This article is available in Arabic.
In a world that’s becoming more and more data driven, where companies are migrating their systems, processes, networks and data to third-party managed clouds, cyberattacks are becoming increasingly intricate, more imminent and constitute a serious threat to the very existence of organizations.
According to the World Economic Forum, globally in 2021, 1 out of every 61 organizations was being impacted by ransomware each week. According to Forbes, Government, Manufacturing, Services, Education and Healthcare have constituted the industries most targeted for ransomware attacks.
Global initiatives are being called for and set in place to fight cybercrime and establish an efficient cybersecurity response. Laws, such as the GDPR (General Data Protection Regulation) and the DPA (Data Protection Act) incite organizations to strengthen their cybersecurity infrastructures and protect their data from possible breaches.
In the Middle East, and according to The National News, “Malware attacks in Middle East jump 17% to 161 million in first half of 2021, as the region has become a target for cyber criminals amid a rise in remote working and rapid digital transformation.” Amongst the targeted organizations is Saudi Arabia’s Aramco, where files were leaked and hackers demanded a 50 million dollars ransom.
This issue has become a major concern for leaders across the region, who view cyberattacks as a major threat to their organization’s security and growth. This threat has particularly increased during the pandemic, when people started working remotely, hence accessing everything online and creating weak links within the organization’s system. What’s worth noting, is that remote work is here to stay as people do not seem to be ready to go back to a pre-pandemic work model.
As cyberattacks attempts are set to grow, especially in countries like Saudi Arabia, Kuwait, the United Arab Emirates and Qatar, who are at the forefront of digital transformation, CEOs must tread cybersecurity on multiple levels.
1. Taking preventive measures to prepare for possible threats
According to Toni Azzi, General Manager at Mindware, “preventive measures are crucial in each and every organisation. However we believe that current threat and risk levels have pushed each organisation to define its cybersecurity strategy. This topic became, in the last couple of year, a major one and has taken a solid spot in the CEOs agenda. On top of the Chief Information Officer and/or Chief Security Officer direct responsibility in devising, launching and implementing the right cybersecurity strategy, we can see nowadays direct involvement of all the C-level executives, especially both CEOs and CFOs as no one can afford to take any risk of such organisational threat.”
Nabil Boudiab, Director of Services at RACKS24, explains that “the concept of the traditional perimeter security is not efficient today because data no longer resides inside the company – it is dispersed on the cloud and on user devices, especially that employees are now working remotely so they tend to save things locally for multiple reasons.”
“The points that need to be secured now are the cloud, social media footprint, mobile devices, connectivity laptops and touchpoints – and authentication alone is no longer sufficient. When employees remotely access company resources, are they the ones authenticating to have access? Are their devices secure enough to access the data? If security isn’t properly deployed at the hardware and connection levels, authentication is pretty much useless, because cybercrimes allow for hackers to access users devices, then wait for them to use authentication to steal their information. And the consequences of a security breach can range from penalties to the GDPR, to a negative company reputation, loss of customers and even the risk of going bankrupt” continues Boudiab.
Khalil Rizkallah, Chief Executive Officer at kloudr, states that “every organization should have a cybersecurity strategy implemented to prevent threats that could lead to the leak or loss of data. Preventive measures should be taken on the infrastructure level by applying the proper firewalls rules, remote access procedures and password policies, and on the application level by tightening the security in the development stage, applying security patches, and enabling Web Application Firewalls. Penetration testing by a certified third-party vendor also enables to detect any anomalies in the setup on all levels.”
2. Working closely with HR to educate employees
“The human resources department has a pivotal role in the cybersecurity strategy of the company. Each employee, in any department and at any level, with the lack of awareness can be, intentionally or unintentionally, a major threat to the company as long as they are connected whether from home or office, through any of their devices” explains Azzi.
According to Maroun Fadel, Managing Partner at Aikon Solution “information is a valuable strategic asset to many organisations, and helps us to make better decisions. The more significant the decisions we make, the more value we place on information supporting the decision. Having confidentiality, integrity and availability of information can mean that organisations have the insight to make better, well-informed decisions. Hence the organisations should operate a consistent mechanism to identify and rate risk across the organisation based on potential likelihood and impact. The approach should apply across all business activities. All business critical information assets should be assigned an information asset owner, to be responsible for the safeguarding of that asset.”
