Robust cyber shield needed
Survey finds only 30 per cent of enterprises have sound encryption strategy
DUBAI — Having your company’s IT department be solely in charge of cyber-security isn’t enough anymore, as hackers are well aware of the vulnerabilities that an under-educated staff will offer them, experts at the fourth Gulf Information Security Expo and Conference (Gisec) said.
They further stressed that plans to protect against cybersecurity threats should be shared as an agenda across the whole organisation and be made a top-level priority in the boardroom. Recent statistics show that the cost to the world economy due to cybercrime in 2016 stood at $650 billion and may cross the $1 trillion mark by 2020. In light of the recent ransomware attacks that left many businesses across the world reeling, one of the ways that organisations can protect their data is through encryption.
Speaking to Khaleej Times at the exhibition, Philip Schreiber, regional sales director for Thales e-Security in the Measa region, highlighted the findings of a recent survey and said that only 30 per cent of respondents in the Middle East have a comprehensive encryption strategy — a number that stands in marked contrast to the global rate of 41 per cent. Today, more than ever, a business-led cyber-security strategy that spans across the whole enterprise is needed to tackle the growing threats that organisations face, he said.
“As businesses the world over increasingly turn to cloud services, we’re seeing a rapid rise in sensitive or confidential data being transferred to the cloud and yet in the Middle East less than a third of respondents had an overall, consistently applied encryption strategy. Encryption is now widely accepted as best practice for securing data and a good encryption strategy depends on well-implemented encryption and proper key management,” Schreiber said.
Thales’ 2017 Middle East Encryption Trends report found that 42 per cent of Middle East respondents perform encryption on their premises prior to sending data to the cloud. However, only 37 per cent of Middle East respondents are willing to turn over complete control of keys and encryption processes to cloud providers. The top drivers for encryption are IP protection and the protection of customer information. This is in contrast to the global data where compliance is, and historically always has been, the top driver for encryption. In the Middle East, compliance ranked fifth on the list at 28 per cent, as compared to the global average of 55 per cent.
Mohammed Abukhater, regional sales director for the Mena region at FireEye, noted that when it comes to attack trends today, there is a much higher degree of sophistication than ever before. Financial attackers have improved their tactics to the point where they have become difficult to detect and challenging to investigate and remediate.
An attacker that is harder to detect, investigate and remediate is inherently more likely to remain in an environment to accomplish their mission, which means the theft of greater volumes of financial information. Experts have estimated that the average cost of a data leak to the information owner is around $5.3 million.
FireEye’s M-Trends 2017 Report observed a rise in financial crime in Europe and the Middle East. Less security-mature financial services organisations are a top target for sophisticated cyber criminals with experience attempting to breach some of the world’s largest, most secure conglomerates. Cybercriminals have turned to leveraging vulnerable financial messaging systems in the region.
“Maturity can mean that the fallout and damages from attacks can be minimised,” Abukhater said.
“The concept of protection against attacks is no more the responsibility of one department in an organisation; today, you need to focus on three pillars. These include training your employees for such threats, investing in the latest technologies and intelligence, and finally having a proper process in place to handle the threat.”
Speaking on the damage recently left by the WannaCry ransomware attack, Warren Mercer, security researcher at Cisco Talos, said that ransomware is going to continue to be a “massive problem” in the coming years, simply because of the financial gains involved. More concerning, however, is the fact that the attack was self-propagating and didn’t involve the use of any advanced infrastructure, he said.
“We will also continue to see DDoS [distributed denial of service] for financial motivation.”
When it comes to protection, there is still a skills shortage in the region’s cyber-security industry that needs to be addressed. “People have to understand that not every company can hire every single security person and infrastructure to defend themselves against such sophisticated attacks. Employee education is one of the strongest defences that companies will need to look into in the coming months. You need them to be aware of how to look out for phishing and spear phishing attacks lest they click on a link and allow criminals access to sensitive information.”