In the last 12 to 18 months, it is estimated that there has been a significant increase (more than 40 per cent) in cyber related criminal activity in the Caribbean as reported by a leading global cyber security research organisation.
In recent weeks, the threat from ATM cyber criminals has made the news yet again, culminating in a public warning from the Royal Barbados Police Force urging citizens to be cautious when using ATM machines which we commend them for.
However, ATM cyber scams represent just “one” component of the overall cyber threat facing Barbados and the Caribbean. The recent unauthorised web changes to a key Barbados tourism website represents yet another troubling component of the cyber threat called “website defacement”.
Website defacement is a type of cyber-attack where a hacker changes the content of an organisation, business, or government’s website in an offensive, business/politically harmful manner.
When hackers make unauthorised changes to websites of Caribbean businesses, governments and organisations that alter their visual appearance, written content, or overall message it is considered a form of corporate sabotage that can cause reputation damage, lower customer confidence, and adversely impact profits.
Unfortunately, this reality makes any Caribbean business, government or organisation that has a website vulnerable to website defacement. The evidence shows that hackers are now targeting the Caribbean due to our low level of website security awareness, and non-compliance with website security best practices and standards.
As one of the oldest and most common cyber-attack methods used by hackers, SQL injection techniques are often used to carry out website defacements through gaining unauthorised access to a website’s administrative accounts.
After this, the defacer has access to most or all parts of a website, or host network in some cases. Website defacers often post messages or content that talk negatively to the website administrator, business, government or organisation for failure to implement effective website security measures.
In addition, to the fact that website defacements can cause significant public embarrassment to a business, organisation or government, they can also be a gateway for greater unauthorised access and compromise of a system/network, or lead to loss of data depending on the business function of the website.
For example a website that has online payment processing capabilities may lose significant customer confidence if defaced, causing them to refuse to use the online capabilities due to security concerns. As a result, a loss of online revenue could occur.
With that said, the Caribbean Cyber Security Centre (CCSC) believes that the best way for Barbados businesses, organisations and Government to prevent website defacements is to have their websites tested for website application and hosting platform vulnerabilities and threats a hacker can exploit, and fix all identified issues by severity as soon as possible.
CCSC also urges the region to utilise local and trusted ICT resources to conduct the recommended website testing. Far too often we are outsourcing our IT security support needs to sources in Canada, the United Kingdom, or the United States for no good reason, which often cost us more.
Additionally, the region can’t just pay lip service to ICT development in critical areas like cyber security, and then outsource our ITcyber security support needs to ICT companies abroad with the talent and expertise right within our shores.
The CCSC believes that cultivating local and regional ITcyber security talent and expertise to conduct routine website security testing will be critical to sustaining the regional fight against the evolving cyber threat in a cost effective manner.
Ironically, in most cases the fixes for website security weaknesses or vulnerabilities identified are free. But you can’t fix what you don’t know, hence the importance of getting your website tested.
As we become more dependent on the internet and ICT generally as an economic development driver, it is critical that Caribbean businesses, organisations and governments budget to have their website’s independently tested at least twice a year.
A small investment in having your website tested and identified issues fixed has been proven to be significantly less than the reputational damages, and loss in customer confidence that can occur as the result of a defaced website.
• James Bynoe is the Caribbean Cyber Security Centre’s chief executive officer and senior cyber security consultant.
