To varying degrees, the Caribbean is seen as a haven for cybercrime targeted at developed countries, but increasingly local private and public institutions are experiencing intrusions. This post challenges us to discuss how serious the region is about addressing cybercrime and cybersecurity.
Over the past few weeks there has been a spate of cyber intrusions worldwide, which resulted in the loss or theft of data. Some of the incidents reported include the New York Times, The Washington Post and Twitter, and within the Caribbean in the last two weeks, Digicel and the Office of the Director of Public Prosecutions in Jamaica were hacked.
It is also important to highlight that in the region, Jamaica has been under much scrutiny for advance payment scams, more commonly known as “lottery or lotto scams”, which are being directed at United States (US) residents. As noted in this week’s news roundup, prominent US reporter, Dan Rather, was in Jamaica last week to prepare a report on the scamming, along with what the country has been doing and intends to do, to arrest the situation.
Without a doubt, developed countries are still grappling with cybercrime, but they are committing resources to continually improve their security. In the Caribbean, what are we doing to protect ourselves and to be more vigilant?
Increasing sophistication of perpetrators and threats
Although we ought not to underestimate the ingenuity and commitment of the individual hacker who is intent on breaching our computer’s or network’s security, computer criminals are becoming increasingly sophisticated. As was noted in Escalating cyber security up the political agenda, ‘advances in technology and the Internet is causing cyber crime to become more organised and structured’. Groups or syndicates tend to be the norm. They are highly organised and their members have clearly defined functions and responsibilities, which typically results in very complex and accurate coding that has benefited from a comprehensive and communal process.
Similarly, there has been a growing trend with respect to the types of intrusions that are being experienced. They are becoming stealthier, deeper and more persistent. Hence although the usual viruses, trojans, worms, etc., are still being developed and are wreaking havoc on networks and systems, a new class of threat has emerged that has been designed to evade detection, yet be resident and active for months, or even years. Consequently, when the intrusion is finally detected, it is frequently unknown how long it had been present, and the extent of the damage or loss it has caused.
Penny wise, pound foolish
Worldwide, unauthorised intrusions are on the rise; but how are we protecting ourselves? Many of us, especially businesses and organisations, rely, almost exclusively, on free antivirus software.
Free antivirus software does provide baseline protection to PCs and similar devices, but there are reasons why it is free. Free software offers the most basic protection, which tends to be limited to virus detection and removal on your device. The broader aspects of computer security – such as added protection for online banking and shopping, personal data and even your keyboard – are not included.
On the other hand, in organisations that have in-house network or IT personnel, frequently, much of their time and attention is spent addressing problems staff have with the equipment, leaving little time to comprehensively oversee the integrity of the businesses’ network and systems. More importantly, the majority of organisations are not as concerned as they should be with the security of their networks, and are exceedingly modest in their spend on this area. Hence many are not prepared to supplement their in-house support with dedicated network security specialists, who would monitor an organisation’s systems and networks, and could either be employed directly, or contracted to provide the requisite services.
Poor internal policies and practices
Even with the most sophisticated protective measures, organisations, and even the individual user, must adopt good practices to limit the opportunities for unauthorised intrusions. A glaring weakness that is frequently overlooked is the USB flash drive that we use to save and carry information between devices. Similar to the floppy disk that preceded it, USB drives can harbour a broad range of malicious code that we, as users, unwittingly transfer or save to those drives, and then spread, when we connect them to other devices.
On another note:
- When was the last time you ran a full system scan of your PC, laptop, USB drives, etc., with the installed antivirus or network security software?
- Are these scans regularly scheduled?
- What other system-maintenance tasks do you do, or have committed to do, regularly?
- Do you try to keep an eye on new developments occurring in computer and network security? Do you act on them?
Many of us are not as vigilant as we should be. Hence we may not even be aware of some of the changes that are occurring in our computing devices, particularly vulnerabilities that basic security measures would flag if we used them well.
Collective resourcing and learning
Finally, it is important to highlight that Computer Emergency Response Teams (CERTs) or Computer Security Incident Response Teams (CSIRTs) still have not been established at either country or regional level across most of the Caribbean. CERTs/CSIRTs can be established within institutions, among organisations, as well as nationally, to provide another layer of intelligence and technical expertise to their members, which in turn strengthens the capability of the collective.
Several organisations, including the Organisation of American States and the Commonwealth Secretariat, have technical support to establish such CERTs/CSIRTs in the region, but few, if any, have been launched. Currently, it is unclear what difficulties are being experienced in implementing CERTs/CSIRTs, but the region is increasingly seen as a conduit for cybercrime to developed countries, since it has implemented relatively few measures to address it. Hence the Caribbean could be seen as less than credible if it wishes to be seen as vigilant about cybercrime and security while it has yet to implement some of the critical measures that would demonstrate its commitment to addressing this issue.