A summary of key findings of a recent cybersecurity survey conducted in the Americas.
Last week, news stories began to emerge that the Islamist extremist group, ISIS (the Islamic State of Iraq and the Levant) had hacked the Saint Vincent and the Grenadines’ government website:
Visitors to the website, , www.gov.vc, are greeted by the message “Hacked by Moroccanwolf – Islamic State” – accompanied by a photo of a man firing a machine gun from the back of a pick-up…
(Source: St. Lucia News Online)
For a small and idyllic multi-island state in the Caribbean, with a population of just over 100,000, Saint Vincent and the Grenadines, arguably, may be as far away from ISIS as one can get. However, regardless of whether ISIS indeed is responsible for defacing that country’s government website, the fact remains that breach occurred and the website was compromised.
Breaches of government websites, along with a broad range of other network security threats are increasing across the Caribbean, and across all key segments of the society. In Jamaica in late 2014, over 10 government websites were hacked, and a study conducted earlier in the year revealed that “at least 43 government entities are at the risk of being hijacked by cyber criminals because those sites lack the requisite security features” (Source: The Gleaner).
In January 2015, the Organisation of American States (OAS) in collaboration with Trend Micro, a well-known security software firm, conducted a survey among OAS member states on “cybersecurity, attacks, preparedness and critical infrastructure” (Source: OAS and Trend Micro). The survey was targeted at the heads of security and/or CIOs of the major critical infrastructures in all countries in the Americas. Responses were received from 575 entities in 26 countries. The Caribbean/CARICOM countries that participated in the exercise were: Barbados; Belize; Dominica, Dominican Republic; Grenada; Saint Vincent and the Grenadines; and Suriname. Some of the more telling results from the survey are outlined below:
- 53% of survey respondents noticed an increase in the level of incidents to computer systems in 2014, and 76% of respondents were of the view that incidents against infrastructures are getting more sophisticated.
- 46% of the government sector, followed the energy (47%), communications (44%) and the financial and banking (42%) sectors have experienced attempts to have information deleted or destroyed.
- The most common types of attacks are: phishing (71%), unpatched vulnerabilities (50%), distributed denial of service (42%), and SQL injection (32%).
- Over two-thirds of the respondents (69%) have cybersecurity awareness policies for their employees, whilst just over a half of them have a disaster recovery plan (54%) and a cyber-incident response plan (52%). However, just over a third of respondents (37%) have adopted Industrial Security Standards (BERC CIP, ISO 270).
- The technical cybersecurity measures put in place to protect critical information systems were: antivirus (90% of respondents); industrial firewall (86% of respondents); automated backup (74% of respondents); audits/penetration testing (54% of respondents); encrypted communication (49% of respondents); event correlation (38% of respondents).
- Finally, only 5% of respondents felt that their organisations were “very prepared” for a cyber-attack.
A few thoughts…
The results of this OAS/Trend Micro survey suggest that the Americas, and for our purposes the Caribbean, might not be as prepared as it should be for cyber incidents. Attacks are becoming even more sophisticated and frequent, but there still appear to be significant gaps in the policies that have been adopted and in the technical measures that have been implemented.
Image credit: Yuri Samoilov (flickr)