The Way Forward
By Computer News Middle East
When it comes to security, it seems everyone’s in a state of perpetual panic. Whether it’s mobile malware, BYOD or hacktivism, over the course of 2013 the issue of protecting valuable information and resisting attack has inspired a dizzying and persistent challenge. Businesses have a wide array of concerns that need constant monitoring; negligence and denial of these issues can result in dire consequences.
Only two years ago, Dutch certificate authority DigiNotar was the victim of a security breach, which resulted in the fraudulent issuing of certificates. The Dutch government took over operational management of DigiNotar’s systems, but within a month, the company was declared bankrupt. While nobody has been charged with the break-in and compromise of the certficates, it has been suggested the NSA were responsible for the attack. The DigiNotar case demonstrates some of the worst possible consequences of a security breach, but the events and trends of 2013 have only sharpened industry eyes.
2013 has seen the importance of a plethora of issues increase. Cisco’s 2013 Annual Security Report reveals that the highest concentration of online security threats come from legitimate destinations visited by mass audiences, such as major search engines, retail sites and social media outlets.
Meanwhile, mobile malware is an ever-present thorn-in-the-side of Android users, and small businesses who cannot afford to implement solutions are the victim of 31% of targeted malware attacks.
Add the so-called ‘Internet of Everything’ and cloud computing trust issues, and CIOs region-wide have a lot on their plate.
Etisalat’s Abdulla Hashim, Senior VP, ICT, Etisalat UAE, is keen to highlight the wide-reaching implications of security infrastructure from the top level, “The threat landscape in the UAE is very dynamic and DDoS attacks, threats on finance and banking institutions, government bodies and oil producing companies and hactivism are some of the biggest problems that all organisations have to prepare against,” he said. “These issues can have a wide-reaching knock-on effect and need to be taken very seriously. Holding the record for the highest global smartphone penetration also brings with it its own set of problems and organisations have to battle the growth of mobile malware.”
Along with all the panic, it’s only inevitable that businesses will crank up their investments in security. According to a report by Gartner, the security technology and services market is forecast to reach $67.2 billion in 2013, up 8.7 percent from $61.8 billion in 2012, and is expected to grow to more than $86 billion in 2016.
Industry leaders don’t seem to be in any disagreement that the market is increasing – particularly in the Middle East – but opinion varies slightly as to which solutions will benefit most. Mobile networking security seems to be a key talking point, however.
Alaa Abdulnabi, Regional Pre-Sales Manager, Turkey Emerging Africa and Middle East, RSA, believes the network security should take top priority, “The security market has continued to witness significant growth over the last year, driven by a growing awareness of the need for advanced security solutions in the face of rapidly evolving cyber criminals and ever-expansive modes of attack. Perhaps the most notable increase has been on the mobile device and network security end of things.”
An unavoidable issue in the security world is that of employees’ personal mobile devices. Bring Your Own Device (BYOD) culture is a neck ache for CIOs, with business critical data at risk of exposure once it has left the workplace on the employee’s personal device.
What’s more, with 85 percent of employees in the Middle East and Africa able to use company-issued computers for personal reasons, controlling the environment in which the device is used is more-or-less impossible. “Employees entering the workforce freely mix personal and business activity in the workplace, with the average number of connected devices per worker projected to grow from 2.8 in 2012 to a 3.3 in 2014, according to our Internet Business Solutions Group,” said Osama Al-Zoubi, Senior Manager, Systems Engineering, Cisco, Kingdom of Saudi Arabia. In spite of this, only 50 percent of companies in the region have established a BYOD policy for their employees.
“The challenge that CIOs face is to implement flexible, user-friendly policies,” Al-Zoubi said. “As attacks become increasingly complex, companies are more vulnerable every day. Existing security solutions are largely focused on protecting the physical infrastructure. But new architecture needs to be sophisticated enough to be separate from the physical infrastructure, enabling security solutions for devices connecting to the public Internet anywhere around the world and at any time.”
In line with the issue of BYOD is that of mobile malware. Android malware encounters grew by 2,577 percent over 2012, and 99.9% of attacks on mobile platforms target Android OS, according to Kaspersky Lab.
Nicolai Solling, Director of Technology Services, Help AG feels mobile malware should not put people off embracing other trends “We will no doubt see new and more sophisticated attacks on mobile platforms. But this should not deter customers from supporting BYOD,” he said. “There are a number of solutions available in the market that offer comprehensive mobile security and management making smartphones a secure device for employee productivity.”
