Taking on the GCC’s cyber criminals

There is rarely a quiet moment in the unceasing world of cybersecurity. And that is putting it remarkably mildly.

Take, for example Saudi Arabia. At the very end of October, King Salman issued a decree to set up the National Cyber Security Authority in a bid to enhance the kingdom’s existing cybersecurity efforts and protects its “vital interest, national security and sensitive infrastructure”.

Before November was out, the country had played host to countless cybersecurity workshops by numerous providers, seen the Jeddah-headquartered Organisation of Islamic Cooperation launch its own cybersecurity centre, opened the doors to the Information Security in the Middle East and North Africa 2017 conference in Riyadh, and reported that it had been targeted for several months as part of a cyber espionage campaign, purportedly by the attack group dubbed MuddyWater.

The attack is also said to have been made elsewhere in the GCC, across the Middle East region, and against many more countries worldwide.

In the UAE during November, the CEO of multinational Thales revealed that Emirates and Etihad Airways have increased demand for hardened electronic systems to protect against increasingly common cyberattacks; cybersecurity company Kaspersky Lab held a series of interactive sessions
on cybersecurity in Dubai schools; leading industry experts gathered for the RSA Conference in Abu Dhabi – at the same time as NYU Abu Dhabi hosted the world’s largest student cyber security event.

And this was just the tip of the iceberg; for what makes it to the world’s news pages are but a fraction of what goes on behind the scenes, never to be reported.

What it does show in full, however, is the growing awareness of and action on cybersecurity in a region that is spending more and more on protecting itself. Network spending alone is expected to hit $1bn by 2018 – an almost tripling of the $340m spent in 2012.

The GCC’s cybersecurity market overall is estimated to grow to over $10.41bn by the end of 2022, according to a 2016 report by BIS Research, while Gartner reported earlier this year that worldwide spending on information security would rise from $86.4bn this year to $93bn in 2018.

The region has no doubt been spurred into greater action by incidents such as the aforementioned MuddyWater attack, and the more widely publicised WannaCry ransomeware attack earlier in 2017, which infected more than 200,000 computers in 150 countries, impacting businesses from hospitals to logistics firms.

On the privacy front, the Equifax data breach exposed sensitive personal information of 143 million people, driving home not just the corporate impact, but the individual one.

“There is a growing awareness about cyber threats, and more companies are taking a strategic approach to cybersecurity” confirms Amir Kanaan, general manager of Kaspersky Lab Middle East.

“With many public cybersecurity incidents in the past couple of years, such as the attack on Saudi Aramco and the ransomware attack on the NHS this year, people, businesses and governments have started to take cybersecurity seriously.

“It is encouraging to see that every national government in the region is striving to create a secure digital environment. These strategic initiatives come at a great time as the region is equipping itself to adopt IoT services and get smarter, which will automatically attract sophisticated attacks from experienced cybergangs,” he adds.

In saying this, Kanaan touches on a topic that is extremely relevant to cities such as Dubai in particular, as they position themselves among the world’s first smart cities – seeking to use widespread and wide-ranging smart technology to offer all members of society, businesses and governments an easier, more efficient, sustainable and positive daily reality.

For all the good intentions, further progress is still to be made, explains Lt Col Bryan Miranda (Retd), associate of cybersecurity at Finesse.

“The major IT components of a smart city are IoT, SCADA (Supervisory control and data acquisition), mobile applications, web applications, Bluetooth and WiFi. All of these technology platforms have vulnerabilities,” he says.

“We [the UAE] are on a countdown to 2020 and the country is getting ready to be WiFi ready, as well as other developments,” he adds.

Faisal Al Bannai, CEO of UAE-based DarkMatter, emphasises the need for a new approach to cybersecurity.

“We are witnessing the emergence of a type of ‘tech tension’ between the obvious and significant gains being enabled by digital transformation, and the resulting widening cyber threat surface as a consequence of increased connectivity and digital intelligence,” he says.

