Out-Law Analysis | 01 Jun 2015 | 10:12 am | 2 min. read
Many Middle East businesses are failing to do enough to plug gaps in their security and prepare themselves for when hackers almost inevitably breach their defences and gain access to their systems and data.
Too many companies place their faith in preventative automated security tools and believe that new cyber security initiatives in the region on their own provide them with adequate protection from cyber criminals.
A fundamental change in attitude and approach is required to ensure businesses address cyber threats as a community and not merely on an individual basis. Companies should form an industry-wide, international group through which information on cyber risks and best practice protections and incident responses can be collated and shared. This would improve actions and responses to threats dramatically.
Although this type of information sharing could prove challenging if organisations are in competition, security firms such as Cyberpoint have developed software which allow anonymous and non-attributable reports to be sent to their collaboration forum. This can be used to produce actionable alerts to all other members who are connected.
Companies have to accept that tackling cyber risks is complex and will remain a continuous and ongoing process. The responsibility to fight cyber crime cannot be left to governments alone, although government-led cyber security initiatives in recent years in the Middle East are welcome.
Regional legislation such as the UAE’s Law No. 5 of 2012 combating IT crimes, Saudi Arabia’s Anti-Cyber Crime Law, Oman’s Cyber Crime Law and Iran’s Computer Crimes Law, is helping to combat and deter the growing threat of cyber crime.
In Qatar, the government last September set out a new cyber crime prevention law that is aimed at safeguarding the country’s technological infrastructure and strengthening cyber security within Qatar. Qatar’s Ministry of Information and Communications Technology has set up the Qatar Computer Emergency Response Team (Q-CERT), an agency tasked with identifying major cyber threats and tackling them before they cause harm to individuals, companies, or public bodies. Q-CERT aims at being the first responder to critical cyber incidents at the national level and in any of the critical sectors.
However, the time for businesses to do more to help themselves has now arrived. The need for greater information sharing is prompted by the spectacular growth in internet connectivity in some countries in the region, such as Qatar, and increasingly high levels of smart device adoption in the Middle East and. A Middle East ICT security study undertaken by Cisco found that there will be 598 million smart devices in use in the Middle East by 2018, up from 133m predicted for 2015.
Increased connectivity and internet-enabled devices pose new and increasingly sophisticated risks to cyber security.
The security incident experienced by Saudi Aramco, the world's largest oil producer, in 2013 shows what can happen if hackers breach security measures in place. In that attack, data from over 30,000 of the company's machines was deleted. The same malicious software was reportedly the cause of a cyber attack that caused the computer systems and website of Qatar's RasGas to shut down.
Businesses might believe they are protected from cyber crimes, but security software companies face a battle in producing software that can protect systems and data as technology changes and methods of attack evolve. There is an ever widening gap between the actual enhancements of information security, and the enhancements required based on the accelerating threat levels. By engaging in information sharing forums, Middle East businesses can help to close this gap.