Cyber incidents are ‘business risk’ in the Gulf

Sunday 08/01/2017
Growing number of security weaknesses are being identified

Dubai - Cyber incidents targeting corporations in the Gulf region have seen a steady rise in recent years, putting major companies at increasing risk of frequent and grave attacks. Protecting data can have massive cost implications, experts said.
Shabnam Karim, a Dubai-based senior associate for global legal firm Clyde & Company, notes there has been an increase in issues related to “ransomware” — malicious software designed to block access to a computer system until money is paid — hacking and data breach across the Gulf Cooperation Council (GCC).
“Some of these incidents relate just to the theft of confidential information but there are now regular claims relating to fraudulent payment transactions, which have occurred due to hacking,” Karim said.
“According to official statistics, the UAE is the eighth most targeted country globally and the first in the Middle East and Africa for spear-phishing.”
“Spear-phishing” is an e-mail spoofing fraud attempt that targets a specific organisation or individual, seeking unauthorised access to confidential data.
“Within the UAE, finance, insurance and real estate sectors were the most affected last year. Close to three-quarters of all attacks were directed towards companies in those sectors. We do not have accurate numbers of [the] incidents in this region. However, we have seen a real increase in the last two years in cyber incidents, across sectors,” Karim added.
Gary Hibberd, managing director of AGENCI, a leading cyber-security agency in London, stressed the inability of IT departments to confront cyber threats. “With 1 million new forms of malware created every day and the proliferation of data, to expect the IT department alone to tackle this threat is a futile exercise,” Hibberd said during a visit to Dubai.
“Companies at their board level need to see cyber-crime as a business risk. Cyber-security is not an IT problem or a technology issue any more. Corporate strategy and resources have to be marshalled to tackle this on a permanent basis.”
Oisin Fouere, managing director of K2 Intelligence and head of the cyber-defence practice within the region, said, “A key measure to ensure that gaps are effectively remediated is to establish and maintain a dedicated and skilled cyber-security function with executive level reporting.”
The sectors most at risk are companies with a large amount of customer data, such as health care and telecommunications, Karim said.
“In order to achieve a financial gain, we see hackers frequently targeting banks and exchange houses,” she said. “The Bank of Muscat claim in 2013, which resulted in a multimillion-dollar theft from hacking, is a good example of the level of sophisticated criminals that companies in the UAE are dealing with.”
“There are several risk mitigation steps that can be deployed. This includes setting up internal policies because cyber-data breaches are not always externally perpetrated but can result from internal actions, such as an employee accidentally clicking on a phishing link,” she added.
The information overload and the arrival of the Internet of Things (IoT) with the prospect of 40 billion internet-enabled devices by 2020 will make the situation even more complex.
“A growing number of security weaknesses are being identified as a result of both smart initiatives and IoT deployment,” said Fouere. “We firmly believe that until liability for security weaknesses are attributed to manufacturers that this issue will continue to pose significant cyber-security risks both for the government and individual users. Governments should introduce and maintain basic security standards for embedded devices, ensuring that manufacturers carry out adequate security testing of devices before release.”
Hibberd said the introduction of IoT, smart grids and smart cities will result in a world that is increasingly interconnected and interdependent.
Asked how risks can be reduced in the future, he stressed that “fundamentally, education is the key and awareness is its close ally”.
“We must educate those who create the products we use and it should be legislated that they provide privacy by design and default,” he said. “It must be a feature (of the product). Authorities need to put more pressure on organisations to improve their security but, ultimately, we as the users of these devices need to take account for our own safety.”
Legislation that imposes a requirement upon businesses to declare and report cyber-security breaches would be an effective tool, Karim argued.
“This would provide better data into where and how breaches are occurring, as incidents are often hidden from the public domain, businesses would no longer be able to adopt a laissez-faire approach and would have to treat cyber-security as a boardroom issue.”