Cybersecurity in the Caribbean
A brief look at the state of affairs and a few recommendations
Sorry for the hiatus. I *really* wanted to write more here, it just wasn’t possible.
To make it up, this one is a fairly long one, despite taking an axe to the original draft. 🤣 I hope you like it, and don’t hesitate to ping me if you want me to expand on any areas that I have deliberately kept brief.
Within the last ten to fifteen years, there has been an almost exponential growth in the use of the internet in the Caribbean. Typically internet use had been lagging behind that of many parts of the world. This dramatic change has occurred rapidly and, unfortunately, without the guardrails typically developed during the progressive adoption of the Internet. The Caribbean has gone from a tiny percentage point in adoption to nearly 70% of the population, totally skipping the progressive uptake as we have seen in the US, the UK and the EU.
Internet use in the Caribbean is primarily through a mobile contract, with more mobile phone connections than people in the region. Many people have two or more mobile phones, often with data connections. And even though mobile internet in the Caribbean remains relatively expensive, with certain caveats, mobile internet usage is greater than that of fixed broadband use and is, for many, the only way they interact with the internet through apps or social networking. Once a subscriber gets a smartphone and a data connection, there is an almost 100% signup rate for social media such as WhatsApp, Facebook and Instagram.
As our lives and the economy surrounding us become digitalised with ever-more products, services and processes moving into the virtual world from the physical world, so does the threat of misconduct. In the same way that crime has followed (and, in some cases, driven) innovation, our lives are under pressure from actors worldwide that target us based on our weaknesses. The potential for harm is significant, from losing money to becoming unwittingly part of an organised attack on larger targets like state attacks. As the economies of scale of internet use and online life increase, so do the economies of scale of potential for crime.
This has not gone unnoticed, and small businesses and the public are starting to emphasise protection, detection, and clean-up tools in much the same way that we in the Caribbean are aware of environmental and natural disaster risks and planning accordingly. It is estimated that the biggest spenders on cybersecurity over the next three years are micro-sized and small-sized businesses – the backbone of companies in the Caribbean which are estimated to be somewhere in the region of 95% of businesses in Latin America and the Caribbean.
Cybersecurity in the Caribbean is at an early development stage, and specialised service companies that fill the requirements are few and far between. Small businesses and the public need specialised help at affordable costs to ensure they do not fall victim to cybercrime.
The Caribbean Context
It will come as no surprise that Cybersecurity is fast becoming one of the most pressing issues for business and society in the coming years. The Caribbean perspective is no different from that of the rest of the world; however, certain specificities make the challenge more delicate and need particular attention.
The distributed and only somewhat-collaborative nature of the Caribbean (the CARICOM members) and the fractured nature of the regional geopolitical situation (French, Spanish and Dutch West Indies sharing the space with the English West Indies) require a more integrated, collaborative and subtle approach.
For the most part, the larger countries in the Caribbean have tended to follow patterns seen in larger countries worldwide. They have become more outspoken in their knowledge and response to the region's cybersecurity issues. As companies in the Caribbean have become more visible to the broader world, thus increasing risk, governments, businesses, and citizens alike have become more aware of those risks and of the need to implement adequate protection systems to fight unwarranted incursions.
There is an increase in risk proportional to the rate of economic development; thus, as the Caribbean becomes more developed, cybercrime becomes a more viable means of extracting money from any unwitting community simply because the perceived potential financial gain is much more significant. Cyber malfeasance is a business! Pure and simple.
Case Study: Costa Rica – State of Emergency
Regrettably, Costa Rica recently saw this when it had to declare a state of emergency after multiple government agencies fell victim to a Conti ransomware attack. Not only had data been rendered inaccessible by AES-256 encryption and an attached US $10 million ransom (subsequently raised to US $12 million), but government data had been extracted over several months and later leaked openly when the government refused to pay the initial ransom demand. As of late April 2022, some 97% of a 672GB data dump was publicly available. Fears for the extent of data included have mounted, and so far, no review has been ordered to determine the risks for citizens and businesses of Costa Rica. But as some of this data appears to have been extracted from health systems, customs systems and other government systems that deal with payments (Social Security and Social Development), the fear is that many may fall foul of the spread of this data in the coming months and years through phishing the general public or through highly targeted attacks on influential or wealthy individuals.