“A renewed view of cyber resilience is necessary to overcome this tech tension, as during the course of the year we witnessed cyber threats growing in number and sophistication, highlighting the heightening challenge to maintain security across digital systems.”

Among the changes made by governments to the cyber landscape is the Dubai Cyber Security Strategy, launched in June.

The first stage of the strategy features five main pillars, including: ‘cyber smart nation’, i.e. raising public awareness; ‘innovation’, i.e. scientific research into the field; ‘cybersecurity’, i.e. establishing controls to protect data; ‘cyber resilience’, i.e. maintaining the flexibility of cyberspace and ensuring the continuity and availability of IT systems in the event of any cyber-attacks; and ‘national and international collaboration’, i.e. establishing local and global partnerships to consolidate cooperation frameworks.

It’s an example of the type of leading role that global analysts are demanding of their governments, though Lt Col Miranda argues much more needs to be done from the top from a legal perspective.

“I am not impressed with the cybersecurity regulations in the region,” he says.

“I feel we have a long way ahead to get to a place where we can secure ourselves – especially at the speed we are advancing in technology.”

Currently in the UAE, the Cybercrime Law No. 5 of 2012 has the provision to issue a variety of penalties, including lengthy prison terms and fines ranging from Dhs50,000 to Dhs3m.

But on the business front, Lt Col Miranda suggests a new tack. One solution he puts forward is a “mandatory audit imposed by the government” that would form part of the requirements of a business’s trade license renewal.

Kanaan, however, believes there should be a more symbiotic approach.

“Businesses and governments should learn from each other and apply best practice strategies to their own organisations in order to stay a step ahead of cybercriminals,” he says.

“The winning card here is for both governments and businesses to work together and approach cybersecurity jointly.

“We are definitely impressed with regional governments’ forethought in developing cybersecurity plans for their countries. There’s a long way to go, however, but the fact that the need has been acknowledged and addressed is encouraging.”

Yet despite the encouraging moves coming from the government and the increasing awareness of businesses, the fact remains that industries across the region face constant threats.

“In many ways the Middle East faces similar cyber threats to those one would expect elsewhere in the world, given the international connectivity driven by digitisation,” says Al Bannai.

“The prevalence of the energy sector in the region, and the rapid digital transformation of critical national infrastructure has brought with it an increases attack surface for utility companies, for example.”

Lt Col Miranda agrees, adding: “The treats are endless, with ransomware, email spoofing and network attacks. We can only expect this to increase in the future.”

He also points out the implications for businesses: “The risks posed by malware and hacking are severe enough that many small businesses are unable to recover.

“It’s not just the remediation costs – it’s the reputation damage, loss of business and legal costs that can follow an incident.”

Figures from Symantec show that in 2015, 43 per cent of all cyber-attacks targeted small business, while the United States’ National Cyber Security Alliance found that 60 per cent of small companies are unable to sustain their businesses over six months after a cyber attack.

Research by Keeper Security showed that only 14 per cent of small businesses rate their ability to mitigate cyber risks, vulnerabilities and attacks as ‘highly effective’.

The good news for all businesses is that increasingly sophisticated solutions are being provided developed by cybersecurity players. However, there is one key area than needs some dramatic improvements: That of talent.

A study by the Information Systems Audit and Control Association (IASCA) showed that there will be a global shortage of 2 million cybersecurity professionals by 2019. The 2016 Cybersecurity Skills Gap report also highlighted that 53 per cent of organisations experience delays of as long as six months to find qualified security candidates, and 84 per cent of organisations believe that half or fewer of applicants for open security jobs are qualified.It paints a dangerous picture for Lt Col Miranda.

“The skill shortage is acute and if there is no intervention, I think this will only continue to deteriorate.”

Kanaan adds: “The ratio of sophisticated cyberattacks is continuously increasing and can be prevented by adopting effective cybersecurity measures that include security solutions, education and raising expertise.”

