To varying degrees, the Caribbean is seen as a haven for cybercrime targeted at developed countries, but increasingly local private and public institutions are experiencing intrusions. This post challenges us to discuss how serious the region is about addressing cybercrime and cybersecurity.
Over the past few weeks there has been a spate of cyber intrusions worldwide, which resulted in the loss or theft of data. Some of the reported incidents involved the New York Times, The Washington Post and Twitter, and within the Caribbean in the last two weeks, Digicel and the Office of the Director of Public Prosecutions in Jamaica were hacked.
It is also important to highlight that in the region, Jamaica has been under much scrutiny for advance payment scams, more commonly known as “lottery or lotto scams”, which are being directed at United States (US) residents. As noted in this week’s news roundup, prominent US reporter, Dan Rather, was in Jamaica last week to prepare a report on the scamming, along with what the country has been doing and intends to do, to arrest the situation.
Without a doubt, developed countries are still grappling with cybercrime, but they are committing resources to continually improve their security. In the Caribbean, what are we doing to protect ourselves and to be more vigilant?
Increasing sophistication of perpetrators and threats
Although we ought not to underestimate the ingenuity and commitment of the individual hacker who is intent on breaching our computer’s or network’s security, computer criminals are becoming increasingly sophisticated. As was noted in Escalating cyber security up the political agenda, ‘advances in technology and the Internet is causing cyber crime to become more organised and structured’. Groups or syndicates tend to be the norm. They are highly organised and their members have clearly defined functions and responsibilities, which typically results in very complex and accurate coding that has benefited from a comprehensive and communal process.
Similarly, there has been a growing trend with respect to the types of intrusions that are being experienced. They are becoming stealthier, deeper and more persistent. Hence although the usual viruses, trojans, worms, etc., are still being developed and are wreaking havoc on networks and systems, a new class of threat has emerged that has been designed to evade detection, yet be resident and active for months, or even years. Consequently, when the intrusion is finally detected, it is frequently unknown how long it had been present, and the extent of the damage or loss it has caused.
Penny wise, pound foolish
Worldwide, unauthorised intrusions are on the rise; but how are we protecting ourselves? Many of us, especially businesses and organisations, rely, almost exclusively, on free antivirus software.
Free antivirus software does provide baseline protection to PCs and similar devices, but there are reasons why it is free. Free software offers the most basic protection, which tends to be limited to virus detection and removal on your device. The broader aspects of computer security – such as added protection for online banking and shopping, personal data and even your keyboard – are not included.
On the other hand, in organisations that have in-house network or IT personnel, much of their time and attention is frequently spent addressing problems staff have with the equipment, leaving little time to comprehensively oversee the integrity of the business's network and systems. More importantly, the majority of organisations are not as concerned as they should be with the security of their networks, and are exceedingly modest in their spend on this area. Hence many are not prepared to supplement their in-house support with dedicated network security specialists, who would monitor an organisation’s systems and networks, and could either be employed directly, or contracted to provide the requisite services.
Poor internal policies and practices
Even with the most sophisticated protective measures, organisations, and even the individual user, must adopt good practices to limit the opportunities for unauthorised intrusions. A glaring weakness that is frequently overlooked is the USB flash drive that we use to save and carry information between devices. Similar to the floppy disk that preceded it, USB drives can harbour a broad range of malicious code that we, as users, unwittingly transfer or save to those drives, and then spread, when we connect them to other devices.
On another note:
- When was the last time you ran a full system scan of your PC, laptop, USB drives, etc., with the installed antivirus or network security software?
- Are these scans regularly scheduled?
- What other system-maintenance tasks do you do, or have committed to do, regularly?
- Do you try to keep an eye on new developments occurring in computer and network security? Do you act on them?
Many of us are not as vigilant as we should be. Hence we may not even be aware of some of the changes that are occurring in our computing devices, particularly vulnerabilities that basic security measures would flag if we used them well.
Collective resourcing and learning
Finally, it is important to highlight that Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs) still have not been established at either country or regional level across most of the Caribbean. CERTs/CSIRTs can be established within institutions, among organisations, as well as nationally, to provide another layer of intelligence and technical expertise to their members, which in turn strengthens the capability of the collective.
Several organisations, including the Organisation of American States and the Commonwealth Secretariat, have technical support to establish such CERTs/CSIRTs in the region, but few, if any, have been launched. Currently, it is unclear what difficulties are being experienced in implementing CERTs/CSIRTs, but the region is increasingly seen as a conduit for cybercrime to developed countries, since it has implemented relatively few measures to address it. Hence the Caribbean could be seen as less than credible if it wishes to be seen as vigilant about cybercrime and security but has yet to implement some of the critical measures that would demonstrate its commitment to addressing this issue.
Image credits: chanpipat, Stuart Miles / FreeDigitalPhotos.net; Null Value / flickr
___________
I can only echo your concerns. You have highlighted some pertinent facts and I think that as a region we need to act now as we are already behind in setting up regional and national teams to address issues. A point to note is that it is not enough to have a police team or a technical team. I know resources are limited but we need to seriously consider setting up teams that include specially trained individuals from different backgrounds to address what is a growing issue.
Those are all valid points. Having focused on cybersecurity in the Caribbean for the last 5+ years, I can say that there is generally a lack of awareness on all levels: public, private and consumer. It is also important not to forget our children and educating them early. They are our future leaders and business owners.
I have data from several sources that indicates that the Caribbean is targeted and hosts “bad things” much more than people realize. The interconnected nature of the world and the region enables this. Also, most major corporations have branch offices in the Caribbean. So the perception of weaker cybersecurity means that we are more likely to be targeted. We are much more trusting due to closer-knit communities and consequently more likely to succumb to social engineering and similar threats.
There is one stigma which needs to be broken, which is that when people think of computer security, they tend to stop after a firewall and antivirus. These technologies were invented over 20 years ago to address problems from 20 years ago. If these were the true answer to our problems, we would not have all the issues that we face today. The reality is that computer security touches nearly every aspect of an organization's infrastructure: computers, servers, network, databases, web, email, compliance, mobile devices, users, etc. The sooner organizations are able to recognize this and make these a priority, the better. On the other hand, computer security is just another layer of IT management. And when an organization has trouble even fulfilling basic IT management functions, it is completely normal that security cannot become a higher priority. One of the key areas in which I work with customers is in the application of the right security technologies in a way that can actually improve performance in other areas of IT.
I am doing my part through work and community engagements with schools, parent teacher guilds and even random people that ask me what I do for a living, such as my recent taxi driver.