Cyber security is a looming concern for companies in the Middle East. In a recent study by information security specialists Gulf Business Machines (GBM), it was revealed that more than 65 per cent of IT experts in the GCC believe that the region is a prime target for cyber criminals.
Home to some of world’s highest net worth individuals and companies, cyber crime has gained pace in the region with attacks on governments and financial institutions on the rise.
The UAE will continue to see a rise in cyber crime attacks against individuals and businesses in 2013, according to Symantec. Last year, the Norton Cybercrime Report claimed that 1.5 million people fell victim to cybercrime in the UAE, costing the country $422 million (Dhs1.5 billion) in direct financial losses.
Marc Maiffret, chief technology officer at Beyond Trust, says that cyber safety has always been an issue but it has grown in the last few years.
“I think there is a realisation that companies cannot depend on the government or traditional means if their business has an issue,” he says.
In this he argues that security concerns in the Gulf countries and the wider Middle East are not different from those seen in the US, with cyber threats compounded by businesses’ increasing need to stay connected across borders.
“Organisations today are faced with a combination of challenges including increasing business and IT complexity, in addition to massive data growth and the pervasive adoption of personal devices as a result of the Bring Your Own Device (BYOD) trend,” says Khalid Abu Baker, managing director at Kaspersky Lab Middle East.
“As a result of growing digital and mobile connectivity, organisations today find themselves exposed to the risks of complex and massive cyber-attacks,” he adds.
SOCIAL NETWORK USAGE NEED NOT COMPROMISE SECURITY
The rise of social media, smartphones and cloud computing has undeniably changed the landscape of cyber safety across the world.
A GBM survey found that cyber security risks have been increasing as social media has become more available to employees. The research built on a previous survey
in which one third of Middle East respondents reported prohibited access to social networks in their companies’ IT policies. Today that figure has been cut in half, indicating that businesses are increasingly embracing social media.
According to the Norton Cyber crime report, around 46 per cent of social networking users in the UAE witnessed cybercrime on social media networking platforms, higher than the global average of 39 per cent.
But blocking social networking sites can be detrimental to businesses, which rely on these platforms to market themselves. Maiffret argues that companies should be able to strike a balance for such issues.
“If you were to listen to only security advice, an average security professional would say you cannot do anything. So you have to balance since you don’t want to hinder your company’s growth,” he says.
The bulk of smartphone security issues arise from Android phones, where employees are downloading apps from a third party app store, beyond the control of a firm’s IT department, according to Maiffret. However, he says, threats still arise from traditional sources.
“The reality is that most of the attacks or breaches still take place from the standard laptops, desktops and servers. Mobile systems were developed long after desktop systems so there is a lot more security in something like an iPad or an iOS based device,” he says.
Maiffret also suggests that cloud computing need not be an area of vulnerability, particularly in the case of SMEs.
“Not all cloud computing is bad because especially if you take small and medium companies they do not have the resources or people to manage their own services properly. It is better for SMEs to use something like Google services because it is going to be much more secure,” he says.
Regardless of whether a person is using a Gmail or corporate account, malicious links are going to come through, which is why having security controls in place is important for enterprises.
One means of limiting exposure to cyber attacks is to restrict administrator access to systems so that any malware is unable to do as much damage.
“Most malware is not able to take information from systems if it does not have administrative action. Essentially if the user does not have administrative access and if they click on the malware it is going to greatly limit what that can do to the company.”
Overall he says it is imperative for the companies to leverage social media in their business and they cannot be restricted by the fear of malware.
ADOPTING AN IT FRIENDLY STRATEGY
GBM’s survey revealed that 42 per cent of organisations in the Middle East spent 10 per cent of their budget on IT issues but anecdotal evidence has claimed that companies still fall prey to cyber attacks.
“Value of the information is appreciated only when it (security) is compromised,” says Ahmad Al Mulla, vice-president of IT at Dubai Aluminium Company.
Corporates should have a proactive strategy as opposed to a reactive strategy when addressing cyber threats to their business, he says.
“We have a reactive approach to security and implement solutions only in response to breaches. Such an approach is expensive.”
Beyond Trust’s Maiffret argues that IT strategies have to be a top priority among the management just like other key functions prioritised at the corporate level.
“Leadership of the businesses here should realise that security is important to the company. Far too many times, the IT team knows what needs to be done but they don’t have the resources and attention from the top management,” he says.
But there are signs that cyber threats are being taken more seriously. Abu Baker says that enterprises in the region are increasingly becoming aware of the risks posed by cyber crime, driving up investment in security technologies in the region.
“The Middle East Network Security Market Report 2013 stated that the (information security) market earned revenues of $341.4 million in 2012 and estimates this to reach $933.6 million in 2018,” he says.
“This clearly means that enterprises have learned from the host of prominent security attacks in the past that have not only resulted in major financial losses but also led to loss of intellectual property, business continuity and agility in addition to the negative impact on the brand image.”