[Exert from a recent interview I did with ICT Pulse on the state of cybersecurity in the Caribbean]
ICT Pulse: Niel, give us a quick recap of what were the most prevalent incidents in Barbados and/or in the region in 2013?
Niel Harper: In 2013, Barbados was subjected to attacks from a number of different threat vectors. Several government agencies, financial institutions and private businesses were the focus of targeted website compromises. Some of the techniques used were distributed denial-of-service (DDoS), cross-site scripting (XSS), and SQL injection attacks. There was also a sophisticated ATM skimming campaign that was perpetrated by Eastern Europeans whereby several commercial banks were targeted. I would like to emphasize that these are the known issues. I am pretty certain that the occurrences and complexity of the attacks were much higher, but as there is no legal requirement to report breaches, we will simply never know.
ICTP: Although we are still early in 2014, how is the threat landscape changing? Are there any particular areas of concerns that you have for Caribbean organisations this year?
NH: The Caribbean will be facing the same evolving threat landscape as the rest of the world. For one, as more companies and individuals in the region move their information to the cloud, we should expect to see more focused attacks on corporate and personal data stored on cloud services. Secondly, we will witness greater adoption of advanced persistent threat (APT) techniques to be used in the distribution of traditional malware. There will be growth in the amount of Android and iOS malware, and the burgeoning use of mobile apps for enterprise applications coupled with increased social media usage will broaden the overall attack surface. Given that Windows XP is still widely deployed across enterprises and on personal computers, the platform will become a huge target for attackers as Microsoft ends support activities. And finally, spam is evolving to a point where it is being employed more and more for malware payloads.
ICTP: At the CARICOM level, there appears to be a growing awareness of cybercrime and calls by leaders that something be done. In your opinion, have there been any improvements in the cyber security-associated resources or support structures in Barbados, and/or perhaps regionally? What might still be missing?
NH: The Government of Barbados has signed a MOU with the ITU to setup a Computer Incident Response Team (CIRT) within the framework of the ITU-IMPACT initiative on strengthening cybersecurity. I believe that this step is a signal of intent by government to improve cyber response capabilities in the country. However, my concern is that the accompanying cybersecurity legislation and the necessary capacity building for personnel is not being addressed in as robust a manner as it needs to be. Jamaica has expanded the capabilities of the Communication Forensic and Cybercrime Unit (CFCU) of the Jamaica Constabulary Force, and has also taken steps to establish a national computer security incident response team (CSIRT). A National Cybersecurity Task Force was also established in 2012. However, what have been missing in Jamaica are large-scale cybersecurity awareness programs to educate key at-risk groups. The Caribbean Telecommunications Union (CTU) has also been doing its part to combat cybercrime region-wide, but there are still a plethora of challenges in numerous countries in terms of adequate resources and funding for cyber security response. Moreover, there is little to no coordination among the cybersecurity entities in place across the CARICOM footprint. This prevents the region as a whole from jointly benefitting from crucial activities such as threat information sharing, critical infrastructure protection, active defense and incident preparedness.
ICTP: Are you observing any real evidence of a greater willingness among organisations to take cyber/network security more seriously? How is that awareness (or lack thereof) being manifested?
NH: I think there are generally two types of organizations across the CARICOM region: 1) Organizations that by the very nature of their business and the operational and regulatory requirements they are subject to, are compelled to take cybersecurity serious and invest heavily in a strong control framework to effectively mitigate the risks they are confronted with; and 2) Firms or institutions whose management simply does not recognise or understand the high risks which they are faced with as it pertains to cyber attacks and online crime. So what you now have is a situation where there are a handful of companies with very strong cybersecurity capabilities (mostly financial institutions), and a large amount with weak controls as it relates to cyber resilience. All in all, many Caribbean organizations are still facing serious financial constraints, and budgetary planning cycles regularly do not include large expenditures on things like IT security. Monies are spent on more seemingly important corporate interests, although this will likely change as cyber-risks increasingly pose threats to human, social and economic well being and stability.
ICTP: Are there any key areas businesses should be investing their network security/IT dollars this year?
NH: Businesses need to invest their money in personnel with specialized knowledge and expertise in implementing technical solutions, enhancing operational practices and developing effective cybersecurity-related policies. Governments as well as corporations also need to invest in awareness-raising programs around cybersecurity. And more dollars also have to be spent on research, monitoring, reporting, and coordination of responses to cybersecurity incidents.
The full article and interview can be found at: http://tinyurl.com/mlssfll