To put this in perspective, last year the FBI announced that revenues from global cyber-crime, which includes the Caribbean, had for the first time ever exceeded drug trafficking as the most lucrative illegal global business, estimated at reaping more than $1 trillion annually in illicit profits.
Additionally, Interpol has reported that organized international gangs are behind most internet scams and that cyber crime’s estimated cost is more than that of cocaine, heroin and marijuana trafficking put together. Many of these organized international gangs have now targeted the Caribbean, using our cultural and political norms of being “slow” to do almost everything totally against us.
On a daily basis, it is estimated that thousands of attempted attacks against Caribbean organizations, businesses and governments occur, with many going totally undetected or unreported. Hackers and cyber criminals consider the Caribbean ripe for the picking, and know that, in the very small chance that they are found and caught, many cases will be difficult to prosecute because of the region’s lack of effective cyber security laws.
The lack of a regional legal framework around cyber-crime and cyber security is playing right into the hands of cyber-criminals, who are laughing all the way to the bank. While it has been clear for some time now that regionally we “desperately need cyber laws and legislation in place”, government bureaucracy has been largely to blame for our inability to establish effective cyber-crime and security laws and legislation.
So why is this? As we have observed, in many Caribbean countries there is usually a small team of public sector workers with responsibility for writing legislation who simply do not have the technical expertise to even know where to begin in writing cyber laws and legislation for cabinet approval.
This reality is then further compounded by the rate of change in information and communication technology, which is neither stopping nor slowing for anyone. As a result, we keep falling further and further behind in protecting critical public and private sector ICT resources and assets all across the region.
Due to our poor regional cyber security posture and our inability to comprehend the real-time threat cyber criminals and hacktivists pose to our region, these groups are, as stated before, using our cultural norm of being slow to act totally against us to defraud the citizenry and disrupt various public and private sector organizations.
To make matters worse, when cyber breaches occur the public is often kept totally in the dark, due primarily to concerns about reputation loss. Now it goes without saying that we are in hard economic times across the Caribbean, and we have been very focused on regaining growth in many of our traditional sectors like tourism and off-shore banking.
However, while we are totally focused on regaining growth in these traditional sectors, the daily losses and impacts due to cyber-crime activity have received little or no adequate attention. These impacts include:
• The loss of intellectual property and sensitive data.
• Service and employment disruptions.
• Damage to the brand image and company reputation.
• Penalties and compensatory payments to customers (for inconvenience or consequential loss), or contractual compensation (for delays, etc.)
• Cost of countermeasures and insurance.
• Cost of mitigation strategies and recovery from cyber-attacks.
• The loss of trade and competitiveness.
• Distortion of trade.
• Job losses.
The scariest aspect of all we face in Caribbean cyber space is that there are computer networks in both the public and private sectors “today” that are currently “compromised”, “breached”, or “hacked” via a method called the “Advanced Persistent Threat”.
So what is this thing called the “advanced persistent threat” (APT)? An APT is a network attack in which a cyber-criminal or hacker gains access to a computer network and stays there undetected for a long period of time, even years. The intention of an APT attack is to steal data rather than to cause damage to public or private sector networks. APT attacks target organizations in sectors with high-value information, such as governments and the financial industry.
When we as cyber security professionals hear reports from all across the region of financial losses where no one knows where the money has gone, the first thing many of us think is “APT”. There are potentially thousands of dollars being stolen daily in data and information resources all across the Caribbean by hackers and fraudsters, with very few public or private leaders doing anything about it, which begs the question: why is this?
The primary reason is that many Caribbean ICT, business and government leaders are not adhering to international cyber and information security best practices and standards, which take a 360-degree view of their security posture. This 360-degree view should include the implementation of the technical, management and operational security controls needed to lower their overall risk profile. Many are overly focused on technical security controls (firewalls etc.) and pay little or no attention to management (policies, procedures, awareness training etc.) and operational (continuous monitoring etc.) security controls.
In closing, each day it becomes more and more critical that public and private sector organizations get their computer networks tested for weaknesses and vulnerabilities a cyber-criminal or hacker can exploit. Ironically, the security fixes to prevent hackers from exploiting most vulnerabilities and weaknesses are usually “free”, but you can’t fix what you can’t measure or don’t know about.
A serious mental shift is needed by ICT leaders, business owners and government leaders in the Caribbean on the topic of cyber security, which has the potential to significantly disrupt business operations and create major financial losses in the worst economic climate we have seen in years. The few hundreds or thousands spent on an independent assessment can literally save a business, organization or government tens of thousands of dollars or even more.
So on behalf of the Caribbean Cyber Security Center, we urge regional businesses, organizations and governments to “Be proactive, Be aware” and get your computer network tested today, before it is too late, as there are only four types of businesses, organizations or governments in the Caribbean as it relates to the growing cyber threat:
• Those that have not been hacked and have an opportunity to protect themselves.
• Those that have been hacked and have done nothing.
• Those that have been hacked and will be hacked again.
• Those that have been hacked and don’t even know it (APT).