Data and cybersecurity continue to be a pressing issue in the Middle East
Data and cybersecurity continue to be a pressing issue in the Middle East, with many firms struggling to understand the threats and how best to safeguard against them. Arabian Business published an interesting analysis of the situation and of how it might evolve. With abundant energy reserves, ambitious national government initiatives, and major organisations based in the region, the Middle East has always attracted plenty of attention. And with Expo 2020 coming to Dubai in two years, that focus will increase. Unfortunately, this attention also includes cyber attacks, and many organisations in the area are struggling to cope with increasing threat levels. Moreover, the impact of attacks can be severe. According to Cisco’s 2018 Security Capabilities Benchmark Study, 9% of companies in the Middle East and Africa suffered a breach in the past year, in line with a rise in breaches globally, and 48% of incidents in the region resulted in damages over $500,000.
Companies in the Middle East all too often underestimate or misunderstand the cyber security threat
According to Sam Olyaei, principal research analyst at Gartner, companies in the Middle East all too often underestimate or misunderstand the cyber security threat: “Most organisations want to prevent an attack, and they spend all of their resources trying to do so. That is not the right approach – in this digital age, it is no longer a case of whether you will be breached, but a case of when this will happen and being able to manage the impact of such an attack.” “The escalating number of data breaches and advanced persistent threats, along with the publicity around hacks, are making users even less confident that their sensitive data and privacy will be protected,” says Fady Younes, cyber security director – Middle East & Africa, Cisco. “Middle East organisations need holistic data protection strategies and solutions to prevent, contain, and remediate data breaches.”
Organisations in the region, which are increasingly becoming part of digital ecosystems, need a clear understanding of what risk they are facing if data is compromised, and they have to mitigate these threats based on their own risk appetite
“We see a lot of organisations take a checkbox approach to security, but that doesn’t provide a true picture – they need a clear understanding of what risk they are facing if data is compromised and, more importantly, they have to mitigate these threats based on their own risk appetite, not what is happening around them,” says Olyaei. However, the problem becomes more pervasive for organisations today as they are increasingly becoming part of digital ecosystems, linking them with their customers, partners and suppliers in ways they haven’t previously been doing. “Companies today are collecting a much greater range of information about their customers, using apps and methods that didn’t even exist a few years before – making it harder for them to know what risks they are facing,” says Olyaei.
Information has never been more readily available and transmittable. Businesses, especially banking and financial organisations, are increasingly processing and exchanging individual data electronically and across borders
“Information has never been more readily available and transmittable. Businesses, especially banking and financial organisations, are increasingly processing and exchanging individual data electronically and across borders,” says Hussam Sidani, Symantec’s manager for the Gulf region. “With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so. From attackers using illicit coin mining as a revenue source, to injecting malware into the software supply chain and exploiting legitimate and commonly used software, there is no shortage of ingenuity to infiltrate organisations.” While Sidani points out that the UAE government has gone to great lengths to keep its data and citizens safe, and to make businesses aware of the need to safeguard people’s data, the country ranks high in the region for crypto mining, malware, phishing and web attacks.
Nearly three quarters of all targeted cyber attacks start with a phishing message, as groups look to gather confidential information (cyber espionage). Unfortunately, organisations still seem unprepared for such tactics
According to Symantec’s research, nearly three quarters of all targeted cyber attacks start with a phishing message, as groups look to gather confidential information (cyber espionage). Unfortunately, organisations still seem unprepared for such tactics, with research from Mimecast showing that 20 percent of C-level executives sent sensitive data in response to a phishing attack, and 49 percent of companies admitting that their senior management and finance teams aren’t knowledgeable enough to identify and stop an impersonation attempt. Employees are “the easiest route into an organisation,” says Jeff Ogden, general manager, Mimecast Middle East. “Phishing and other social engineering tactics have evolved into highly advanced attacks that are difficult to spot. Increased reliance on technology for government, business and citizens demands a greater focus than ever before on securing the humans at the centre of it all.”
Lack of IT security awareness among staff remains a worrying reality for businesses in the Middle East
“Lack of IT security awareness among staff remains a worrying reality for businesses,” says Amir Kanaan, managing director of Kaspersky Lab for the Middle East, Turkey and Africa. According to a recent study conducted by Kaspersky Lab and B2B International, only 18% of employed respondents in the META region are aware of the IT security policies and guidelines set in their workplace. “This, combined with the fact that 40 percent of employees consider protection from cyberthreats a shared responsibility, presents additional challenges when it comes to setting the right cybersecurity framework,” Kanaan adds.
The region sees increasing smartphone penetration and greater deployment of Internet-of-Things (IoT) technologies. Cyber security must grow
Moreover, as the Middle East sees increasing smartphone penetration and greater deployment of Internet-of-Things (IoT) technologies, cyber security is only going to increase in importance. For instance, Fortinet research shows that cyber-criminals are increasingly targeting IoT devices – which tend to be always on and connected – to deploy cryptomining malware. “Security risks continue to grow, and understanding the risks you face and the tactics your cyber enemies are using is critical to developing and implementing an effective and adaptive security strategy,” says Kalle Bjorn, director, systems engineering at Fortinet. The good news is that organisations seem to be waking up to these issues, helped in part by new regulation such as the EU’s General Data Privacy Regulation (GDPR), which came into force in May. It’s designed to give EU citizens more control over their personal data – wherever they reside.
The GDPR impact on Middle East organisations
Under GDPR, organisations are required to ensure that personal data is gathered only under strict conditions and that it is protected from misuse. Companies can potentially face fines of as much as four percent of their global gross revenue for GDPR breaches. Organisations based in the Middle East are in theory governed by GDPR if they store personal data, monitor the behaviour, or offer goods or services to EU individuals, whether free or paid, points out Harish Chib, vice president, Middle East and Africa, Sophos, even if it is just “a single European citizen’s personal data in your database.” GDPR also requires public disclosure and breach notification, “which means that even one record breached could possibly expose an organisation to penalties and negative PR impact,” Chib adds.