When Mark Zuckerberg appeared before US senators in April to face questions about Facebook’s role in the Cambridge Analytica scandal – in which the personal information of up to 87 million users was harvested without their permission – the spotlight was shone more brightly than ever before on the issue of data security.
Fending off the sometimes probing, sometimes confused questions one by one, the billionaire CEO largely survived the grilling, but the mere fact he was there at all added fuel to a growing fire.
Data breaches are nothing new. Whether targeted by hackers, the result of poor security or lost computers, accidentally published, or part of an inside job, people’s data has always been at risk since the dawn of the technology age.
The stark reminders of this have been periodic. In 2005, some 92 million records were compromised as the result of a reported inside job. Two years later, TK/TJ Maxx saw 94 million compromised records, followed by Sony PlayStation’s 77 million in 2010.
Yahoo saw an astonishing 3 billion user accounts stolen in 2013, and a year later 145 million Ebay records suffered a similar fate. As did 76 million records from JP Morgan Chase in 2014, 80 million from Anthem in 2015, and 145 million Equifax accounts in 2017.
No sector is immune, and as technology continues to grow and develop, so do the chances of data attacks. Market intelligence firm, International Data Corporation (IDC), has predicted that by 2020 more than 1.5 billion people worldwide will be affected by data breaches. Meanwhile, in its 2017 Data Breach Level Index, digital security firm Gemalto noted that the number of data records compromised in publicly disclosed data breaches surpassed 2.5 billion – up 88 per cent from 2016. This equates to more than 7 million records lost or stolen every day, or 82 every second.
With less than 1 per cent of the total incidents, according to Gemalto’s findings, the Middle East region is certainly not a hot-spot for data breaches, but events of 2018 have already proven that it is far from safe.
In April, Dubai-based ride-hailing app Careem announced that it had experienced a breach in January this year, compromising the data of 14 million users. In previous years, breaches have been reported at Al Zahra Private Medical Centre, Etihad Airways and dubizzle, among others.
Back in 2016, statistics from the UAE’s then new Cyber Security Centre showed that the country was the second most targeted country in the world for cyberattacks – sandwiched by the US and Spain in first and third position. So despite the relatively low data breach-rate, the potential for breaches remains high – especially as hackers, attackers and threat actors become more sophisticated.
The challenges are manifold, but the region has gone to great lengths to keep data safe and continues to not only maintain state-of-the-art security strategies, but also keep businesses aware of the pressing need to safeguard people’s data.
Amir Kanaan, managing director – Middle East, Turkey and Africa for Kaspersky Lab – believes the recent Facebook scandal has been a key contributor to that recognition.
“It has resulted in heightened awareness, and I do hope businesses in the region take this opportunity to rethink their attitude and approach towards data security,” he says.
“Seeing the response to the issue by a number of national governments, there will be a move towards more stringent operational guidelines and regulatory frameworks for international companies that primarily deal with data.”
Even before the Facebook news broke, regional governments have been proactive in bolstering their own security levels, as well as advising private businesses to do the same.
In January this year, for example, the UAE’s Ministry of Finance marked Data Privacy Day by issuing a reminder of the importance of protecting personal data for financial transactions. And as well as the obvious concern for people’s privacy, the ministry’s undersecretary Younis Haji Al Khouri highlighted the economic importance behind it.
“The developed economic and legislative framework of the country sets focus on protecting personal information by collecting, preserving and processing data, to prevent the misuse of data, privacy violation and financial losses,” he explained at the time.
“This will contribute to establishing a sound economic environment that gains the trust of investors and financial institutions, and leads the UAE to become the preferred place to do business.”
This trust is something regional governments have been trying to instil with a series of policies, regulations, authorities and institutions announced in recent months and years.
In November last year, Saudi Arabia announced one of the most high-profile – the National Authority for Cyber Security – while the Dubai Data Strategy has been instrumental in establishing the right frameworks, foundations and practices to ensure the emirate can achieve its smart city vision while ensuring the safety of all data.
Kuwait, Bahrain and Oman’s data protection landscape is slightly less advanced, but for all three, new laws are being drafted to regulate the handling of data across sectors.
Each jurisdiction is tightening its legal framework, with harsh penalties to be meted out to individuals breaking the law, or companies selling data without permission. In the UAE, under the cyber crimes law, fines can range from Dhs100,000 ($27,226) to Dhs1m ($272,257), as well as imprisonment.
But for businesses in particular, there are perhaps more critical concerns. The 2017 Cost of Data Breach Study: Global Overview by IBM Security and Ponemon Institute showed that the average organisational cost of data breaches in the UAE and Saudi Arabia now stands at $4.94m – the second highest in the world behind the USA. This is up 20 per cent on the 2016 cost, which was $4.12m. The global average is $3.62m.
And in terms of reputation, there is a lot at stake. According to Gemalto’s 2017 Data Breaches and Customer Loyalty report, 67 per cent of people would be unlikely to do business with a company again where financial and sensitive information were stolen. A huge 93 per cent of people would consider legal action against businesses if their personal data was stolen during a breach.
What’s more, a 2017 report from Comparitech showed that a company’s stock price would drop 0.43 per cent on average immediately after a breach, with the subsequent rise much slower than before, and growth struggling to go past 10 per cent until after at least two years.
