Financial institutions are finding themselves at the forefront of the cyber security battle, and according to Ahmed Baig, CEO of the Chief Information Security Officer (CISO) Council Middle East, there is work to be done.
With a rising volume of attacks in the past 18 months, cyber security issues will be a leading theme at this month’s GITEX Technology Week 2016 conference.
According to Baig, the non-profit industry body, which has about 4,000 members in the Middle East, last year saw an increase in advanced persistent threats (APTs), ransomware and phishing against government and commercial entities.
“We have seen a significant increase in the volume and sophistication of cyber attacks against both governments and private corporations,” said Baig.
“A couple of years ago, we had a lot of APT attacks on governments, which still continue to happen. But what we have seen recently is that these attacks have gained a lot of traction in the financial sector and against other commercial entities.”
Megha Kumar, senior research manager for software at IDC Middle East, Africa, and Turkey, said security was critical, not just for securing enterprise data but also as a major facilitator of the digital transformation process.
“Increasing the levels of awareness and proactivity around security is critical for organisations across the GCC,” she said. “Financial motivation continues to drive cyber crime activity in the region. The implications of such incidents are far reaching, not just from a financial perspective but also from a regulatory and reputational point of view.”
Kumar said advanced persistent threats could go undetected for long periods of time, adding to the complexity of the challenge.
Despite the growing danger of security breaches, most firms in the Middle East are still adopting a reactive approach to protecting their digital assets. But the migration to digital business will further increase security risks and could change this attitude.
Baig warned that security breaches would typically result in the loss of data and perhaps corporate reputation, but he added that the moment organisations went digital, the physical and virtual worlds were combined and things would get more serious.
He said the IT industry was witnessing a global storm in cyber attacks.
One of the problems in the Middle East was that many businesses still viewed their IT department as a simple service department, not capable of delivering much value to the business, said Baig.
But this was changing and the roles of CIO and CISO were gaining strategic importance, he added.
Baig said the adoption of advanced technology was becoming an important factor in boardroom discussions, which would raise awareness and understanding of cyber security.
“Most local businesses are still very reactive when it comes to securing their infrastructure and IT assets,” he said. “They see security as an unwanted expense, until the time when they get hit by an attack. And in most cases, organisations do not have a mechanism to detect whether they are compromised.”
Baig said one of the most important things the sector had to understand about cyber security in the Middle East was that small firms still dominated the business sector and there were few enterprises with more than 10,000 employees. This made the cyber security challenge different from that for organisations in Europe and the US, for example.
IDC’s Kumar said advanced IT threats could go unnoticed for long periods of time and added that job cuts in IT departments also put organisations at risk of cyber attack.
She said insider risk was heightened when disgruntled employees leave a company, potentially taking sensitive corporate information with them. “In such cases, data loss prevention, data access management and governance are all major security factors that must be addressed to avert any unwanted drama.”
A shortage of security skills in the Middle East is an issue that must be addressed, but the region is not alone there, said Baig.
He said that in the first couple of months of the Middle East CISO Council’s existence, it had taken part in roundtables in the US, and the input from global partners and the key issues that came out of those discussions made it clear that the shortage of IT security skills was not just a regional issue. “There is a global shortage of security professionals and this region may have a bit more of a problem than others,” he added.
Lack of best practice
A lack of best practice in the region is also a concern. When Middle East organisations face a security issue, they don’t share the information for fear of embarrassment. The downside of that is they don’t get to share best practice and don’t learn from that experience.
Baig said many countries, including most of those in the Middle East, had no laws governing compulsory disclosure of data breaches. “But this is changing – there is more compliance coming into government and the commercial sector,” he said. “Some countries, like Qatar, are evaluating regulations where the companies that face breaches could also be fined. You will see regulations like these in the next three to five years, even in this region.”
“Also in the banking industry, there are a lot of intelligence-sharing groups working locally and these have tied up with other international information-sharing forums.”
Baig said the CISO Council tried to encourage participants to share information about breaches and attacks with their peers, but this was difficult in the region.
“Name and shame is one of the biggest issues where the culture here prevents organisations participating,” he said. “But also most businesses in the region are family owned, which is one of the factors why information is not going public.
“Things are changing, but it might take a little more time, unless we have some regulation to make it compulsory to make organisations disclose these attacks.”
Baig said most CISOs were worried about data breaches and the losses they could cause. But fears would increase and broaden in the coming years and extend to other executives as companies go digital, he added.
“The moment they go digital, the physical and virtual worlds are combined, so things are going to be a lot more serious,” he said.
Ahmed Baig will take part in two roundtables during the GITEX 2016 conference in Dubai. The CISO Council will take part in the CISO Breakfast Briefing on 18 October.