As part of the effort to address the issue, Al Bannai announced in March that DarkMatter planned to increase its employee headcount by more than 35 per cent by the end of the year. The firm had already grown from 30 to more than 480 by that point since its launch two years earlier, putting its end-of-year target at around 650.

The CEO previously told Gulf Business that local talent would help drive the region’s cybersecurity industry and that DarkMatter was looking to identify young talent in the UAE’s universities.

“It will start creating a pipeline of people who say ‘there’s a good job, there’s an interesting space’,” he said at the time.

“These guys could join DarkMatter today but tomorrow they might start other companies, and through that we will have industries getting created in this space,” he added.

It is this kind of change that Lt Col Miranda believes is vital to the success of the region’s industry, creating a momentum across all aspects of cybersecurity.

“As cybercriminals evolve, so must the defenders,” he says.

“As Charles Dickens once eloquently said, “change begets change”. When one who is educated in turn educates others, there will be a compound effect on creating the security culture that is much need. IT security is everyone’s job.”

While there may be some improvements to be made to the inner workings of the industry, it’s clear to see that the cybersecurity market is booming.

The estimated growth to $10.41bn by the end of 2022 is no doubt driven by statistics such as IASCA’s finding that 74 per cent of companies globally believe that the likelihood of their organisation being hacked through IoT devices is ‘high’ or ‘medium’ – a stat that rings true in a region where digitisation is expanding rapidly.

“The market for cybersecurity solutions is booming due to the fact that the Middle East, being one of the fastest developing regions in the world, and one of the most advanced in terms of technology adoption, is targeted by a myriad of cyberthreats,” says Kaspersky’s Kanaan.

“As threats are changing, so are the solutions, which is why having a choice of vendors providing a range of solutions is an advantage for the customers. The fact that a multitude of companies are offering similar products is also a huge motivating factor for us to constantly innovate and come up with competent solutions that feature top of the line next generation technologies.”

So with threats, awareness and innovation on the rise, where will the GCC’s cybersecurity industry go in the coming year?

Finesse’s Lt Col Miranda is clear about what must happen.

“Organisations are losing the cyber-war and, as a result, cybersecurity needs to evolve to combat the growing problem created by cyber-attacks,” he says.

“This may take the form of security systems integrated with AI, or simply stricter regulations to organisations will take the threat more seriously.”

It’s a view backed up by Kanaan, who pinpoints some of the growing trends in the sector.

“Advanced Persistent Threats target businesses more and more each year,” he says.

“Kaspersky Lab expects to see a decreased emphasis on ‘persistence’, with a greater focus on memory-resident or file-less malware, reducing the traces left on an infected system and thereby avoiding detection.

“We predict an increase in the repurposing of off-the-shelf malware by cybercriminals who make us of already created attack vectors.

“We also see diversification in attack targets by industries. Attacks on financial services organisations such as banks, investment funds, and both stock and currency exchanges, including those handling cryptocurrencies, are taking place more and more often.

“Industrial cybersecurity is also becoming acute, which is especially relevant for oil and gas, and similar facilities in the Middle East.

On a more positive note, he highlights ABI Research’s forecast that machine learning in cybersecurity will boost big data, intelligence and analytics spending to $96bn by 2021. This machine learning supported by analytics, says Kanaan, will lead to “an elemental shift in the way we work with machines to ensure security in a highly digitised world”.

For the time being, however, DarkMatter’s Al Bannai offers companies some simple advice in a bid to establish continuing protection.

“We advise entities to implement the Cybersecurity Life-Cycle, or something similar to it,” he says.

“[This is] a multi-stage approach, encompassing planning, prevention, detection and protection, and response to cyber incidents.”

And with ISACA’s research claiming that the average cost of a data breach will be $150m by 2020, and more than one in four organisations having already experienced an Advanced Persistent Threat, it would seem that there is no time like the present for GCC businesses to ensure their cyber defences are as solid as can be.