Escalate cyber defence up to the boardrooms

A recent IT security report shows that executives in the Middle East are more concerned about cybercrime than the rest of the world.

What is perhaps even more striking in the report — by the non-profit IT trade association CompTIA — is that 85 per cent of executives believe that the cybersecurity threat level is increasing — 40 per cent rate the threat as ‘increasing significantly’. With such a high level of concern, the question remains: why is cybercrime such a concern and what can businesses do about it? Is this misplaced — or is it a real reflection of an increasingly ever-present danger?

The harsh reality is that it is escalating rapidly, the world over. Cybercrime in Dubai doubled over the past year. According to Dubai’s Criminal Investigation Department of Police Affairs, in 2013, there were approximately 1,600 reported crimes, up from 700 in 2012.

The knock-on effect is much greater than the crime itself. The UK Cabinet Office reports that the full cost of cybercrime on the economy is in the region of $45 billion per annum. A significant proportion comes from the theft of intellectual property, which accounts for around $15.5 billion per year.

Such theft has the ability to destroy businesses and livelihoods.

So, does this mean that businesses are fighting a losing battle — that hackers and criminal networks will always be one step ahead? The level of concern certainly demonstrates that businesses are aware of the threat — but are they doing enough?

Part of the problem lies in the increasingly complex ways in which hackers and criminals are using technology to attack individuals and infiltrate organisations. As data moves across multiple platforms, the window of risk becomes greater.

The capture of big data provides cyber criminals with a vast pool of new, structured data to mine. Retail transactions now take place online and through apps, providing greater opportunities for personal information to be captured, leading to identity theft on a much greater scale.

The CompTIA survey has also thrown up interesting perspectives on the nature of cybercrime: 54 per cent of Middle East executives believe that human error is a growing factor in security incidents. Hackers know that they do not always need to beat the security software — they can often rely on human error to open the door for them.

One recent example was the security breach at the online retailer eBay, which lost the personal identification of millions of customers simply because one employee lost their user ID and password.

Such errors are easily avoidable. Organisations that hold the data of millions of people should employ a two-factor or three-factor authentication, which means access cannot be granted by a single sign-on password. The loss of a password and username should not provide hackers with access.

Multiple levels of security are now particularly commonplace in large organisations and across critical infrastructure, where biometrics are increasingly the norm. Infrastructure such as airports, nuclear power plants or military buildings will require a number of authentications, including thumbprints and/or retina scans.

One of the most important ways to avoid human error and ensure that important security software is up to date is to bring the people who are running IT infrastructure into the boardroom. Executives need to have an ongoing dialogue with IT departments so that they understand what is being done to protect the business.

A critical step is to ensure that IT technicians are properly trained and certified, equipped with the know-how to beat the threats that businesses face. Ongoing training is crucial.

Sadly, for the Middle East there is a significant shortage of properly certified IT practitioners who understand how to protect a business. In the Middle East, 68 per cent of managers say that IT security is one of their most important priorities.

What is clear is that there is awareness of the problem and an eagerness to find solutions. Yet the very people who are best placed to protect against the rising threat of attack are in short supply.

It is encouraging that executives in the Middle East are so concerned about IT security and that businesses are facing up to the reality of the skills shortage. Businesses must engage with skills organisations to ensure that we are all working together to beat cybercrime.

Enterprises must ensure that their existing IT practitioners are up to date and certified, able to cope with the myriad threats that technology poses. Bringing the people who run IT infrastructure in to the boardroom — and then the classroom — is the best way to meet these challenges.

— The writer is executive vice-president for Certification and Learning at CompTIA.