Security MEA speaks with Thomas Fischer, Global Security Advocate at Digital Guardian, on the overall state of security in the region.
How is the security landscape evolving in the Middle East?
We are seeing an increase in investment and companies spending more time and effort on addressing threats. Companies in the Middle East, especially the GCC states, have been hard hit over the past few years with both insider and outsider threats. Much of this is focused on hacktivism as well as impeding companies like Saudi Aramco from doing business. The attacks seem focused on core infrastructure aspects trying to hurt Middle East countries from operating effectively.
While companies have not been afraid to invest in security technology, there is more of a need now to focus on the people aspects including looking at process and governance. Like the rest of the world, technology and information are becoming an integral part of business in the Middle East and this is increasing the attack footprint and potential for interruption and data leakage.
What are the current trends in cyber security in the Middle East? Are there any trends that are unique to this region?
I see the key trends in the Middle East being a primary focus on governance and working on the people and process aspects of security. We are starting to see the implementation and enforcement of governance policies such as NESA that will impact trends on spending and employee awareness.
Cloud is becoming a reality in the Middle East as well and is also a key trend that needs to be considered as greater adoption will bring greater security challenges.
Data protection will also have an impact as companies and government offices will need to consider how to deal with data leakage and protecting data from both insiders and outsiders – this will have even more of an impact for companies that do business in places like the EU.
However, these trends are not unique to the Middle East; we’ve seen these trends in other countries as well in the past.
Many reports suggest that there has been an increase in cyber-attacks; if so, which verticals are more prone to attacks? What makes these verticals an easier target than others?
The main verticals under attack are government, oil and gas and financial sectors. The goal in large part will be to disrupt the ability of these to carry out their business thus having immediate or short-term financial impact. For the governments, we see more hacktivism or even state-sponsored. Footprint and size make these more interesting for attackers. People are the easy vector into the companies and the proliferation of malware in the region doesn’t help. Companies that are distributed and have many offices across the region are also an attack vector as traditionally there has not been a good level of centralised tracking.
Is there any way to quantify the number of attacks and the kind of losses that have occurred because of cyber-attacks?
Quantifying is only as good as the reporting and notifications carried out by the victims. Some reports have been suggesting that there are 100000 or more attacks during the year and some companies don’t know but the average remains between 1 to 500 (average loss around 500k). But in general, most reports show the Middle East as largely having more incidents than the rest of the world.
Only strong monitoring and reporting will provide a good understanding of the number of attacks happening.
Is finding trained security professionals a real challenge in Middle East? If yes, what are the reasons for the shortage and how do you overcome this? Also does the lack of skilled manpower availability have any impact on the security preparedness of the organizations in the region?
The Middle East has traditionally not focused on the people aspect of security. This is both an issue end-user wise and in terms of infosec professionals. Like everywhere in the world, there is a strong demand for security professionals which unfortunately does create issues around retention.
Training and incentive are key aspects to get the right infosec staff. Teams also need time to be able to retrain and learn new aspects and understand how to deal with new attacks as well as new technology.
End-user awareness and training, which will enable employees to help control the spread of phishing attacks and malware, is an important aspect of helping an organisation deal with a lack of security professionals. Organizations should focus on enabling the end-user to be a part of the solution instead of the problem.
What measures should organizations take to safeguard themselves?
Focus on the governance, policies and procedures; don’t rely only on technology.
Build a strong awareness programme to enable the end-user to help and be a part of the solution. Remember that security is an end-to-end problem; include the user in that end-to-end problem. You need to move beyond the traditional thinking that this is an audit or IT issue, to integrating a full-blown security architecture that covers all aspects of the business workflows. Think of Security as an enabling solution that not only helps protect the organisation via technologies to stop attacks or control exfiltration but also acts as an enabler to ensure business is carried out in a secure way (process and people).
Last but not least, what role can the governments play?
Governments can help by enabling strong compliance regulations like GDPR and ensuring businesses take the right measures through controls and audits. Governments can also help by establishing sharing programs and getting companies to buy into a country or region-wide community threat intelligence work. Governments should also see themselves as authorities and provide guidance as well as assistance into understanding and providing recommendations to thwart threats.