By James Bynoe
CEO Caribbean Cyber Security Center
WARRENS, Barbados -- The Caribbean cyber security center (CCSC) continues to urge the Caribbean region to take the growing threat from cyber criminals and hackers seriously. CCSC estimates that on a frequent basis Caribbean businesses, organizations, governments and homes are targeted and scanned for information system weaknesses and vulnerabilities that can be exploited, yet very little has been done comprehensively to combat this growing national security, public safety and economic development threat.
In the last 12 months we have seen reports from all across the region of network breaches, website defacements, ATM scams, denial of service attacks, and credit card fraud incidents. According to recent reports from leading global security organizations, in 2013 the region saw significant increases in data breaches, banking trojans, mobile malware and other online threats.
While we are pleased to see justice served in the recent sentencing of the ATM scamsters in Barbados, ATM scams represents only one front of the multi-front cybercrime war we face as a region. Cyber criminals must not only be prevented from ATM scams (by the entire banking sector finally moving to more secure ATM technologies), they need to be prevented from breaking into business, government, and home computers all across the region.
In recent months CCSC has responded to successful and unsuccessful attempts by cyber criminals and hackers to steal thousands in revenue from businesses and individuals, we believe that as a region we could be losing millions via unsecure and unprotected work and home computers which are compromised “right now” without the system owners or home user even knowing it.
Our belief is based on the extremely low level of regional cyber security awareness, non-adherence to cyber security best practices and standards, and the time it takes an average person, business, organization or government to realize they have been “hacked or compromised”, which can be as long as two to three years.
Additionally new cybercrime and hacker techniques like the advances persistent threat or APT have become more sophisticated with cybercriminal and hackers remaining undetected for longer periods of time while slowly stealing a wide range of information to sell on the cybercrime black market or to execute fraudulent financial transactions.
Unfortunately the region has been largely unresponsive to this threat due mainly to: (1) a cultural norm to be slow at act while discussing topics to their outer limits. This slow to act cultural norm is playing right into the hands of cyber criminals and hackers who are using our low level of cyber awareness and preparedness to defraud us daily; (2) economic challenges being faced by many organizations; and (3) failure of public and private sector leaders to budget and investment in cyber defences.
Ironically, each day our telecommunications industry as supported by many governments seeks to expand internet access to all corners of the region, which in essence is providing cyber-criminals and hackers with more and more potential cyber victims. Additionally, to complicate matters we have a few regional and international organizations with resources to assist in combating the cyber threat that can't seem to get off the conference “talk circuit” and get down to the brass tacks in raising regional cyber security awareness in a tangible way.
So today we find ourselves in a place where; the public and private sectors are failing to take proactive measures to budget for and implement effective cyber protections to protect their data assets which are often the personal and financial information of their clients and customers; many home computer operating systems are outdated and have no effective antivirus, spyware or malware protection software installed; and many families do not know the do's and don’ts of the internet and how to protect themselves from the millions of online cyber predators that exist today.
So what are the some key things that must be gone to start making our region cyber safe in a sustainable manner?
• All prime ministers have to make combatting cybercrime comprehensively a national priority as has been done by other governments worldwide, and create a cybercrime leadership post that reports directly to the PM’s office. Simply adding cyber security to a minister's portfolio as is typically done will not be enough to combat this threat due to the current low level of cyber awareness that exist today, and the attention that it needs.
• The throttle on implementing a wide range of cyber security/crime laws, legislation, and acts needs to be increased. Current efforts to establish a comprehensive set of cyber laws and legislation are too slow and are not effectively keep up with the evolving cyber threat whatsoever. The bureaucratic processes we have established to implement new laws and legislation in the region has to be brought into sustainable alignment with the evolution of technology much better than is being done today. Additionally cybercrime reporting laws and legislation will pay a key role in giving us the much needed data on the real world impact of cybercrime on the region, which is a key part of the challenge we have in taking this threat seriously.
• The private sectors namely ICT and telecommunications organizations need to play a more socially responsible role in helping the region educate the masses on the cyber threat as Columbus Communications/Flow has started to do regionally, as combatting cybercrime is a multi-stakeholder issue and not just a problem for government to solve. Additionally both the public and private sectors need to proactively start budgeting for cyber defenses in the operating of their information systems and view investments in cyber defences as a cost saving customer protection measure, and not just the IT guys wanting new toys to play with. Just as we spend and budget for guards and security systems, budgeting for cyber defences is more critical than ever.
It is clear that the Caribbean is becoming more and more dependent on technology and the internet in many aspects of our daily lives, just as the cyber threat gets more dangerous and damaging. We simply cannot afford to stay the current unaware, unsecure course as the cost of recovery from a cyber-incident has been proven to be significantly higher that being proactive and getting your network or home computer tested for system weaknesses and vulnerabilities that need to be remediated.
So as we promote the effective use of technology regionally, we must, must, must do so with a keen understanding of the cyber threat and invest in cyber protections from the management, operational and technical security controls perspectives. The reality is that cybercriminals and hackers are always communicating and looking to exploit system weaknesses and vulnerabilities in order to steal money, intellectual property, and identities and they “have targeted the Caribbean”.
The last thing the Caribbean region needs in these challenging economic times is to be known as an unsafe region to do cyber/internet dependent business, or use credit cards in the case of the tourism industry. As one of the fastest growing Internet penetration regions in the world, we in the Caribbean can no longer afford to ignore the cyber threat we face today or in the future, as that next cyber victim may be YOU.