Investment in cyber security needs to be smarter and more transparent

Leo Cole, vice president of marketing at cyber security firm DarkMatter, explains why organisations need to develop cyber security resilience in order to remain sustainable in the future

Gulf Business - ANALYSIS


Given the heightened cyber threat environment we currently live in, there is no shortage of headlines pointing to ongoing vulnerabilities in digital networks and the requirement to counter them.

Only recently, results from a survey conducted by the British Chamber of Commerce (BCC) showed that one in five businesses in the UK has been the victim of a cyber attack in the past year.

The industry association surveyed more than 1,200 businesses across the UK, finding that 20 per cent had been hit by a cyber attack in the last 12 months to early 2017.

Significantly, the findings show that 21 per cent of businesses believe the threat of cyber crime is preventing their company from growing. Such statistics resonate globally, and even here in the Middle East there is recurring evidence that the number and sophistication of cyber incidents are on the rise.

Closer to home, statistics released by Dubai Police in 2016 demonstrate that cyber crime in the emirate increased by 136 per cent between 2013 and 2015, amounting to a reported total of $22.3m in damages and lost revenue. In the wider Middle East, meanwhile, the number of compromised records as a result of data breaches is estimated to have risen by 50 per cent in the first half of 2016 to more than 10 million.

While important for framing the scale and scope of the cyber threat landscape, regional and international statistics in and of themselves do not aptly consider the added impact to reputation, which can be not only significant but also lingering.

Numerous reports and analyses of cyber trends in the region reiterate that businesses in the Middle East are more likely to have suffered a cyber breach compared to the rest of the world, with entities in the region typically having experienced more attacks than any other.

Thus, organisations need to develop a level of cyber security resilience in order to remain sustainable into the future. Annual expenditure on cyber security runs to hundreds of billions of dollars on a global basis, yet statistics point to a rising number of incidents with a greater financial impact, highlighting a dramatic disconnect between what is being spent on perceived protection and what level of actual protection is achieved.

International Data Corporation’s first Worldwide Semi-annual Security Spending Guide, published at the end of 2016, forecasts worldwide revenues for security-related hardware, software, and services will grow from $73.7bn in 2016 to $101.6bn in 2020. The research firm predicts the largest category of investment to be security-related services, which it estimates accounted for nearly 45 per cent of all security spending worldwide in 2016.

Often, companies rush to purchase cyber security products without looking at the processes and policies required to make such investment effective. While investment in cyber security defences is precisely the correct thing to be doing in our highly digitised economies, making smart decisions and adopting an end-to-end outlook to cyber security is critical. Organisations need to proactively assume a state of breach in their systems and develop people, processes, policies and technologies to mitigate attacks.

There is also the rise in the direct or indirect involvement of nation states in cyber incidents, which makes this an ideal opportunity for entities in parts of the world that are considered to be geopolitically neutral to establish themselves with respect to offering an alternative for the verification of digital systems and equipment.

The UAE is perfectly suited to seize the moment. By basic geography, it is centrally located and accessible from major global centres in a matter of only a few hours’ flight.

The establishment of ‘Trusted Transparency’ in the technology environment is overdue. The development of industry-wide platforms by which enterprises are encouraged to conduct a full review of hardware and source code before installation is a pressing requirement. Penetration testing, vulnerability assessments and code reviews are important activities for enterprises, but do not go far enough in establishing cyber resilience.

Deeper and more rigorous testing and validation of products, necessary to identify vulnerabilities, backdoors and other security weaknesses across all areas of hardware, software, cryptography and mobile, should be facilitated.

Permitting approved entities to confidentially review source code as the final stage of the procurement process would build trust and result in the further expansion of IoT operations. The review may be conducted in a clean room environment with appropriate controls that allow for full open review while still protecting intellectual property.

The testing and validation of systems using advanced technologies and human intelligence to establish a full understanding and assessment of any product should also be fostered. Technological areas such as hardware, software, cryptography, and communications should be scrutinised in order to provide an integrated testing environment that covers the full spectrum of cyber security vulnerabilities.

The acknowledgement that cyber security in a digital world requires a fresh outlook appears to be gaining at least elementary support from technology providers. In May, for example, Microsoft published a white paper entitled Cybersecurity Policy for the Internet of Things, in which the technology firm urges the development of cyber security policies to support the rapid growth of IoT, addressing the need for specific IoT security practices.

It has become blatantly clear that the merger of physical, digital, and biological worlds brought about by IoT can cause cyber attacks to become more dangerous, and policymakers are advised to consider the concerns of businesses, consumers, and the government to identify and understand security issues, according to Microsoft.

IoT describes a new type of technical architecture, a new concept that defines how we interact with the physical world. Standing at the centre of this digital transformation is trust, which can only be established and maintained through the development of robust cyber resilience.

Traditional cyber security offerings are becoming outdated and ineffective, and modern threat vectors demand that organisations adopt a transparent and dynamic approach to cyber resilience incorporating planning, prevention, detection/protection, and response with respect to protecting digital assets.
