The cyber security threat from within
Today in the UAE, cybersecurity is still seen from the perspective of an external threat. Emphasis on the internal attacker is neglected, yet research shows that the risk from such internal attacks has been an increasing worry across the world.
A recent case in point is that of the whistle-blower Edward Snowden, who leaked highly sensitive and classified information from the National Security Agency to the media in 2013.
Cybersecurity needs to be tackled from both the external and internal perspective. This is a business issue, and business leaders must own it. However, cyber crime is a new phenomenon and most business leaders have not grown up with it.
To stay ahead of the increasing sophistication and pace of cyber attacks, awareness among employees is a must, as is the integration of cybersecurity into overall risk management and continued education for all board members.
Dealing with cyber threats is a complex matter. As the information security landscape evolves, a shift of focus from protection and compliance is critical.
Relying solely on defence will not stop a determined adversary from getting through to confidential information. Public and private organisations must be informed of the risks they face so that at any time they can assess the nature, timing and occurrence of an attack. The insight that the attack provides is at the heart of the next generation of information security.
In many large, complex global organisations, moving from a reactive to proactive operating mode requires transformative change.
Technological vulnerabilities are only part of the problem. Addressing it also requires organisations to tackle core people processes, culture and behaviours, and to overcome significant trust barriers so they can collaborate with competitors and law enforcement agencies to effectively target the threats.
Many organisations act only when a serious breach occurs. Taking a proactive security stance can slow the attacker’s progress and identify their actions early.
The adaptive approach can prevent downtime and avoid expensive, disruptive responses to incidents. Thinking through the threat landscape can help organisations to understand how their business might be targeted and how to configure defences.
The recent Sony cyber attack is an example of how organisations need to be more vigilant about data breaches. Historically, some organisations perceived to be foolproof have found themselves victims of cyber attacks.
Citibank was hacked in 1995 by Vladimir Levin, who illegally transferred $3.7 million. In 1999, $1.7m worth of information was stolen from Nasa by a 16-year-old hacker, and RSA Security spent at least $66m on remediation after its network was breached in 2011.
In the UAE, the Government has taken the cybersecurity challenge seriously and has drafted standards and frameworks for organisations. The challenge lies in implementing these standards to enhance the cybersecurity of the state; they should not be treated as a tick-the-box compliance exercise.
Organisations have yet to adopt a collaborative approach to cybersecurity, whereby information about near-misses is shared within a community to enhance defences.
The digital environment presents many opportunities for businesses that want to find new markets. The last 10 years have seen a rapid emergence of new technology and greater connectivity for organisations and individuals.
However, this has left many firms behind the curve and struggling to achieve their aspirations without feeling exposed to cybersecurity risk.
Every day we hear of new vulnerabilities, attacks and incidents. A recent report by the Washington-based think tank The Centre for Strategic and International Studies quoted annual losses of US$375 billion to $575 billion, and suggested that cyber crime, through fraud and espionage, might extract up to 20 per cent of the global economic value created by the internet.
The Middle East is not immune. In 2012, Shamoon malware affected about 30,000 workstations at Saudi Aramco. In 2013, about $45m was stolen from banks in the UAE and Oman in a credit card heist.
Understanding the external threats from hacktivists, organised criminals, industrial spies and, increasingly, nation states is important.
However, it is easy to ignore the insider risks posed by careless, disgruntled or malicious employees. Attackers frequently gain access to employees’ accounts through phishing emails and other socially engineered attacks.
The UK government is regularly implementing initiatives to boost awareness of cyber threats.
More regional and international boards need to challenge their teams to answer the right questions before they themselves are challenged by stakeholders about their capability. Being able to identify, prioritise and protect the information life cycle helps an organisation to move forward securely.
Ian Gomes is the head of advisory at KPMG Lower Gulf
Updated: March 5, 2015 04:00 AM