Raphael John-Lall
Companies and businesses in T&T need to build stronger skills in planning for the fallout from ransomware attacks and other cybercrimes.
This is the view of managing director of Pinaka Consulting, Shiva Bissessar, who was recently in Finland attending a training session in this area.
Over the last few years, several prominent companies and businesses in T&T have been victims of ransomware attacks, from the National Insurance Board (NIBTT) to the Telecommunications Services of T&T (TSTT) to Venture Credit Union.
The EU CyberNet Winter School took place from 14 to 16 January 2026 in Helsinki, Finland and was organised by the EU CyberNet, an EU-funded project implemented by the Estonian Information System Authority and the Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) in cooperation with the Finnish Transport and Communications Agency TRAFICOM.
The EU CyberNet Winter School 2026 concluded after three days of intensive learning on managing communication in crises and addressing challenges in the age of artificial intelligence to improve skills of EU CyberNet Expert Pool members.
Ransomware is a form of malicious software (malware) that encrypts a victim’s files or locks their system, with the bad actors demanding payment—usually in cryptocurrency—to restore access. Attackers often steal data first (double extortion), threatening to release it publicly if the ransom is not paid.
Bissessar said businesses and the public, as well, seem to “underestimate” the rise of these types of cybercrimes.
“We’ve seen in Trinidad and Tobago, and the wider Caribbean, instances of ransomware attacks, instances of other types of cyber incidents. And what I have taken note of is there does seem to be a deficiency with respect to the communication plan in managing such an incident,” he said.
He urged business leaders to meet with management and develop plans in the case of cyberattacks.
“They definitely have to plan for, in the event of a cyber incident, what is the communication plan with the public, with our shareholders, with our board of directors, various stakeholders of that business.”
More action needed
Based on the Global Cybersecurity Index (GCI) 2024, Bissessar said T&T’s business community and other stakeholders are not very well prepared for ransomware and other types of cyberattacks.
According to this report, out of a maximum of 20 points in the area of legal measures, T&T scored 8.88. In the area of technical measures, T&T scored 6.98. In the area of organisational measures, T&T scored 16.21.
Under the five-tier rating system, T&T was given a Tier 3 ranking.
“I believe Trinidad and Tobago is in the third tier. A lot of the other Caribbean countries are in the second tier. But all that goes to say is that our maturity with respect to our information security posture, our cybersecurity posture, is somewhat lacking. And it is very important to treat with cybersecurity as a risk that you need to manage within your organisation. Communications is a critical part of managing that risk. And you do have to prepare for the eventuality,” Bissessar said.
He referred to recent ransomware attacks in T&T and advised businesses to prepare themselves.
“If you’ve learned any lessons from the past incidents we’ve seen taking place in Trinidad and Tobago, where victims have been exploited by a ransomware, you would recognise that there are deficiencies that need to be addressed. So, small and medium businesses, large entities, they all need to cater for this type of risk. Even small micro-entities need to cater to this risk. Because the attacks can take place at any time. They are targeted attacks. Of course, the larger your footprint, the more attractive you are to attackers, of course,” Bissessar said.
He also said there is a view that cyberattacks in T&T are even more prevalent than what is reported in the media.
“What you see in the news, of course, is not all of the attacks. You would only see a small fraction reported of the attacks that have occurred. There is no obligation on entities right now to report, for example, in the absence of legislation. These entities may be getting attacked, and there’s no obligation for them to report. Do we have a true picture of risks being manifest via attacks in the local environment? I would say no, we don’t.”
He also called on businesses to lift their standards and engage in more training to protect themselves.
“It is incumbent upon these small businesses, small and medium businesses, and the large entities to recognise this risk, treat with the risk, put measures in place to reflect that information security is thriving throughout your organisation.
“Again, one metric is your organisational structure. Does it reflect an information security posture? Do you have that specialisation or segregation of duties focussing on information security?”
Raising standards and adopting international best practice can help companies and businesses be better equipped to enter regional and international markets, he said.
“So, certification is something that can be used by entities that would like to sell into foreign markets, or provide assurances to the domestic market. If you want to say, for example, look, you are producing software within the local markets. And then the local market says you have to demonstrate that you’re paying attention to data privacy. You have to demonstrate that you’re holding other people’s data in a secure environment and not misusing the data. How does an entity do that? By attaining a certification like the ISO 27001 certification, you are able to demonstrate that.”
He also spoke about dire financial consequences for businesses that are not prepared.
“The ransomware game is, they will get into your network, they will encrypt your data to the point where you cannot use it and they will try to sell you a key. And that selling of the key is the actual thing that requires the ransom to be paid, where the victim now has to pay a ransom to get those files, to get the decryption key. There are ransomware groups.”
Unfortunately, he said, criminals have now turned this into a business, which is even more reason for companies and those in the legitimate business sector to protect themselves.
“So, this is not an individual, this is a business, this is an ecosystem of attackers, of bad actors. And why I say it’s an ecosystem, so for example, one guy may operate a call centre, another guy may operate the initial entry point into the network, he may specialise in that. And they orchestrate basically an attack within a ransomware group.”
