With abundant energy reserves, ambitious national government initiatives, and major organisations based in the region, the Middle East has always attracted plenty of attention.
And with Expo 2020 coming to Dubai in two years, that focus is only going to increase. Unfortunately, this also includes cyber-attacks, and many organisations in the region are struggling to cope with increasing threat levels.
According to Sam Olyaei, principal research analyst at Gartner, companies in the Middle East all too often underestimate or misunderstand the security threat: “Most organisations want to prevent an attack, and they spend all of their resources trying to do so. That is not the right approach – in this digital age, it is no longer a case of whether you will be breached, but a case of when this will happen and being able to manage the impact of such an attack.”
The impact of attacks can be severe. According to Cisco’s 2018 Security Capabilities Benchmark Study, 94 percent of companies in the Middle East and Africa suffered a breach in the past year, in line with a rise in breaches globally, and 48 percent of attacks in the region resulted in damages over $500,000.
“The escalating number of data breaches and advanced persistent threats, along with the publicity around hacks, are making users even less confident that their sensitive data and privacy will be protected,” says Fady Younes, cyber security director – Middle East & Africa, Cisco. “Middle East organisations need holistic data protection strategies and solutions to prevent, contain, and remediate data breaches.”
Fixing the holes
Rather than concentrating their budgets on prevention, companies should shift investment towards detection and response, and base those decisions on the specific risks the enterprise actually faces.
“We see a lot of organisations take a checkbox approach to security, but that doesn’t provide a true picture – they need a clear understanding of what risk they are facing if data is compromised and, more importantly, they have to mitigate these threats based on their own risk appetite, not what is happening around them,” says Olyaei.
The problem is compounded as organisations become part of digital ecosystems that link them to customers, partners and suppliers in ways they have not previously had to manage. “Companies today are collecting a much greater range of information about their customers, using apps and methods that didn’t even exist a few years before – making it harder for them to know what risks they are facing,” says Olyaei.
“Information has never been more readily available and transmittable. Businesses, especially banking and financial organisations, are increasingly processing and exchanging individual data electronically and across borders,” says Hussam Sidani, Symantec’s manager for the Gulf region.
“With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so. From attackers using illicit coin mining as a revenue source, to injecting malware into the software supply chain and exploiting legitimate and commonly used software, there is no shortage of ingenuity to infiltrate organisations.”
While Sidani points out that the UAE government has gone to great lengths to keep its data and citizens safe, and to make businesses aware of the need to safeguard people’s data, the UAE ranks high in the region for crypto mining, malware, phishing and web attacks.
According to Symantec’s research, nearly three quarters of all targeted attacks start with a phishing message, as attack groups look to gather confidential information.
Unfortunately, organisations still seem unprepared for such tactics, with research from Mimecast showing that 20 percent of C-level executives sent sensitive data in response to a phishing attack, and 49 percent of companies admitting that their senior management and finance teams aren’t knowledgeable enough to identify and stop an impersonation attempt.
Employees are “the easiest route into an organisation,” says Jeff Ogden, general manager, Mimecast Middle East. “Phishing and other social engineering tactics have evolved into highly advanced attacks that are difficult to spot. Increased reliance on technology for government, business and citizens demands a greater focus than ever before on securing the humans at the centre of it all.”
“Lack of IT security awareness among staff remains a worrying reality for businesses,” says Amir Kanaan, managing director of Kaspersky Lab for the Middle East, Turkey and Africa.
According to a recent study conducted by Kaspersky Lab and B2B International, only 18 percent of employed respondents in the META region are aware of the IT security policies and guidelines set in their workplace. “This, combined with the fact that 40 percent of employees consider protection from cyberthreats a shared responsibility, presents additional challenges when it comes to setting the right cybersecurity framework,” Kanaan adds.
While Gartner encourages organisations to invest in people and processes, rather than buying technology for the sake of buying it, Olyaei points to the practical limits of this approach.
“The skills market is also proving extremely challenging for organisations here, as in many cases they simply can’t find the skills that they want – they just don’t exist in the region, and this issue is even more pervasive on a global scale.”
The research analyst adds that to address this issue, organisations have to optimise their security functions operationally, and invest in a range of programmes to develop current staff.
New devices, more threats
As the region sees increasing smartphone penetration and greater deployment of Internet-of-Things (IoT) technologies, cyber security is only going to increase in importance. For instance, Fortinet research shows that cyber-criminals are increasingly targeting IoT devices – which tend to be always on and connected – to deploy cryptomining malware.
“Security risks continue to grow, and understanding the risks you face and the tactics your cyber enemies are using is critical to developing and implementing an effective and adaptive security strategy,” says Kalle Bjorn, director, systems engineering at Fortinet.
The good news is that organisations seem to be waking up to these issues, helped in part by new regulation such as the EU’s General Data Protection Regulation (GDPR), which came into force in May (see “What impact will GDPR have in the region?” below).
“GDPR is clearly having a substantial impact as companies increasingly understand that they need to address issues like data privacy – something many organisations hadn’t previously considered,” says Gartner’s Olyaei. Gartner is seeing double-digit growth in security spend and an increasing demand for services, particularly outsourcing, managed services and consulting as a result of increased awareness related to regulations such as GDPR.
Olyaei highlights the speed at which British Airways recently reacted to a security incident. After BA discovered last month that 380,000 passengers had been affected by a hack, it announced the information within three days, inside the 72-hour breach notification window GDPR requires. By contrast, Dubai-based ride sharing platform Careem waited three months before revealing that personal data of up to 14 million people was stolen in January.
While the full impact of regulations such as GDPR remains to be seen, security awareness seems to be firmly on the up. “Cyber Security is finally becoming a ‘top of mind’ business objective, with many organisations making the board hold accountability,” says Cisco’s Fady Younes. “This makes sense considering a large security breach doesn’t only affect finances and productivity but can severely damage customers’ trust towards the brand.”
The message is clear: data security is the responsibility of the most senior people in any organisation. If they ignore its importance then they face mission-critical risks to their companies.
What impact will GDPR have in the region?
The European Union’s General Data Protection Regulation, or GDPR, came into force in May. GDPR is designed to give EU citizens more control over their personal data – wherever that data resides. Organisations are required to ensure that personal data is gathered only under strict conditions and that it is protected from misuse. Companies can face fines of up to four percent of their annual global turnover, or €20 million, whichever is greater, for GDPR breaches.
Organisations based in the Middle East are in theory governed by GDPR if they store personal data of, monitor the behaviour of, or offer goods or services to EU individuals, whether free or paid, points out Harish Chib, vice president, Middle East and Africa, Sophos, even if it is just “a single European citizen’s personal data in your database.” GDPR also requires public disclosure and breach notification, “which means that even one record breached could possibly expose an organisation to penalties and negative PR impact,” Chib adds.
“Regional firms must assess the impact of GDPR on their operations, redesign their data protection processes and train their employees about GDPR-compliance because it will affect multiple departments across an organisation,” says Mansoor Sarwar, technical director at Sage Middle East. As well as potential fines, “other fallout could be injury to a company’s reputation and its ability to do business in the EU,” Sarwar notes.