Investment in cyber security needs to be smarter and more transparent
Leo Cole, vice president of marketing at cyber security firm DarkMatter, explains why organisations need to develop cyber security resilience in order to remain sustainable in the future
NUMEROUS REPORTS AND ANALYSIS OF CYBER TRENDS IN THE REGION REITERATE THAT BUSINESSES IN THE MIDDLE EAST ARE MORE LIKELY TO HAVE SUFFERED A CYBER BREACH COMPARED TO THE REST OF THE WORLD, WITH ENTITIES IN THE REGION TYPICALLY HAVING EXPERIENCED MORE ATTACKS THAN ANY OTHER.
Given the heightened cyber threat environment we currently live in, there is no shortage of headlines pointing to ongoing vulnerabilities in digital networks and the requirement to counter them.
Only recently, results from a survey conducted by the British Chamber of Commerce (BCC) showed that one in five businesses in the UK has been the victim of a cyber attack in the past year.
The industry association surveyed more than 1,200 businesses across the UK, finding that 20 per cent had been hit by a cyber attack in the last 12 months to early 2017.
Significantly, the findings show that 21 per cent of businesses believe the threat of cyber crime is preventing their company from growing. Such statistics resonate globally, and even here in the Middle East there is recurring evidence that the number and sophistication of cyber incidents is on the rise.
Closer to home, statistics released by Dubai Police in 2016 demonstrate that cyber crime in the emirate saw an increase by 136 per cent between 2013 and 2015, amounting to a reported total of $22.3m in damages and lost revenue. While in the wider Middle East, the number of compromised records as a result of data breaches is estimated to have risen by 50 per cent in the first half of 2016 to more than 10 million.
While important for framing the scale and scope of the cyber threat landscape, regional and international statistics in and of themselves do not aptly consider the added impact to reputation, which can not only be significant, but also lingering.
Numerous reports and analysis of cyber trends in the region reiterate that businesses in the Middle East are more likely to have suffered a cyber breach compared to the rest of the world, with entities in the region typically having experienced more attacks than any other.
Thus, organisations need to develop a level of cyber security resilience in order to remain sustainable into the future. Annual expenditure on cyber security runs to hundreds of billions of dollars on a global basis, yet statistics point to a rising number of incidents with a greater financial impact, highlighting a dramatic disconnect between what is being spent on perceived protection and what level of actual protection is achieved.
International Data Corporation’s first Worldwide Semi-annual Security Spending Guide, published at the end of 2016, forecasts worldwide revenues for security-related hardware, software, and services will grow from $73.7bn in 2016 to $101.6bn in 2020. The research firm predicts the largest category of investment to be security-related services, which it estimates accounted for nearly 45 per cent of all security spending worldwide in 2016.
Often, companies rush to purchase cyber security products without looking at the processes and policies required to make such investment effective. While investment in cyber security defences is precisely the correct thing to be doing in our highly digitised economies, making smart decisions and adopting an endto-end outlook to cyber security is critical. Organisations need to pro-actively assume a state of breach in their systems and develop people, processes, policies and technologies to mitigate attacks.
There is also the rise in the direct or indirect involvement of nation states in cyber incidents, which makes this an ideal opportunity for entities in parts of the world that are considered to be geopolitically neutral to establish themselves with respect to offering an alternative for the verification of digital systems and equipment.
The UAE is perfectly suited to seize the moment. By basic geography, it is centrally located and accessible from
major global centres in a matter of only a few hours’ flight.
The establishment of ‘ Trusted Transparency’ in the technology environment is overdue. The development of industry-wide platforms by which enterprises are encouraged to conduct a full review of hardware and source code before installation is a pressing requirement. Penetration testing, vulnerability assessments and code reviews are important activities for enterprises, but do not go far enough in establishing cyber resilience.
Deeper and more rigorous testing and validation of products is necessary to identify vulnerabilities, backdoors and other security weaknesses across all areas of hardware, software, cryptography and mobile should be facilitated.
Permitting approved entities to be able to confidentially review source codes as the final stage of the procurement process would build trust and result in the further expansion of IoT operations. The review may be conducted in a clean room environment with appropriate controls that allow for full open review while still protecting intellectual property.
The testing and validation of systems using advanced technologies and human intelligence to establish a full understanding and assessment of any product should also be fostered. Technological areas such as hardware, software, cryptography, and communications should be scrutinised in order to provide an integrated testing environment that covers the full spectrum of cyber security vulnerabilities.
The acknowledgement that cyber security in a digital world requires a fresh outlook appears to be gaining at least elementary support by technology providers. In May for example, Microsoft published a white paper entitled Cybersecurity Policy for the Internet of Things, in which the technology firm urges the development of cyber security policies to support the rapid growth of IoT, addressing the need for specific IoT security practices.
It has become blatantly clear that the merger of physical, digital, and biological worlds brought about by IoT can cause cyber attacks to become more dangerous and policymakers are advised to consider the concerns of businesses, consumers, and the government to identify and understand security issues, according to Microsoft.
IoT describes a new type of technical architecture, a new concept that defines how we interact with the physical world. Standing at the centre of this digital transformation is trust, which can only be established and maintained through the development of robust cyber resilience.
Traditional cyber security offerings are becoming outdated and ineffective, and the modern threat vectors demand organisations adopt a transparent and dynamic approach to cyber resilience incorporating planning, prevention, detection/protection, and response with respect to protecting digital assets.