The UAE recently appointment the world’s first minister of artificial intelligence (AI), the latest announcement from a country that is on a path to rapid technological advancement.
The emirate of Dubai launched its $1bn Future Fund for tech innovation in 2017, and national information and communications technology spending remains high, with IT investment in the UAE estimated to be $16bn last year, according to IDC.
As the number of tech initiatives and tech users proliferates, however, the need for internal IT security protection increases. Although not highlighted as much as attacks from external players, a high number of breaches are from internal sources.
“The UAE has always been quick to adopt new technologies, such as AI, smart initiatives, cloud and the like,” said Haritha Ramachandran, associate director, digital transformation practice, at Frost & Sullivan. “But it is crucial to ensure that security as an underlying theme is not forgotten, and there is always an update for the new initiatives and national strategies.”
Ramachandran notes that, in the past five years, UAE organisations have made IT security a priority, particularly in the banking and telecoms sectors. However, she says firms will need to pay increased attention to internal security practices as the use of cloud, bring-your-own-device (BYOD) policies and social media proliferates in the country.
Scott Manson, cyber security lead, Middle East and Africa, at Cisco, agreed that an extremely cautious approach to internal security was required. “You can lock every window and bolt every door to keep out intruders, but it won’t be of much use if the attacker is already inside; as an insider,” he said.
“Most security reports and headlines highlight stories of organisations that are attacked by an external party, but incident statistics highlight a growing number of attacks from insiders and partners. These incidents are real, and threaten your most sensitive information,” said Manson.
Build security awareness and control access
Complexity is one of IT’s biggest security challenges. “The more complex the system, the greater the attack surface. It is much easier now to hide multi-pronged attacks in different layers and parts of the IT infrastructure,” said Manson.
“Virtual machines, BYOD, cloud environments, hyper-connectivity, automation and professional cyber criminals have created an onslaught of [internal] vulnerabilities that yesterday’s cyber security [methods] cannot address.”
Scott Manson, Cisco
Company employees usually have the greatest access to company data, and this is “often overlooked” said Manson.
“Sensitive information is only as secure as the least secure human who has access to it. This is why it is important to build a culture in the workplace around security awareness and to think twice before distributing information,” he added.
“Attackers are targeting the human element of digital IT through phishing and other forms of social engineering. Simple steps and tasks can contribute to building a human firewall. Things such as training employees to identify phishing attacks could very likely save an employee from being a phishing victim. Another important step is to evaluate who has access to what data.”
Kamel Heus, regional manager, Middle East and Africa, at identity security firm Centrify, agreed that cyber threats “come in all shapes and sizes, and from all vectors”.
Heus recommended limiting staff IT access to only the core functions needed. “The fundamental issue is that too many people have too much access to too many things from too many places,” he said.
“It is very important that people have access only to what they need for their job, following least privilege principles. This includes access to applications – either on-premise or in the cloud – and appropriate access to systems and network devices for administrative users.”
Manage the mobile menace
As the number of mobile devices proliferates in the UAE, Frost and Sullivan’s Ramachandran recommends that firms run employee change management and awareness initiatives to communicate the risks and how important it is to be mindful.
According to the latest Cisco visual networking index global mobile data traffic forecast, the Middle East and Africa region will see an increase in mobile devices and connections, from 1.3 billion in 2016 to 1.8 billion in 2021 at a compound annual growth rate of 6.4%.
“The proliferation of mobile devices creates more endpoints to protect. The cloud is expanding the security perimeter. And users are, and always will be, a weak link in the security chain,” said Cisco’s Manson.
Kamel Heus, Centrify
Aaron Han, chief of pathology at American Hospital, who advises on the hospital’s IT policy, agrees that mobile devices pose a high risk.
“The proliferation of remote monitoring devices [in healthcare] is an area of great promise, but also increases risk as the health IT ecosystem grows exponentially,” he warned.
“With the growth of telemedicine, there will be ongoing challenges for patient privacy and ensuring appropriate control of access of patient information to healthcare workers who need to know. IT is highly integrated into many of our devices in hospitals, but mitigating risks is an ongoing challenge.”
ZK Research estimates that 80% of breaches originate inside the network, not through the perimeter. According to Manson, another way to protect the network from intruders is through network segmentation. “In fact, several of the most high-profile data breaches in recent years could have been prevented this way,” he said.
It’s critical that UAE organisations create a culture of cyber security awareness, according to Manson.
“Protecting proprietary and sensitive internal and customer data isn’t the sole responsibility of the IT department – nor should it be. While deploying the latest network defence tools is important, a successful cyber strategy should include developing a culture of cyber security within the workplace,” he said.
Read more about internal cyber security threats
- Financial services may have replaced healthcare as the most breached industry in 2016, but that doesn’t mean healthcare is in the all-clear.
- Even tech-savvy employees can be fooled into allowing attackers access to company networks, warns former FBI investigator Don Codling.
- Differentiating between insider and non-insider malware threats can be challenging. Expert Nick Lewis offers pointers for distinguishing malware coders from internal threats.