everything,” Mr. Schumann said.

He advises workers, when traveling, to avoid free WiFi, which can be used to access information stored on company laptops. He recommends using an encryption service to prevent breaches, and accessing personal accounts through cellphone apps, which typically come with encryption.

“You need to have encryption. Encryption is your friend here,” he said.

While cybersecurity can be a complex topic, effective protection often comes down to the basics. “It’s not rocket science. It’s simple,” he said.

He encourages companies to review their digital training and staff awareness. Starting with the small details, he said, can prevent potentially devastating losses.

For information about small business workshops, visit
