Staff ignorance about security opens up firms to cyber attack
Ninety-nine per cent of incidents come from ‘internal vulnerabilities’
Employees’ lack of understanding of basic security is leaving organisations in the region vulnerable to cyber attacks, security officials say.
With 99 per cent of cyber incidents a result of “internal vulnerabilities” and an expected 26 billion devices in the world by 2030, they said more diverse and regular staff training was required to counter evolving digital threats.
“We see lots of social engineering attacks, which is something where we lag behind,” said Dr Fadi Aloul, head of computer science and engineering at the American University of Sharjah. “The university is very active in security awareness, which is something we lack in this region. People are so excited about technology and gadgets, and completely forget about security.
“The Internet of Things is probably our next big threat. It’s a tsunami coming up very soon that will lead to cyber blackmailing.”
During a panel discussion about the GCC Cyber Threat Landscape at the Gartner Security Summit in Dubai yesterday, security officials described internal vulnerabilities as the Achilles' heel of today's cyber-security environment.
“The financial sector is the most targeted in the world because it’s where the money is,” said Thabet Khamis, head of information security at the UAE Central Bank. “The types of attacks we get are mostly social engineering and fraud attempts, and we see attempts from people who pretend to be chief executives and account managers in specific banks.”
Social engineering attacks are those in which a user is tricked into giving away information or into breaking normal procedures.
External cyber attacks involve criminals breaking into a system on their own, while internal attacks are those in which an employee lets the attackers into the company system, whether by mistake or intentionally.
“The one-click processes most banks are trying to achieve to enhance customer experience actually lead to some of the incidents we face in the financial sector,” he said.
“I always tell my team to go back to basics, [especially when] organisations in the Arab world depend on people more than the process, so when that person leaves, it goes back to zero.”
Research suggests that 95 per cent of successful internal cyber attacks are triggered by untrained staff, perhaps clicking on a link in an email that they should not.
“Only 5 per cent are malicious,” said Sam Olyaei, senior research analyst in security and risk management at an American research and advisory company.
“We look at the first line of defence – the people. You can have the best defence in the world, but you can’t do anything if it comes from the inside. People need to be educated.”
Many penetration and vulnerability tests carried out in the UAE have found ransomware and viruses already hidden in organisations’ networks.
“I tell them to start with the internal components first,” said Mohammad Bushlaibi, a forensic analyst at aeCert, the UAE computer emergency response team at the Telecommunications Regulatory Authority and the country’s cyber security co-ordination centre.
Regional studies have found that careless employees were the most significant challenge in facing these threats, followed by external cyber hackers, internal cyber hackers and then “hacktivists”.
“You need to think about human interaction as well,” Mr Bushlaibi said.
“It could just be a human resources employee receiving a CV from someone he didn’t contact. Open it, and you have a ransomware in your system.”
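As a defender-side illustration of the scenario Mr Bushlaibi describes, the following Python screens an inbound message with attachments, such as an unsolicited CV sent to human resources, before anyone opens it. This is example code written for this page, not code from the article or from any of the organisations named in it. The sample messages are constructed, and the extension lists and the "known contacts" rule are assumptions standing in for a real mail-gateway policy, which would normally also run antivirus and sandbox detonation.

```python
"""Screen inbound e-mail attachments before a user opens them.

Added example; not from the article. Extension lists, magic-byte table and the
sample messages below are constructed assumptions, not a complete policy.
"""
from dataclasses import dataclass, field
from typing import List, Set

# File types that run code directly, or Office formats that can carry macros.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "jse", "vbs", "ps1", "hta", "lnk", "msi"}
MACRO_OFFICE_EXTS = {"docm", "xlsm", "pptm"}
DOCUMENT_EXTS = {"pdf", "doc", "docx", "rtf", "odt", "txt"}

# Leading bytes that identify common container formats (assumed table).
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe",                # Windows PE executable
    b"PK\x03\x04": "zip",        # ZIP; also docx/xlsx/pptx
    b"\xd0\xcf\x11\xe0": "ole",  # legacy doc/xls/ppt
}


@dataclass
class Attachment:
    filename: str
    head: bytes  # first bytes of the file content, used for type sniffing


@dataclass
class Message:
    sender: str
    attachments: List[Attachment]


@dataclass
class Verdict:
    quarantine: bool               # hard indicator found: hold the message
    review: bool                   # unsolicited sender: open only in an isolated viewer
    reasons: List[str] = field(default_factory=list)


def _sniff(head: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def screen_attachment(att: Attachment) -> List[str]:
    """Return human-readable reasons this attachment should be quarantined ([] if clean)."""
    reasons = []
    parts = [p.strip() for p in att.filename.lower().split(".")]  # strip padding spaces
    exts = parts[1:]
    final = exts[-1] if exts else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"{att.filename}: executable extension .{final}")
    if final in MACRO_OFFICE_EXTS:
        reasons.append(f"{att.filename}: macro-enabled Office document")
    # "cv.pdf.exe": a document-looking name whose real extension is something else
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and final not in DOCUMENT_EXTS:
        reasons.append(f"{att.filename}: double extension disguised as a document")
    # Name says document, bytes say Windows executable
    if final in DOCUMENT_EXTS and _sniff(att.head) == "exe":
        reasons.append(f"{att.filename}: content is a Windows executable despite the .{final} name")
    return reasons


def screen_message(msg: Message, known_contacts: Set[str]) -> Verdict:
    """Quarantine on any hard indicator; flag unsolicited senders with attachments for review."""
    technical = []
    for att in msg.attachments:
        technical.extend(screen_attachment(att))
    unsolicited = msg.sender.lower() not in known_contacts and bool(msg.attachments)
    reasons = list(technical)
    if unsolicited:
        reasons.append(f"sender {msg.sender} is not a known contact; open attachments only in an isolated viewer")
    return Verdict(quarantine=bool(technical), review=unsolicited, reasons=reasons)


# Constructed sample traffic: one expected CV, then four unsolicited ones.
KNOWN_CONTACTS = {"recruiter@partner.example"}
SAMPLES = [
    Message("recruiter@partner.example", [Attachment("cv.pdf", b"%PDF-1.7\n")]),
    Message("someone@unknown.example", [Attachment("cv.pdf.exe", b"MZ\x90\x00\x03")]),
    Message("someone@unknown.example", [Attachment("resume.docm", b"PK\x03\x04")]),
    Message("someone@unknown.example", [Attachment("cv.pdf", b"MZ\x90\x00\x03")]),
    Message("someone@unknown.example", [Attachment("cv.docx", b"PK\x03\x04")]),
]


def run_samples() -> List[Verdict]:
    return [screen_message(m, KNOWN_CONTACTS) for m in SAMPLES]


if __name__ == "__main__":
    for msg, verdict in zip(SAMPLES, run_samples()):
        state = "QUARANTINE" if verdict.quarantine else ("REVIEW" if verdict.review else "clean")
        print(f"{msg.sender:28s} {state:10s} {'; '.join(verdict.reasons)}")
```

The first sample (a known recruiter sending a real PDF) passes; the plain `cv.docx` from an unknown sender is not blocked but is routed for review, which matches the article's point that the risky step is the human one of opening an unexpected file. The magic-byte check matters because a gateway that trusts only the file name would wave through an executable renamed to `.pdf`.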