x Abu Dhabi, UAEMonday 24 July 2017

Hacking threats that lurk within the Web

Companies around the world are now facing a rapidly mounting all-out assault in the form of industrial espionage conducted over the internet, and the UAE is particularly at risk.

Organisations in the UAE must take steps to safeguard their IT systems from hackers based in other countries. Stefen Chow / Bloomberg News
Organisations in the UAE must take steps to safeguard their IT systems from hackers based in other countries. Stefen Chow / Bloomberg News

Companies around the world are facing a rapidly mounting assault in the form of industrial espionage conducted over the internet. UAE companies are identified as being particularly at risk.

The problem has gained new attention after a US national counterintelligence executive (NCE) report warning of the growing risk of corporate computer hacking emanating from Russia and China. The report went beyond previous US official assessments of the scale of the problem to assert that hackers and illicit programmers in China and Russia are pursuing US technology and industrial secrets, jeopardising an estimated US$398 billion (Dh1.46 trillion) of US research. The most heavily targeted areas include pharmaceuticals, information technology, military equipment and advanced materials and manufacturing processes.

But security analysts believe that the problem could be even more widespread in the UAE, where hacking is over four times more common than in the US. According to the cyber security firm Sophos, hackers targeting the UAE are using a broad selection of tools to attack local organisations. These range from the casual insertion of a USB memory stick into any unattended PC or laptop to sophisticated computer worms and viruses transmitted via the internet.

According to research carried out by Sophos on a 10,000-strong test group in the UAE, hacking software, known as malware, was detected on 31 per cent of systems. This contrasts with only 7 per cent in the US and 6 per cent in the UK.

"The most common threats blocked in UAE is Autoinf - 10.42 per cent of detections - and this is usually associated with malware spreading via USB keys," says Mark Harris, the vice president of SophosLabs.

He adds that the computer worm Conflicker accounts for 8.9 per cent of UAE hacks and that commonplace viruses such as Sality (3.65 per cent of detections) and Palevo (3.62 per cent) are also a threat.

The risk consultancy firm Kroll also believes that the threat may be far wider than that identified by the US NCE report.

"The report indicated that there were a number of nations who had the capability to conduct large-scale cyberattacks," says Alan Brill, the senior managing director of Kroll's cyber security and information assurance practice. "In addition, there have been cases of hacking groups with similar capabilities to infiltrate networks and steal important information over extended time periods.

"The technology that they use has become more commonly available with time, increasing the population of potential adversaries. We've seen individuals - such as disgruntled employees with access to intellectual property - steal it where no government or hacker group is involved. So you protect the property against all forms of threat, regardless of the source of the threat."

Organisations in the UAE must therefore take steps not only to safeguard their IT systems from hackers based in other countries, but also from disloyal or discontented staff carrying USB sticks.

The introduction of corporate information technologies such as remote computing, known as the "cloud", whereby company information is stored by third parties, and the increasing use of smartphones also present a growing threat.

"Both cloud computing and the advent of mobile devices like smartphones and tablets have complicated the issue … It isn't always clear where services in the cloud actually store and process your data," Mr Brill says. "The use of smartphones, tablets and mobile devices of all kinds has also become a real issue. How do you secure these devices? Who controls them? Can you limit the devices to those provided by the company, which have the security features and software selected by the company, or can employees utilise a personal device?"

Security experts also believe that the speed of innovation is a danger for companies when employees use IT extensively not only in their work lives but also for personal reasons.

"Companies need to view security as a whole, and it is only as strong as its weakest link," Mr Harris says. "So, for example, if a user decides to share a company confidential document in the cloud, but uses the same password as for their gmail account, and that password gets compromised, they've effectively lost the data."

But although companies must be aware of the scale of the cyberhacking threat, it is also important to avoid developing a culture of paranoiain which access to IT is guarded to such an extent that efficiency is threatened.

"For a UAE-based company, I think they have to do a careful assessment of their intellectual property to see how important and desirable to others it is, and then take appropriate steps to safeguard it," Mr Brill says. "Not everything has to be locked away in a vault. It has to be reasonably usable, but you need to identify and implement the right level of control to both safeguard the information and have a way to know if it is being attacked."