Residents of Bermuda can and should take steps to improve their digital security in the wake of the September 20 cyberattack on the Government, according to an IT expert.

Dave Heaney, the chief information security officer at Mass General Brigham hospital in the United States, said there were practical things that could be done to mitigate the potential consequences of personal data having been obtained by hackers.

Mr Heaney told The Royal Gazette: “Rather than focusing on should they be concerned, I’d encourage people to think about the things they can do.

“This is the incident that is happening today, this week, but … these types of incidents at a variety of different organisations are only becoming more common.

“There are things that people can do personally. Yes, there are custodians of data, like the Government, the hospital, the bank, etc, but you also have a lot of data within your own control.”

He suggested that everyone take three immediate steps to protect their information: ensure all devices are up to date, use a different password for every single website they use, and always put multifactor authentication in place.

“Those three things should be the top priority on the personal side,” advised Mr Heaney, who has worked in information security for 20 years and now safeguards the medical data of Brigham’s 2.5 million patients, including many from Bermuda.

“It’s good practice to do anyway, and sometimes an incident like this reminds people.

“It’s like when you change your clocks twice a year and that’s when you change the batteries in your smoke detector. This is the reminder sometimes for people to do a little bit of digital hygiene work.”

David Burt, the Premier, told a press conference on Monday that there was “circumstantial evidence that data may have been taken” during last month’s breach of the Government’s IT systems, but there was no “forensic confirmation” of exfiltration.

He said: “We’re working on that assumption with the Government’s privacy team to ensure that impacted parties can be notified.”

Mr Heaney, who stressed that he had no knowledge of the incident in Bermuda and that he was speaking generally, said a lack of certainty yet about whether data was taken was "not necessarily abnormal“.

“Sometimes you can go through an incident response exercise and know exactly what happened within a day. Sometimes it can take weeks to really dig through all of the available evidence and really figure out what exactly happened.”

He said though it might be easy to point a finger of blame after a cyberattack, the hackers were often working for “large, well-funded and sometimes even multinational” criminal organisations and were “pretty indiscriminate with who they are hacking”.

"Very often they are doing the digital equivalent of just walking down the street and jiggling every door handle to see which ones are unlocked,“ Mr Heaney added.

“Whatever they can get into, they get into, and go and do this.”

He said effective cybersecurity involved being “proactive and reactive all the time”, adding: “The longer an organisation has been around and the longer they’ve had a digital presence, the more difficult this challenge is, because you’re building on components that have been put in place over time.”

With a government body, Mr Heaney said, there was “often complexity and nuance that is difficult to fully understand”.

He said cybersecurity standards developed by the National Institute of Standards and Technology in the United States were starting to become more of an international standard, and they identified five key actions for organisations: identify, protect, detect, respond and recover.

Mr Burt said on Monday: “The government network is broad. There are certain places where things could have been better but ... people do not come through the front door.”

He added that “an initial infiltration did not happen via government systems entirely”.

Mr Heaney said medical data, especially, was highly targeted by hackers as it usually contained plenty of generally identifiable information about a person.

"It’s your history of diagnoses and conditions and doctor’s visits and all of that but … it often will include payment information, insurance history, family relationships, family history and more, so it’s a pretty complete profile of a person.“

In larger jurisdictions, including the US, those whose confidential data may have been breached are advised to put a block on their credit report to stop identity fraud.

Last month’s cyberattack did not affect the Bermuda Hospitals Board’s IT system but Department of Health and Bermuda Health Council services were affected.

Asked at Monday’s press conference if any medical data could have been taken, national security minister Michael Weeks said: “At this point in time, we can’t talk about anything specifically.”