Cisco added weight to the negative reputational impact of data breaches in its 2017 report, Cybersecurity Report: Chief Security Officers Reveal True Cost of Breaches and the Actions that Organisations are Taking.
The firm noted that more than 50 per cent of organisations faced public scrutiny after a security breach, with operations and finance systems most affected, followed by brand reputation and customer retention. Some 22 per cent of breached organisations across the 13 countries surveyed lost customers – 40 per cent of them losing more than a fifth of their customer base. Almost a third – 29 per cent – lost revenue, and 23 per cent lost business opportunities.
Change in mindset
These are the kind of statistics regional companies are keen to avoid contributing to, and while security breaches are considered inevitable rather than possible, the strength of the Gulf’s cybersecurity industry is going to great lengths to keep businesses protected.
A key part of that, according to UAE-based cybersecurity firm DarkMatter, is a change of mind-set.
In its 2018 Cyber Resilience and Trust Report, CEO Faisal Al Bannai wrote: “The fact is, we are facing a crisis and trust is being eroded; but, we are doing little to avert it. While technology has advanced for the better, our thinking has not. Now more than ever, the need for a revolution within the cyber security industry is vital to rebuild trust.”
Owing to the evolution of the threat landscape, Al Bannai posited that “a new, more predictive and intelligent dimension of cyber security will need to be embraced – one that masters an understanding of threats post-perimeter”.
Calling traditional cyber security offerings “increasingly outdated and ineffective”, he said that the industry will need to foster a level of ‘cyber resilience’ instead – “a shift in focus from the cyber security thinking of today to a focus on cyber resilience and the industry needs of tomorrow”.
The report identifies resilience as the “the capacity to recover quickly from difficulties and end up stronger” and highlights a number of steps in order to establish this. They range from tactical measures such as confronting the talent problem, strengthening the ecosystem, and investing in cyber security function, to action on a systems level, such as constructing a ‘dome of trust and transparency’ to protect digital society.
In signposting these changes, and others, the report symbolises a heightened awareness of the cyber security industry’s role and responsibilities when it comes to safeguarding data. But the weight of responsibility remains largely on the shoulders of businesses themselves.
And according to Kanaan, preparedness is the key: “In the case of security the trick is to always be prepared. And when you feel that you are fully prepared, check once again,” he says.
“I believe preparedness is the best strategy to stay protected. Companies can bring onboard cybersecurity specialists who can test systems for security gaps and plug those gaps accordingly.
“If this isn’t taken seriously, the resultant potential for data loss, lack of control, loss of customer trust, and loss of revenues will be far-reaching and difficult to remedy.”
Sunil Paul, co-founder and chief operating officer of software system integrator Finesse, adds that clarity and workplace culture is also vital.
“As proper security policies and strategies are very important for organisations, communicatin of the same among staff is essential,” he says.
“A poor organisation culture with respect to employee mobility can also lead to security vulnerabilities. Organisations that fail to adjust to modern workplace needs, such as employees using their own devices at work, are far more likely to experience data breaches.
The GDPR effect
This enhanced self-awareness and sense of responsibility has been felt more keenly since the introduction of the General Data Protection Regulation – GDPR – across Europe.
GDPR strengthens the rights of individuals to demand that companies reveal or delete the personal data they hold. It also requires organisations to report any kind of breach to the authorities within 72 hours of being aware of it. This in turn should push them to strengthen their detection and response plans, improving the overall data protection landscape.
Implemented on May 25, the regulation addresses the export of personal data outside the European Union and the European Economic Area. And while it is a law tailored to the data protection and privacy of individuals within the EU and EAA, the regulation is having an impact around the world. This is largely because many companies are taking the opportunity to fall into line with best practices, but also any company that has access to the data of EU citizens must comply with GDPR. With such a large expat community – many of whom are from Europe – the GCC will certainly feel the force.
and requiring you to opt-in in order to continue receiving communications from them. But this is just the tip of the iceberg. Some seven years in the making, GDPR is expected to have a massive impact on data protection and the companies holding your details.
Despite these landmark changes to the way data is handled, security is approached, and organisations are held accountable, there are still several challenges ahead. And there always will be.
The progressive nature of technology means that threat actors will always find new ways to breach data, and organisations will need to find new ways to combat this – in terms of eliminating the chances of attack as much as possible, and in terms of dealing with any hacks that occur.
As the Internet of Things, smart cities and cloud technology develop at pace, so too does the scope for cybercrime, meaning focus on protection will necessarily increase in breadth and intensity.
This is where the challenge of talent comes into the picture. According to Frost & Sullivan there are expected to be more than 1.5 million unfilled cyber security positions around the world by 2020. Naturally, this issue extends to businesses, which will need in-house talent to safeguard any data they are holding. The talent pipeline must be improved quickly in order to ensure data is protected long-term.
Finally, legislation must also continue to expand in scope. The GDPR is an important step in the right direction, and Gulf countries – at least the UAE and Saudi Arabia – have been proactive in tightening their laws. But technology and people move faster than legislation, making it hard for it to keep pace with hackers. Lawmakers face a challenge in ensuring any new legislation or regulation is relevant and effective both now and in the future.
But even with these challenges, there is a new appreciation for privacy and the importance of data safety. The Facebook and Cambridge Analytica scandal may have shocked many, but in its aftermath businesses in the GCC and around the world have been given the opportunity to look again at the way they store and use data, which can only have a positive impact on the security landscape in general.