The Trinidad and Tobago Cyber Security Incident Response Team (TT-CSIRT) recently observed a sharp increase in malicious cyber activity targeting local and regional entities.1 The TT-CSIRT urges all entities (public and private) to adopt a heightened state of awareness.
The Caribbean has been slow to acknowledge cybersecurity threats to the region. A lack of data and measurement has meant that many successful attacks on business and government have gone unnoticed by the population, exacerbated by a culture of silence. No high-profile witnesses have spoken up about their experience dealing with the initial phases, legal process, and clean up after an incident. Fear of damaging customer confidence is partly responsible for this; however, this only leads to less information on how cybercrime affects the region. It would be safe to say that what is reported is only the tip of the iceberg and that cybercrime is much more prevalent than is generally known.
Recently, governments and institutions have made more effort to address the issues, including public awareness campaigns and working with international NGOs to develop a better cybersecurity posture for people and businesses alike. One example is Get Safe Online. Get Safe Online operates through a network of Ambassadors that organise in-the-community training using the tools and training materials developed by the organisation.
Legislation and cybersecurity strategy
When it comes to cybersecurity law, the picture is not much better. Saint Lucia, for example, has an “in development” National Cybersecurity Strategy, and despite taking the lead compared to its neighbours in the OECS, it somewhat lags behind the international community. Barbados is another country with the ongoing development of cybersecurity legislation. The most significant barriers to establishing and implementing legislation are government capacity and political willingness. A government like Saint Lucia’s faces challenges on many fronts, stretching resources beyond capacity. A general lack of world-class expertise is also apparent in the region, coupled with a general feeling that cybersecurity is only an ICT responsibility, making cross-government and cross-sector priorities challenging to place at the top of the list.
In the wider OECS region, only Saint Vincent and the Grenadines has specific cybercrime legislation with the Cybercrime Act of 2016. In other countries, cybercrime is regulated under Computer Misuse Acts or Electronic Crime Acts. They are primarily focused on how technology is used to commit crimes without explicitly addressing cybersecurity and how to deal with attacks on information systems. Questions remain on the capacity of countries to adequately prosecute this type of crime which relies on having sufficient infrastructure, personnel and accompanying judicial systems. Many lack the right equipment, software, and training to identify cybercrimes correctly.
Regionally, CARICOM IMPACS has sought to establish harmonised standards of practice, expertise and systematic treatment of cybercrime. It has additionally targeted infrastructure capacity-building to increase crime detection, law enforcement investigation and prosecution. RSS, or Regional Security System, is another organisation with a mandate to prevent and defend against cybercrime that has limited scope for responding to cyberattacks, somewhat because of a lack of harmonisation of policies regionally. Like many regional organisations, they, unfortunately, lack funding and capacity to respond adequately to the modern threat landscape.
What about CSIRTs?
Similarly, the state of Cyber Security Incident Response Team (CSIRT) development in the Caribbean lags behind the South American continent and the broader region. Only Barbados, Jamaica and Trinidad and Tobago have implemented funded and functioning CSIRTs. Suriname has restarted a program after having abandoned it a few years ago.
Small and micro-sized businesses are the backbone of the private economic structure of the Caribbean, and it is precisely these businesses that are the most vulnerable and the least resourced to deal with the complexities of digital security requirements of today. This has been substantially exacerbated by the COVID-19 pandemic, in which new expectations by employees on how, when, and where to work are becoming normalised. Working from home and the expected turn towards a flexible hybrid model for workers have widened the security exposure for companies. In other words, attacks do not need to target one specific network to gain entry to a company; many distributed networks are potential threats. This makes it difficult for understaffed, undertrained and crucially under-financed IT departments to manage such distributed networks in physical and technological terms.
Whilst cloud computing is still in the early development stages in the Caribbean, not all businesses and administrations are advancing simultaneously. Some are more advanced than others, having not only moved low-hanging-fruit applications like email and accounting to the cloud but also embraced the possibilities that cloud computing offers, shifting line-of-business applications, identity services and other business-critical services off the on-premises systems. Moving to the cloud changes the security exposure for the entity in question, requiring specialised knowledge to best protect and monitor for breaches and unplanned downtime.
