
The need for better and more robust cybersecurity measures by financial institutions is evident from the increasing number of attacks taking place in Jamaica, the Caribbean and, indeed, across the world.
In recent times, Neal & Massy, Mayberry, Scotia Group Jamaica, Biomedical, NCB, and Jamaica National have all suffered cyberattacks, which compromised their operations and put their businesses under undue stress and strain.
Many financial institutions in developing countries see cybersecurity and data protection measures as a pesky expense and are reluctant to make the necessary investment. Many do not regard it as a required operating expense and then bemoan their folly when they are attacked and their businesses compromised.
A significant paradigm shift is needed, and cybersecurity must be seen as part of the cost of doing business; it is integral to digital transformation.
Earlier this year, a report by Fortinet highlighted over 30 million cyberattack attempts in Jamaica during the first half of 2025, with a rise in breaches targeting manufacturing, telecommunications, healthcare and financial services.

Attackers are increasingly using AI-powered tools like FraudGPT and WormGPT.
Last month, O’Rane Gray, CEO of CompConn and digital transformation expert, made a presentation before the 18th OECS Credit Union Summit in St. Kitts.
With 25 years of experience in cybersecurity and IT governance, Gray stressed the importance of data privacy and enterprise architecture. His presentation highlighted the urgent cybersecurity challenges facing credit unions and provided actionable strategies to protect financial institutions.
Gray detailed how threat actors are continuously adapting their tactics to exploit vulnerabilities in credit union systems, emphasising that traditional security approaches are no longer sufficient against sophisticated attacks.
He stressed that cybersecurity must be elevated to a board-level concern, requiring leadership engagement and strategic oversight rather than being treated solely as an IT department responsibility.
Gray recommended adopting a layered security approach, with multiple layers of security controls implemented to create comprehensive protection, noting that reliance on any single security measure creates dangerous blind spots.

Phishing attacks and dark web exposure pose existential threats to credit unions’ operations and reputations. Gray advocated for continuous risk assessments that adapt to the changing threat environment, explaining that security is an ongoing process rather than a one-time implementation.
The digital transformation expert, who hails from the parish of Portland in Jamaica, pointed to the need for policies that are both comprehensive and understandable, the challenge of maintaining compliance without impeding operations, and the critical role of leadership in fostering a security-minded culture across all levels of the organisation.
“Create clear, concise policies that align with regulatory requirements while addressing specific organisational risks. Pay attention to the importance of regularly engaging security awareness training that connects policies to practical scenarios employees encounter,” counselled Gray.

Develop robust backup and recovery systems
Given the prevalence of ransomware, Gray stressed the importance of implementing comprehensive backup and disaster recovery plans that follow the 3-2-1 principle:
- Maintain three copies of critical data
- Store on two different media types
- Keep one copy off-site and disconnected from the network

Conduct board-level cybersecurity assessments
Gray emphasised that boards must understand their oversight responsibilities for cybersecurity. He recommended regular assessments to evaluate the board’s cybersecurity governance capabilities and knowledge gaps.

Invest in continuous security education
Recognising that human error remains a primary security vulnerability, Gray advocated for ongoing security awareness training programs that include:
- Regular simulated phishing exercises
- Role-specific security training
- Security updates in all staff meetings

So, what can be done?
What can be done to protect your business and fight off these attacks that are occurring more frequently?
Gray advised implementing automated compliance tools and conducting regular audits to identify policy violations and improvement areas.
The panellists agreed that phased approaches with clear communication tend to be more successful than sudden sweeping changes. They recommended beginning with high-risk areas while building understanding and buy-in across the organisation.
O’Rane Gray emphasised that effective security requires a comprehensive approach that combines technology solutions with governance, training and operational procedures.

He went on to recommend adopting Managed Detection and Response (MDR) services to provide 24/7 threat monitoring and response capabilities. These services combine advanced technology with human expertise to identify and neutralise threats before they cause significant damage:
- Enables rapid incident response even with limited internal resources
- Provides access to specialised security expertise
- Offers continuous monitoring across all network assets