Dubai offers a glimpse of the future
Future Technology Week could become the enterprise tech event to watch in the Middle East.
You only have to look at the steadily increasing salary of information security specialists in the United Arab Emirates to see how seriously cybercrime is being taken. With chief information security officers earning upwards of US$250,000 in 2017 – a rise of five per cent from 2016, according to figures from recruitment firm Robert Half – enterprises are spending big on cybersecurity measures to ensure the integrity of their data.
The UAE is a prime target for hackers, given its high-value oil and financial services sectors, and the proliferation of connected devices among its population. The country’s cyber-crime threat ranking has improved over the past two years, but cyber-attackers still see the UAE as a lucrative target.
According to cybersecurity firm Symantec, the UAE’s 2016 Internet Security Threat Profile dropped to 51. That’s compared to 41 in 2015. The lower the ranking, the lower the threat risk.
In the Middle East and North Africa (MENA) region, Symantec says, the UAE ranks 10th in terms of cyber-threat levels faced, behind first, second and third placed Iran, Egypt and Pakistan, respectively. The UAE and Saudi Arabia are the only Gulf Cooperation Council states inside Symantec’s MENA top 10.
However, the UAE was the second most-targeted nation in terms of ransomware attacks in the MENA region.
Email is increasingly being used to breach cyber-defences. One in 136 emails received in the UAE is malicious, with ransomware used to overrun and lock computer systems. The ransomware is delivered in the form of an attachment containing malware-laden macros. When the attachment is opened, the host computer is instantly affected. Hackers can then demand a ransom to unlock the computer.
This method shot to prominence with the WannaCry attack in May 2017, which impacted factories, hospitals and businesses in more than 150 countries. The ransomware took advantage of older operating systems to wreak havoc. The UAE was largely unaffected, perhaps thanks to the attack landing in inboxes on a Friday, a non-work day for many businesses.
As Hussam Sidani, Symantec’s regional manager for the Gulf, says, the UAE has put in place measures to strengthen information security at federal, public and private levels. Sidani also notes that more enterprises are recognising and reacting to the weakest links in their cyber-defences: their staff and end-users.
“This year, Symantec has identified seismic shifts in motivation and focus,” Sidani says, cautioning that global hackers are using increasingly advanced techniques to beat defences.
“The world has seen specific nation states doubling down on political manipulation and straight sabotage. In the Middle East, we saw Shamoon putting Saudi Arabia on high alert again after attacks were uncovered late 2016.
“Meanwhile, cybercriminals caused unprecedented levels of disruption by focusing their exploits on relatively simple IT tools, unsecured internet of things devices and cloud computing services.”
Cybersecurity firm Dark Matter warned in 2016 that five per cent of all global cyberattacks were directed at UAE businesses and organisations. Startlingly, that’s a 500 per cent rise over the past five years.
Rabih Dabbousi, Dark Matter’s senior VP of sales, marketing and business development, says respect among peers is as big a catalyst for many hackers as financial gain. “As this sector digitises, bringing in efficiency, productivity and enhancement to the overall business model, it also gives opportunities to attackers to use common tools,” he says.
So what can your business do to protect itself? The first step is to understand the threats it faces. Contextualising assets and vulnerabilities within a risk profile is paramount – without doing this, the most effective protection won’t be forthcoming. Your information security team must familiarise itself with the reasons behind any potential breach. Once it has drawn an accurate picture of the information technology ecosystem your business operates in, a robust strategy can be formed.
This begins with a mapping exercise to understand your business’s various configurations, users, network reach and system state. Next comes tracing threats back to potential attackers and assessing their capabilities and resources. The analysis of these two steps should then lead to information that decision-makers can quickly act upon.
A number of factors are often overlooked when it comes to implementing such a strategy. One is that your information security team – whether internal or contracted – should be local experts with a global outlook, rather than vice versa. This will ensure a greater knowledge of threat profiles, local policies and governance.
Another is approaching enterprise cybersecurity on a business-wide basis, not just an IT footing. That means bringing together all functions – from board level to human resources, and even clients and suppliers – and then training them in the risks your business faces and how they can be minimised. Sustainable cybersecurity demands the breaking down of business silos and bespoke tactics.