Cyber incidents are ‘business risk’ in the Gulf
Dubai - Cyber incidents targeting corporations in the Gulf region have seen a steady rise in recent years, putting major companies at increasing risk of frequent and grave attacks. Protecting data can have massive cost implications, experts said.
Shabnam Karim, a Dubai-based senior associate for global legal firm Clyde & Company, notes there has been an increase in issues related to “ransomware” — malicious software designed to block access to a computer system until money is paid — hacking and data breach across the Gulf Cooperation Council (GCC).
“Some of these incidents relate just to the theft of confidential information but there are now regular claims relating to fraudulent payment transactions, which have occurred due to hacking.” Karim said.
“According to official statistics, the UAE is the eighth most targeted country globally and the first in the Middle East and Africa for spear-phishing.”
“Spear-phishing” is an e-mail spoofing fraud attempt that targets a specific organisation or individual, seeking unauthorised access to confidential data.
“Within the UAE, finance, insurance and real estate sectors were the most affected last year. Close to three-quarters of all attacks were directed towards companies in those sectors. We do not have accurate numbers of [the] incidents in this region. However, we have seen a real increase in the last two years in cyber incidents, across sectors,” Karim added.
Gary Hibberd, managing director of AGENCI, a leading cyber-security agency in London, stressed the inability of IT departments to confront cyber threats. “With 1 million new forms of malware created every day and the proliferation of data, to expect the IT department alone to tackle this threat is a futile exercise,” Hibberd said during a visit to Dubai.
“Companies at their board level need to see cyber-crime as a business risk. Cyber-security is not an IT problem or a technology issue any more. Corporate strategy and resources have to be marshalled to tackle this on a permanent basis.”
Oisin Fouere, managing director of K2 Intelligence and head of the cyber-defence practice within the region, said, “A key measure to ensure that gaps are effectively remediated is to establish and maintain a dedicated and skilled cyber-security function with executive level reporting.”
The sectors most at risk are companies with a large amount of customer data, such as health care and telecommunications, Karim said.
“In order to achieve a financial gain, we see hackers frequently targeting banks and exchange houses,” she said. “The Bank of Muscat claim in 2013, which resulted in a multimillion-dollar theft from hacking, is a good example of the level of sophisticated criminals that companies in the UAE are dealing with.”
“There are several risk mitigation steps that can be deployed. This includes setting up internal policies because cyber-data breaches are not always externally perpetrated but can result from internal actions, such as an employee accidentally clicking on a phishing link,” she added.
The information overload and the arrival of the Internet of Things (IoT) with the prospect of 40 billion internet-enabled devices by 2020 will make the situation even more complex.
“A growing number of security weaknesses are being identified as a result of both smart initiatives and IoT deployment,” said Fouere. “We firmly believe that until liability for security weaknesses are attributed to manufacturers that this issue will continue to pose significant cyber-security risks both for the government and individual users. Governments should introduce and maintain basic security standards for embedded devices, ensuring that manufacturers carry out adequate security testing of devices before release.”
Hibberd said the introduction of IoT, smart grids and smart cities will result in a world that is increasingly interconnected and interdependent.
Asked how risks can be reduced in the future, he stressed that “fundamentally, education is the key and awareness is its close ally”.
“We must educate those who create the products we use and it should be legislated that they provide privacy by design and default,” he said. “It must be a feature (of the product). Authorities need to put more pressure on organisations to improve their security but, ultimately, we as the users of these devices need to take account for our own safety.”
Legislation that imposes a requirement upon businesses to declare and report cyber-security breaches would be an effective tool, Karim argued.
“This would provide better data into where and how breaches are occurring, as incidents are often hidden from the public domain, businesses would no longer be able to adopt a laissez-faire approach and would have to treat cyber-security as a boardroom issue.”