What should the Middle East do to enforce cyber security?

If 2014 was the ‘year of the data breach’ in the US, then future cyber threats will be far more global. The stark reality is that the cyber security risk is growing and in particular, this globalisation of cyber risk poses a serious challenge for the Middle East.

In 2014, there were a record 783 data breaches in the US according to the Identity Theft Resource Center. These figures represented a 27 per cent increase in malicious cyber activity in one year – raising the threat level significantly and putting cyber security right at the top of most US corporate and national security agendas. And while the US is probably the most cyber threatened nation in the world, it is also the best prepared. The dynamic in the Middle East is somewhat different.

Last year, the UAE’s National Electronic Security Authority declared cyber security as one of the biggest economic and national security challenges facing countries in the 21st century.

The good news is, NESA’s right. Particularly in rapidly developing parts of the world such as the Middle East, where technological and economic advancements outpace cyber infrastructure, cyber criminals and hackers threaten social, economic and national security.

So why is that good? The recent establishment of NESA demonstrated that the UAE recognises the challenge. It also means they are serious about combating it.

The bad news, however, is that the problem is about to get a whole lot bigger.

The Internet of Things (IoT) – or as we call it the Internet of Everything – will redefine the cyber security landscape. To accommodate potentially trillions of connected devices, the internet will move from IPv4 to IPv6, which will open a floodgate of new threats.

To put this in context, as things and objects become smart and connected, the internet will – comparatively – go from something the size of a golf ball to something the size of the sun according to Marc Goodman, author of Future Crimes: Everything is Connected, Everyone is Vulnerable and What We Can Do About It. Securing an area so vast requires skill, planning, budget resources, expertise and agility.

While this paradigm shift in information and communications technologies will deliver new, innovative solutions and services that create jobs, stimulate economic activity and transform primary industries, it can only do so if resilient to the evolving threat of cyber criminality.

In an ironic twist, those countries with the most forward-facing internet-based technologies are potentially the most at risk. For example, Dubai is planning to transition into a smart city using smart sensors and devices in areas ranging from social services to transportation, the economy and tourism infrastructure. For cyber threat actors, this is a massive increase in potential vulnerabilities.

The GCC’s oil industry is particularly exposed. With such heavy state reliance on hydrocarbon revenues, many regional oil fields should – and must – become data driven to drive efficiencies and mitigate volatility in oil prices. Yet in doing so, we have to realise that this opens them up to a growing legion of sophisticated hacktivists and cyber criminals intent on degrading and destroying critical infrastructure developed over generations at tremendous cost.

Saudi Aramco attributed $15m of losses to the attack it suffered in 2012. Next time, the bill might not be so cheap.

The answer lies in collective action. Cyber security is no single person, organisation or industry’s problem – it is everyone’s. Just as the risks are shared, so should the responsibility for addressing them. Through an alliance of pooled expertise, resources and budgets, we can begin to give the cyber security challenge the attention it demands.

To start with, at least 5 per cent of a corporation’s IT budget should be spent specifically on cyber security. Beyond that, we need active, board-level involvement from senior leaders such as chief operating officers and chief information officers to ensure that cyber security is a core corporate priority. No board meeting should take place without cyber security being somewhere close to the top of the agenda.

They must elevate the organisation’s approach in five key areas: defense, leadership, systems, incident response and preparation.

• Adopting an active defense approach to cyber security is an emerging trend that senior leaders must follow. It makes the best use of real-time intelligence and assessment data to shape decision-making, fine-tune defenses and preempt threats.

• When it comes to leadership, all leaders should be aware that cyber attacks now touch every part of an organisation. Therefore, it is critical that the risk and responsibility be spread out across the organisation. Anything less will result in a flawed approach – and a potentially shortened tenure for any leader.

• The third area refers to systems or product development: It is imperative that IT leadership lead a fundamental shift to embedded security, with cyber defense a driver of product and systems development, rather than an afterthought. This shift is particularly important as the internet of everything expands the avenue of attack.

• At the same time, incident response offerings should include the right balance of multidisciplinary expertise–crisis communications, legal, policy, business and technical.

• Ultimately, an effective cyber security response requires two organisational shifts in behaviours. First, corporate functions such as legal, human resources and marketing must work together around an issue where there previously has been little collaboration. Second, they need to do so quickly.

The threat is real and imminent – if you haven’t already been hacked, you will be without a defense-in-depth strategy. Regional growth, the digital sphere and online criminality have converged, and with so much at stake for core institutions in the Middle East, the cost of doing nothing has never been higher.

With inputs from Dr. Mahir Nayfeh, senior vice president, Booz Allen Hamilton MENA.