High-profile breaches and new trends in cybercrime targeting governments, critical infrastructure and sensitive data have led to a heightened interest in, and need for, security. From online bank heists to industrial network infiltration and the theft of data and trade secrets, the threats in our web-based society continue to evolve at a rapid pace.
The increase in digital applications and internet adoption means more complex security is required, with the “2014 Global Economic Crime Survey” carried out by PwC showing that in the Middle East, the amount lost through cybercrime could be as much as $100 million (Dh367 million) annually.
The Survey also identifies cybercrime as the second most common form of economic crime reported in the Middle East, and fourth globally. A Middle East ICT Security Study undertaken by Cisco also shows increasingly high levels of smart device adoption, set to grow from 133 million to 598 million by 2018. Qatar has seen spectacular growth in internet adoption, ranking second among 132 developing countries for high levels of internet connectivity, according to a new report from the UN Broadband Commission.
However, with increased internet use comes more risk.
In 2013, Saudi Aramco, the world’s largest oil producer, was the victim of an assault which infected and deleted data from over 30,000 of its machines. The same malware was reportedly the source of an attack against Qatar’s RasGas, shutting down their corporate computer systems and website. Syrian hacktivists accessed the Qatar Domain Registry and redirected nearly a dozen government and business websites to propaganda, including the Ministry of Interior, Ooredoo Qatar, Qatar Foundation and the Ministry of Foreign Affairs in October 2013.
The ‘Emerging Cyber Threats 2014’ report produced by Qatar Computing Research Institute identified potential attacks on Qatar’s critical infrastructure, and the increased reliance of organisations on hosting information on cloud systems. ictQATAR has also identified new trends in cyber crime such as increasingly sophisticated attack methods involving large-scale identity, financial information and trade secret theft, acknowledging the financial sector as being the sector of choice for cyber criminals.
Sophisticated hacking groups
A report by EY states that breaches of information security are set to rise annually by 50 per cent. These figures are concerning, but even more worrying is the number of businesses and organisations which have been breached and remain dangerously oblivious to it.
Firms might believe they are protected from cybercrimes, but the pace of technology is a battle security software firms are constantly engaged in, as sophisticated hacking groups keep pace with the constant development of new technologies and methods. This creates an ever-widening gap between the actual enhancements of information security and the enhancements required based on the accelerating threat levels.
Governments in the Middle East are now taking action to combat and help deter the growing threat of cybercrime, through regional legislation such as the UAE’s Law No. 5 of 2012 combating IT crimes, Saudi Arabia’s Anti-Cyber Crime Law of 2007, Oman’s Cyber Crime Law of 2011 and Iran’s Computer Crimes Law 2012. In September 2014, the Qatari government promulgated a cyber crime prevention law (No. 14 of 2014) aimed at safeguarding the country’s technological infrastructure and strengthening cyber security within Qatar.
Qatar’s Ministry of Information and Communications Technology (ictQATAR) has formed the Qatar Computer Emergency Response Team (Q-CERT), an agency tasked with identifying major threats to the digital space and resolving them before they cause any harm to individuals, companies, or public bodies. Q-CERT aims to be the first responder to critical cyber incidents at the national level and in any of the critical sectors.
But the responsibility to fight cybercrime does not fall to governments alone. Companies have to accept that tackling such a complex issue will remain a continuous and ongoing process.
I believe there needs to be a fundamental attitude change, with organisations needing to ensure their basic security practices are up to scratch. We need to do more to safeguard our data, by ensuring simple, straightforward security gaps are closed, and to become far less reliant on automated security tools, taking a defensive stance by educating ourselves about the limitations of security tools.
Fraud prevention initiatives
We need to ingrain the philosophy that hackers are already inside the defences of our systems, and that organisations need programmes in place to spot and limit the potential. This is in addition to your data “crown jewels” being heavily protected through encryption or extra security.
That said, the use of traditional forms of fraud prevention initiatives will always be a part of the defence. However, to achieve the most efficient and effective route to combating cybercrimes, programme developers need to form industry-wide and international cooperation through information sharing and the collating of cyber issues, which would improve actions and responses to threats dramatically.
Although this type of information sharing could prove challenging if organisations are in competition, security firms such as Cyberpoint have developed software which allows anonymous and non-attributable reports to be sent to their collaboration forum, which can then produce actionable alerts to all other members who are connected.
As an information sharing platform, the internet was never designed to be a secure network. However, as we are well into the digital age and every aspect of our society converges online in some capacity, we are increasingly faced with sophisticated and critical threats.
While public and private sectors work together to provide the safest infrastructure possible, the key will be in identifying and responding to threats as quickly as possible and to mitigate damages and bounce back quickly.
The writer is a Partner at the law firm Pinsent Masons.