Dubai

To say that information security is a priority for the Middle East would be an understatement. In a region that on one hand benefits from the economic and political stability of the Gulf Cooperation Council (GCC) nations and on the other faces the volatility of the political landscape in countries like Egypt, Lebanon, Syria, and Iran, cybersecurity has risen to become a major challenge, not just for large enterprises but for nations as a whole. Indeed, in recent years, the Middle East has played host to some of the first instances of advanced persistent threats and cyberwarfare anywhere in the world. Incidents like the Stuxnet attack on Iran’s nuclear centrifuge operations and the Shamoon attacks on energy assets in Saudi Arabia and Qatar are just some examples of the rising sophistication of such threats. The fact that these threats were specifically targeted and had a wider impact on the economic or political outlook of the nations affected signifies that cyberwarfare is now very much a reality. Add to this the increased use of ‘hacktivism’ to voice political or social discourse, one of the significant remnants of the Arab Spring and a key driver of recent attacks on financial services organizations in the GCC.

IDC’s analysis indicates that governments and companies in the Middle East now acknowledge that cybersecurity can no longer be taken for granted. IT security is no longer simply about ensuring an organization’s anti-virus software is up to date; it is a far more complex task that involves sophisticated strategies and now plays an intrinsic role in the stability of nations. Countries are working on implementing national information security strategies, with organisations such as NESA and aeCERT in the UAE, QCERT and ictQatar in Qatar, and the National eSecurity Center in Saudi Arabia being set up to monitor country networks and protect nations against cyberattacks. In addition to this, the occurrences of the past two years have prompted a number of countries to update their existing but archaic cybersecurity laws and establish committees (e.g., ISR in Dubai, UAE, and GIA in Qatar) with the aim of setting up security and information sharing policies for government entities.

The frequency of cybersecurity incidents has risen across the region following improvements in internet connectivity, the proliferation of mobile devices, the increase in application usage (be it enterprise, mobile, or social), the rollout of e-government and Internet banking services, and, most importantly, the explosion of ‘insider risk’. This so-called ‘insider risk’ refers to threats that arise due to the accidental or deliberate actions of employees within an organization. Accidental incidents can be things such as employees not being aware of corporate information sharing policies, using infected personal USB drives or devices at work, or even accessing enterprise systems from remote locations. Deliberate (or malicious) attacks include instances where employees steal corporate data or engage in corporate espionage. Most cyberattacks occur due to the existence of vulnerability points within an organization’s network, and most of the time it is internal vulnerability points such as an infected file or USB drive that set off large-scale attacks. Advanced persistent threats take advantage of particular vulnerabilities within a network or application, meaning they may go undetected for a long period of time.

Cybersecurity management has been recognised by many CIOs and IT heads as being an extremely challenging task. IT departments need to manage networks, endpoints, web services, and employee/customer identities, as well as update signatures, protect devices, and create policies, all while adhering to local, regional, or international mandates. IDC believes that the traditional attitude of just implementing appliances and software will no longer suffice; companies in the region must now adopt a holistic approach to managing cybersecurity. Companies need to establish security policies that are implemented and, most importantly, communicated to all employees. These security policies need to be reviewed and revised at frequent intervals – a task that is frequently overlooked.

A lack of related skills and insights into the relevant infrastructure presents major challenges to the successful implementation of robust security strategies/policies in the region. In a bid to gain insights into their infrastructures and compensate for the lack of skills, organizations in the Middle East have increasingly been seeking security automation, monitoring, and assessment solutions. There has also been an increase in demand throughout the region for security management services, vulnerability assessment services, and security event and incident management services, leading to the establishment of – and growing accessibility to – security operation centers (SOCs). Many vendors and telecommunications providers have established SOCs, particularly within the GCC, with the aim of providing vulnerability and monitoring solutions to both enterprises and SMBs. In addition to SOC services, enterprises are now engaging in third-party audits to check the robustness of their security policies. All the information and insights garnered from these solutions enable organizations to establish secure and robust security policies and practices.

Prior to the Arab Spring and the Stuxnet attack, cybersecurity investments in the region were largely influenced by the occurrence of monetary- and ego-driven hacking incidents in the financial services sector. Other influencing factors included the prevalence of virus infestations and the growing importance placed on compliance initiatives, particularly in the financial services industry. However, there has been a marked evolution over the past two years, with the susceptibility to cyber risk increasing by the day and technology transformations such as mobile, Big Data, social, and cloud only adding to the infrastructure complexity and sprawl. Governments and companies in the Gulf are beginning to acknowledge that it is no longer only about remaining ahead of the threat, but also about mitigating the damage caused in case of a cyberattack and sustaining business continuity/operations.

The columnist is group vice president and regional managing director for the Middle East, Africa, and Turkey at global ICT market intelligence and advisory firm International Data Corporation (IDC).