A grassroots-level campaign on information security is underway in the country. The UAE Information Security Awareness Committee (ISA), the main body for all awareness activities in the UAE, foresees widespread threats with more mobile services and the government opting for smart transactions. The biggest threat comes from lack of awareness; data leakage is also a major concern, says Ali Alamadi, who chairs the ISA Committee and is also Manager of Strategic Consulting at Help AG.
What are the larger and immediate goals of the UAE Information Security Awareness Committee?
The committee consists of members from different sectors including, but not limited to, academic, private, public, government, and semi-government. The committee also consists of information security students. Working groups will also develop standards, guidelines and best practices for effective implementation of information security awareness programmes or workshops. Committee members have selected 15 awareness projects for 2014 targeting different society groups in the UAE.
Our mission is to establish leadership in the development of security awareness campaigns and establishment of a security aware nation. Other goals include protecting information assets; developing security awareness standards and guidelines; providing information awareness training and implementing effective information security awareness programmes.
What are the segments of society it is targeting? Will you take it to schools, colleges, government and public sector firms?
Our aim is to target all sectors and individuals, including schools, colleges, banks, government, semi-government, private and public sectors.
With a society that relies increasingly on smart devices, how effective can such campaigns be, even as hackers and cyber criminals are finding new ways to breach systems?
With new technologies come new vulnerabilities. These campaigns will include risks related to smart devices as the UAE government is transforming into a smart government. This helps reduce the risks of errors, negligent use of IT and social engineering. This needs to be supported by a set of technical security controls which need to be identified individually based on the risk situation. Technical information security controls are not part of the ISA Committee programme.
How many companies are on board this committee and are government departments committed to the idea?
So far, there are the Abu Dhabi and Dubai governments, universities and private companies that are members of the ISO Committee. In all, there are about 20 organisations. The feedback received from all entities and individuals has been very positive and everyone is committed to making a difference by participating in the projects.
How safe is the UAE’s electronic infrastructure? Are different sectors prepared for cyber breaches?
The UAE has issued a set of local standards (ADSIC V2, ISR and UAE IA); the implementation of these standards will help improve information security, as well as the use of international standards, such as ISO/IEC 27001. It is up to organisations to make use of all these facilities and to implement information security based on their risk situation.
What’s the biggest immediate cyber security threat you envision? Are people and companies aware of cyber security tools, software and products?
The biggest threat comes from lack of awareness of technology users. There have been many attacks targeting individuals and organisations that use human vulnerability to initiate an attack. The most common attacks include social engineering and phishing, and the biggest threat we envision is data leakage. The awareness of IT staff in organisations about cyber security tools, software and solutions has increased; however, there is still a lack of awareness among other users and even some individuals from top management.
Are pirated security products affecting the efficacy of dealing with cyber threats?
Pirated security products are still an issue; however, the government and law enforcement are taking many initiatives to minimise the use of pirated software. Through the ISA committee, individuals will be educated on the threats and risks of using pirated security products.
Software vendors too are becoming more efficient at combating piracy. More vendors are choosing to deliver their software applications entirely over the web, and offer a limited free version, or a full version, which is subscription based — all through the access of a web-browser.
In the future, we may even see subscription models where you buy access per hour, day or week.
As we have a Netflix for TV and movies, we can easily foresee that we will have the same for games and applications in the future. Another piece of good news is that the trend is quite flat. It is assumed by BSA Software Alliance that the value of pirated software is approximately $63 billion. This number is no doubt a staggering amount, but it has been flat since 2010.
What about costs? Will cyber security firms bring down costs for cyber protection through this initiative?
All activities of the ISA Committee are free and people can benefit from them; security products obviously have their costs and any organisation should identify the need for such products based on the information security risks they are facing. Organisations should also clearly calculate the return on investment for the management.
How closely are you working with the government for setting standards/security protocols?
The ISA Committee includes members of UAE government departments that issue standards to improve cyber security, and the overall increase of information security awareness. Help AG has provided consulting services for implementing the new version of the Abu Dhabi Systems and Information Centre standard and the information security regulation from Dubai Smart Government as well as the National Electronic Security Authority and the National Emergency Crisis and Disaster Management Authority standards.