Dubai: Even with cyber attacks an ever-present danger, UAE businesses are just not doing enough to keep data safe.
“Most companies are quite aware of the growing threats of cyber-attack and are taking steps to mitigate the risks,” said Arindam De, Managing Director at Protiviti UAE, a risk and compliance consultancy. “However, such steps are not adequate in comparison to the continuously evolving threat landscape.
“Regarding strong cybersecurity measures, some companies are ‘later to the game’ than others. And in the cybersecurity domain, what was considered enough in the past is not enough for the present - and certainly inadequate for the future.”
The fact is there is no let-up in the ferocity of such attacks. UAE-based Finablr’s forex business Travelex was hit at the start of the year with a ransomware attack that forced the shutdown of its computer systems.
Saudi Aramco, which bore the full weight of the biggest cyber attack ever in August 2012, one that damaged around 30,000 computers, saw an increase in attempts since the fourth quarter of 2019. Ride-hailing app Careem saw a leak a year earlier when data of up to 14 million customers were stolen.
“A shift is occurring in the nature and type of cyber attacks companies experience,” De added. “The so-called identity or personal information thefts are losing value for hackers... what is on the rise is ransomware.”
What’s to be done
To nail down what’s being done to date, George Stoyanov, Partner at Grant Thornton UAE, said the region has seen a lot more regulation. “This obviously reflects the regulatory regimes happening in the rest of the world around information security and data protection,” Stoyanov said.
Effective cybersecurity begins with protection, followed by detection, identification, response and recovery, according to the National Institute of Standards and Technology (NIST) Cybersecurity Framework. Companies scored higher on protection and detection, but lowest on identification, response and recovery, according to a study conducted by Protiviti.
The majority tend to react only after an attack has occurred. But scammers are presenting increasingly sophisticated threats as their targets struggle to keep up with the sinister technology.
Companies that proactively assess risks and take action to defend themselves are able to mitigate cyber risks to a certain extent, but these are not many. “To minimize their risks, companies should build cybersecurity into each step along their digital transformation process,” De added.
Governments have developed guidelines for essential cybersecurity defences, while setting up emergency response teams for sharing threat intelligence. “These measures are expected to mandate companies to step up their control activities and do enough to protect themselves against cybersecurity risks,” De added. “The first challenge lies in how securely our technologies are designed, deployed and operated - it is a fact that breaches happen due to insecure design, configurations or coding.”
The next challenge is the lack of experienced, skilled and talented cybersecurity professionals. “While the attacks are getting sophisticated day by day, the workforce are not keeping pace with the hackers,” De said.
Although IT audits are among the most vital and common go-to solutions for companies, they are not the only answer to preventing cyber-attacks. “In the majority of IT audits, they take a look at what has happened in the past and check how ready you are at present,” Stoyanov said. “But until the next audit, the systems remain effectively susceptible. So, a lot of companies these days are engaging in a continuous type of monitoring to enhance protection.
“You’re only as strong as your weakest link – it’s a matter of how you would respond to the cyber-attack when the inevitable happens.”