Study sounds alarm over UAE data security
DUBAI // Companies in the Emirates are leaving themselves open to computer attacks by failing to adequately protect sensitive commercial data, according to a recently published study.
As many as 75 per cent of respondents to a survey conducted by two UK academics said they did not have a policy in place for protecting sensitive information from hackers, the study showed. Internet security firms have previously warned that the Emirates is becoming a popular target for cyber criminals, though the alerts have apparently fallen on mostly inattentive ears.
"The issue is not taken very seriously by the majority of companies," said Messaoud Saidani, a member of the Coventry University engineering and computing faculty and who helped write the report. "People get on with their daily business not fully aware of the real threats around them. For a place such as the UAE, which is a business centre for the region, the level of vulnerability is disturbing."
Mr Saidani's research was conducted with his Coventry colleague Khalid al Awadi, an Emirati. The paper was published in the journal Information Management and Computer Security in July.
One of the biggest internet security concerns in the region in the last six months has been the Stuxnet virus, which is said to have been designed to target Iranian nuclear facilities but has since spread to affect computer systems in other countries.
There have been 1,600 known Stuxnet infections in the Emirates since the virus appeared in July, said Costin Raiu, a director at the Moscow-based computer-security firm Kaspersky Lab.
"Obviously, Stuxnet being a very serious threat, one could assume that it should be handled with high priority, although the data clearly doesn't indicate" that is being taken seriously, said Mr Raiu.
Kaspersky claims that 56 per cent of cyber attacks within the region are directed at the UAE. Moreover, there is a high level of ignorance about the techniques used by cyber criminals, said Fadi Aloul, the assistant professor of computer engineering at the American University of Sharjah.
Mr Aloul recently devised an experiment to test student awareness of phishing techniques, which are used by hackers to obtain bank details or other personal data. Almost everyone who took part was duped by the ruse.
"There's a general lack of awareness here," he said. "You need to education people on the tactics used by hackers, and it's a continual process, as their techniques change."
Some experts, however, disagree about the lack of knowledge of viruses and hacking. Christopher Brennan, the vice president of emerging markets at the anti-virus firm McAfee, said that large organisations in the Emirates generally had a good awareness of the risks of lax security. The quality of protection varied depending on the size of the company, he said.
"When considering this issue, it really depends on whom you ask," said Mr Brennan. "Some government organisations and corporations have very high standards indeed, even higher than in Europe."
In the university study, some 77 per cent of respondents were small and medium-sized organisations, with the majority in the services sector. The majority of respondents, however, did not have a written plan designed to secure data. Similar studies in the UK showed the number of companies that fell short in that respect was far lower, said Mr Saidani, with only around 20 per cent not having a security strategy.
The survey targeted 70 organisations across the country, and 35 firms responded to questions.
"Everywhere around the world data is being stored on computers rather than as paperwork," Mr Saidani said. "As soon as you store information electronically, it's vulnerable."