The COVID-19 pandemic has left MSMEs with budgets for investment at historic low levels. MSMEs are typically small businesses with more pressing day-to-day issues, such as immediate revenue generation to pay the bills. Because MSMEs already have relationships with telecom providers, the telecom companies will likely provide cybersecurity offerings soon, given the network-based nature of the threat.
The threat landscape (non-exhaustive)
Understanding global threats and their provenance will also play a prominent role in understanding the landscape and developing solutions to minimise those risks. The most common threats to small businesses and administrations in the Caribbean are estimated as follows:
Ransomware
Immediately after a successful penetration of defences, a small application sits in background tasks on the infected computer or computers, slowly encrypting data using a virtually impossible-to-decipher encryption key. Once the data has been fully encrypted, the user is alerted that the data is now inaccessible. A ransom of a significant amount is required to decrypt the data and allow access once again.
Social Engineering or Phishing
Social Engineering or Phishing is a psychological technique used to gain the confidence of an employee in a company or government office and then exploit that confidence to extract information or gain access to restricted data. It is often the method used to deploy ransomware and is the weakest link in the armour of cybersecurity.
Internal malicious intent
Although relatively rare by most counts, the risk of a disgruntled employee with access to confidential and vital data is manifest. This can be highly disruptive to a business or administration. For example, employees on social media displaying discontent can be the target for exploiting weaknesses to enter a network.
Poorly configured and patched systems
Even the best firewall is only as good as its configuration and patch level. Poorly configured or outdated firmware in IT equipment is a regularly exploited vector for entry into the target network.
Poor credential hygiene
Easy-to-guess passwords, passwords that are not regularly changed, and sensitive data with poor access controls are easy targets. Sparse use of two-factor authentication also plays a role in allowing access to those who should not be permitted.
Mitigation Strategies and Policy Guidance
The following is just a small sample of the opportunity to improve the threat landscape in the region. If you’d like more detailed advice, please let me know.
Invest in the expansion and capacity-building of CSIRTs and regional cybersecurity organisations
Only with adequate and ongoing funding will the diverse region be able to fully appreciate its desire to develop world-class cybersecurity services protecting the public of the Caribbean. We would recommend regional, local government, NGO and private sector funding be increased substantially and rapidly. Events in Barbados, Trinidad and Tobago and more recently in Martinique show the threat is here and the consequences substantial.
Development of affordable managed services for the region
Security software of the past, which required an initial purchase, installation and configuration to become fully operative, cannot deal with today’s ever-changing security threat landscape. Capital purchase of security software is no longer appropriate, and the business model has changed.
We recommend that a managed service provider (MSP) starts with a small but highly specialised team incentivised and remunerated on contract signups and renewals. As the business grows, so can the team and the incentive structure.
Develop and deliver targeted education for users, managers and decision-makers
As with much in life, better education is the key to fundamentally understanding and acting on the current context. There is, sadly, not enough specialised education in the region for the general public to fully understand the implications of good cybersecurity practices. Although organisations such as Get Safe Online have been doing some of this over the last few years, we recommend that governments and NGOs invest in developing local training and awareness on specific cyber security issues, such as protecting smartphone use on the internet.
Develop targeted and highly focused services designed for MSMEs
Customers need to quickly see the value of the offering and be onboarded rapidly and without difficulty. Time spent designing simplified services and automating the onboarding process for the customer will allow the customer to take advantage with less apprehension. Particular attention should be given to building modular services, allowing flexibility in the offering tailored to the customer and not the supplier.
Understand where existing services lack and fill those gaps
Conduct a gap analysis of the state of cyber defences in the Caribbean, looking at the state of government or law enforcement’s resources and role in cybersecurity, including participation from the private sector. This will likely identify complementary areas of interest, encouraging the broadest and most efficient development possibilities.
Develop Security-as-a-Service offerings sold as insurance policies
Just as we have cyberattack software as a service, we should have Cybersecurity as a Service. Software as a Service (SaaS) has been a great enabler for small businesses to use enterprise-grade software that was previously out of reach financially and technically. So it should be for cybersecurity. Providing a service offering akin to an insurance contract (leaving the details of the included/excluded services outside the scope of this report) would allow MSMEs to strengthen their defences in the most cost-effective way.