Hacking: The $3 Trillion Threat

With a constantly growing threat landscape, cyber attacks pose one of the largest risks to businesses in the GCC and abroad.

Gulf Business

To assess the growing concern regarding cyber attacks, you need to look no further than this year’s World Economic Forum (WEF), which ranked them among the top five likeliest global risks in its annual report.

Despite billions of dollars spent every year, the global economy is still not sufficiently protected against the threat, research conducted by the WEF and McKinsey concluded.

An estimated $3 trillion aggregate impact could be felt from the resulting decelerated pace of technology and business innovation, the report found.

“There are basically two kinds of consumers, in enterprise or even government. The ones that have been attacked and the ones not aware that they have been attacked,” says Laurent Heslault, director, security strategist, Symantec EMEA Western Region.


This year’s Symantec Internet Security Threat Report found that targeted cyber attack campaigns increased by 91 percent in 2013, and on average lasted three times longer than the previous year. The cyber security firm confirmed that it blocked 568,700 web attacks and saw 1.6 million new malware variants daily in 2013.

Of particular concern for the hydrocarbon rich GCC is that energy firms were found to be among the most targeted last year.

Here, the firm found personal assistants at large mining companies (the oil and gas category) to be the highest risk worker group for spear phishing, in which cyber criminals use email spoofing for financial gain or trade secrets.

Threats to energy companies come from a variety of sources, including espionage from competitors looking for data on new projects, exploration or finances.

Other threats intended for disruption and destruction have been revealed to be the work of ‘hacktivists’ and state sponsored entities, as was believed to be the case in 2012 when oil giant Saudi Aramco was hit by a large-scale malware attack named Shamoon.

“When Aramco was attacked, something like 32,000 PCs were erased in three hours. This does not happen very often, but I know lots of companies that would be killed by that kind of attack,” says Heslault, stressing that not everyone has Aramco’s financial muscle.

An anti-oppression hacker group claimed responsibility for the attack online, although its responsibility could not be verified.

As more of the GCC’s infrastructure is exposed to the internet via smart grids and smart metering, attacks on energy companies are expected to become more and more common. However, security vulnerabilities from connected devices will be far from restricted to the energy sector.


The Internet of Things (IoT), which is seeing more and more objects connected to the web, is exposing a greater number of devices used by consumers and businesses to hacking.

Cases last year saw baby monitors, security cameras and routers being hacked, while researchers also demonstrated the ability to attack smart TVs, cars and medical equipment.

“The benefit to attackers of compromising these devices may not yet be clear, and some suspect claims about hacked devices [refrigerators for instance] are to be expected,” the Symantec report said.

“But the risk is real. IoT devices will become access points for targeted attackers and become bots for cybercriminals.”

Even at this early stage, it is clear that the IoT is going to present a cyber security challenge, especially given that many of the first generation devices are not being shipped with in-built security.

One particularly troubling area could be smart cities, with Dubai and other parts of the GCC planning to modernise metropolitan infrastructure with connected capabilities.

“Lots of companies want to develop smart cities with smart meters everywhere, but the real question is are they doing their risk management before rolling this out. I’m afraid they aren’t [doing much],” says Heslault.


Outside of these threats from new sources, businesses also have to contend with vulnerabilities from older ones like the operating systems, software and encryption tools they use.

These security holes, named ‘zero-days’, are bugs that potentially allow cyber attackers to gain access to secure systems.

More zero-day vulnerabilities were discovered in 2013 than any other year, according to Symantec, with 23 vulnerabilities detected, an increase of 61 per cent over 2012.

Cyber criminals are known to exchange zero-days on black markets for anything up to $100,000, with some groups thought to have a number of the exploits at their disposal.

“There are clearly people sitting on zero-days, waiting for one to be patched and coming out with another,” says Orla Cox, senior manager for security response at Symantec.

One recent high profile case was the Heartbleed Bug, which gained widespread media attention in April.

The flaw in the OpenSSL cryptographic library allowed cyber criminals tocompanies regarding the disclosure of the vulnerability had negative consequences overall, according to Kasper Lindgaard, head of research at cyber security company Secunia.

“The lack of proper coordination preceding the disclosure of the vulnerability meant that everybody has been playing catch-up (and some still are), trying to contain the damage.”

“Due to two different disclosures of the vulnerability to OpenSSL from two different parties, OpenSSL decided to release the information two days earlier than initially intended. Those two days could have made a big difference to the whole process,” Lindgaard adds.

Addressing the vulnerability is expected to take months, with applications including VPN software, messaging and VoIP apps still vulnerable, he says.


Older threats are also being compounded by newer developments in the cyber threat landscape like ransomware.

This relatively new type of malware received media attention in March when reports emerged that a Romanian man tragically opted to kill himself and his son following threats from what he believed to be local law enforcement.

The ransomware attack, which reportedly came from an adult website, locked down his system while claiming to be from the country’s police force, and gave the choice of paying a fine for illegal activity or going to jail.

Marcel Datcu, 36, hanged himself and his son in the family living room, explaining in a suicide note that he could not pay the 70,000 lei ($21,000) fine and did not want to go to prison, according to local media Braila24.

Ransomware attacks were one of the fastest growing types of attack last year, increasing 500 per cent with 1.5 million internet users targeted, according to Symantec.

Victims are typically asked for $100 to $500 via online payment methods, to return access to their systems. However, whether payment results in access being returned largely depends on the honesty of the attacker.

A recent evolution of this type of malware has been highlighted as a potentially growing concern in 2014.

Ransomcrypt attacks use the same methods as ransomware but encrypt users’ files, demanding money to return access to them.

A small number of ransomcrypt cases detected recently have used advanced RSA 2048 encryption, meaning it is impossible to get the files back without the attacker’s approval.

These attacks, while so far targeted at consumers, could prove very damaging to businesses if they managed to encrypt network drives or servers.


Faced with a constantly evolving cyber threat there are two possibilities for businesses, says Heslault – disconnecting from the world in what he describes as “cybergeddon” or finding some balance via cyber resilience.

Naturally the former is not possible for most businesses in the digital age, meaning resilience, being able to return to operations as quickly as possible after an attack, is the way forward.

Companies cannot just rely on their security solutions to make this happen. IT security protocols for staff, a crisis management team to handle attacks, and the backup of key files are also part of any resilience strategy.

Similar to fire drills in the physical world, these plans must be tested to iron out any issues, and companies must accept that there is no return on investment, says Heslault.

It may come as little surprise that with its growing threat level to businesses, cyber security is receiving increasing attention from insurance companies.

In a survey of more than 500 of the world’s most senior business leaders by insurance market Lloyd’s, cyber security moved up from twelfth to third highest threat to global business in 2013.

“This means that the risks are real and they can make money out of it,” asserts Heslault, who reveals that Symantec is now working with insurers to help mature the market.

Like the rating systems awarded by financial service companies, he envisions a framework with five or six degrees of cyber resilience. The higher its resilience rating the less the company would pay for cyber insurance.

While such schemes are yet to become a reality, the financial consequences of not being adequately resilient are sure to see more enterprises take notice.

And with businesses’ growing reliance on IT systems there is no time to waste, he warns.

“What we are seeing now has never happened in the industry, such strong trends of mobility, cloud, and socialisation. And all of this is happening at the same time, which is a kind of perfect storm.”