The eye-opening intrusion of NSA’s Prism software is certain to shape 2014, particularly in the cloud computing realm. The Information Technology and Innovation Foundation estimates that U.S cloud companies could lose up to $35billion as a result, and Solling is in no doubt that a stock-take is required by organisations worldwide “While 2013 was heralded as the year of the cloud – although how much of this was talk and how much was actual implementation is still up for debate – the NSA revelations have no doubt knocked some of the wind out of the sails of cloud computing proponents. With data security a key concern for organisations, storing sensitive information on third party servers – with the lingering worry about it being viewed by prying government eyes – is a very real concern that has forced many organisations to reassess their cloud ambitions.”
It seems security vendors in the Middle East can look forward to some decent business in 2014. According to the annual Internet Security Threat Report, the UAE ranks 40th in the globe for overall security threat profile (46th in 2011), and considering it is viewed as a leader in the Middle East, the region certainly has some catching up to do. This lack of development could leave it vulnerable to a variety of high-profile attacks, says Khalid Abu Baker, Managing Director, Kaspersky Lab Middle East, “The world is hyper-connected, and once a malware genie is out of the bottle it cannot be put back. It will attack computers in MENA, in Europe, South America – basically every computer having a similar OS, software and vulnerabilities as the initial victim. So the above-mentioned trends would have the same effects in the Middle East that they would have anywhere else in the world.
“While we can certainly expect cyber-criminal activity targeted at the Middle East to continue to increase, we can also expect a significant increase in user awareness and associated security investments. Already we are witnessing governments and enterprises in this region begin to invest significant funds in securing their networks, we are also seeing governments enforce stringent compliance requirements as far as information security is concerned.”
In spite of the need for development in the region, the general consensus is that this weakness equally presents an excellent opportunity for vendors, and a chance for CIOs to implement the best-quality solution that is appropriate to their enterprise. This translates as a clear, coherent strategy, according to Niraj Mathur, Security Practice Manager, Gulf Business Machines, “Organisations need a security strategy to combat challenges. They need a focused approach and dedicated teams to address the various challenges,” he said. “The first step to implementing a security strategy is identifying and defining the risk in the organization, and then putting controls to mitigate the risk prevalent for their organisation,”
Symantec’s Amer Chebaro, Manager, Technology Sales & Services, Middle East, sees a clear correlation in investment, “If you assume you are a potential target and improve your defences against the most serious threats, you will automatically improve your protection against other threats.”
With all the question marks surrounding security and investment, the buck has to stop somewhere. So who eactly should shoulder the burden of educating employees about all the security threats that a company faces? This question seems to divide opinion. In the red corner we have Mahmoud, Nimer, General Manager, StarLink, who sees CIOs as chiefly responsible, “It is absolutely the duty of the CIO, if you look at the current spending for IT security across the industry, other than achieving compliance and addressing next-generation threat protection, the third highest spend is on security awareness creation. Without proper employee education the impact of the growing number of threats will become far worse and almost all modern day threats leverage on social engineering taking advantage of ignorance and lack of understanding.”
Abu Baker disagrees, “Education is not the sole responsibility of the CIO but is a joint effort between all the business leaders who need to work together to define and execute the right security policies. While the CIO is no doubt responsible for investing in the right technologies to protect the enterprise network, he cannot deploy these solutions effectively without the proper buy-in from senior management and a stringent security policy to ensure employees understand the consequences of their actions and are held accountable for misconduct.”
Symantec’s Chebaro believes that it should be controlled top-down, “Cyber security has become a board level discussion, and it is vital that organisations implement policies and programmes to educate employees and create awareness about the potential threats that they are exposed to.”
However, one issue that unites leaders is that of education of employees, and of consistent policies. All agree that policies must be made clear to their staff, with nothing left to chance in this respect.
RSA’s Abdulnabi made this absolutely clear, “It is important for them to realise the need for intelligent security that go beyond traditional signature based technologies to enable them not just to mitigate the risks of an attack but help them to identity and spot “unusual” patterns and user behaviour to undertake preventive action even before the attack actually happens.
“CIOs today need transformational security monitoring and investigative solutions designed to help organizations defend their digital assets against today’s most sophisticated internal and external threats. Any intelligence-driven security program must begin with a comprehensive understanding of risk facing the organisation.”