Boudiab states that companies need to look first and foremost into hiring a seasoned CISO who can impose security policies on every level. “These policies should not impede the company’s work, but rather be established as a culture. The chief security officer should then liaise with HR to properly train employees on the importance of security. If this is not done, there will be what we call “shadow IT”, which constitutes a major threat to the company, because then it will have no control over its IT or security.”
Rizkallah adds that “internal cybersecurity threats can arise from careless or uninformed employees as well as current or previous employees with malicious intents. It will be particularly troubling if it involves someone who is trusted or with privileged access rights. It is therefore really important to work internally with HR to make sure all employees are properly educated and aware of cybersecurity threats and to make sure that current employees are provided with the right privilege or access, and all access is completely stopped for previous employees.”
“Nowadays, with the mobility that technology has facilitated to the workforce, enabling each member of the team to access data, edit, review, perform transactions and extract any report through any device (laptop, tablet, phone, connected TV, etc.), each employee will be creating an additional frontier for the organisation against the external risky world. Continuous training and awareness sessions along with on-going communication on all levels should take place to avoid putting the company at risk”, states Azzi.
3. Consolidating regional and global collaborations to counter the attacks
Fadel explains that the mission of any regional collaborations should be to counter cybercrime and to resolve cybersecurity issues. This is done by creating a safer and cooperative regional cybersecurity environment, and strengthening the role of ITU in building confidence and security in the use of information and communication technologies. The initiative should be based on developing regional and/or global information security frameworks and policies and provide consolidation centres for member states to manage these programs and initiatives, including their strategy and governance.
Many associations were launched to support companies and to secure their continuity despite existing risks and threats in the market, states Azzi. He explains that “on the governmental side, many laws and regulations took place. However we believe there is still a lack on the regional and global levels to support such initiatives and protect the companies and therefore the economies from such risks. Governments must be more proactive in such areas, take both protective and corrective measures, launch awareness initiatives, issue laws and most importantly be firm in fighting cyberattacks.”
4. Selecting the right partners for the organization
According to Boudiab, CEOs now run background checks on companies they want to work with because how these companies run their security policies affects their decision. It’s no longer about assessing the technological play only – they need to investigate their third and fourth party providers as security needs to happen on the entire supply chain.
Azzi explains that selecting the right partner to develop, plan and execute the cybersecurity strategy in the organisation is crucial. Companies must look into the profile of the consultants, experience, certifications and best practices. Selecting the right systems to implement, involving key people, conducting trainings and awareness sessions and communicating clearly and concisely are key success factors in the project.
“Now companies need to look at what’s happening outside their perimeters and monitor that, because these are the weakest links that need protection”, states Boudiab.
5. Building a knowledge exchange system between organizations to benefit collective data and resources sharing
According to Fadel, “countries and government entities should implement an awareness plan and secured cyber-environment for both the private and public communities. It should be one of the e-government initiatives to help and build trust in using online services.
The strategy of the government authorities is to develop information security strategies and policies to preserve the community’s online existence. Awareness must include technical recommendations in order to prevent them from being attacked.
Azzi states that “sharing information and replicating best practices between organisations is very important. However, it is still limited due to the confidentiality and sensitivity of information and data.”
Fadel concludes by stating that the aim of the government responsibility should be to provide a safe cyberspace for citizens, to enable smooth and secure knowledge transfer and to raise awareness about the importance of cybersecurity among the society.
He equally stresses on the importance of strengthening cooperation between governmental and private institutions, and law enforcement institutions to address security incidents.
“Raising awareness around the mechanisms and procedures used to deal with cyber risks and threats is essential during the pandemic, because cybercriminals will target first and foremost remote workers”, Fadel adds. “It is instrumental for Middle Eastern governments to assist private and public organizations in implementing proper systems that will prevent data breaches and cybercrimes, in alignment with international standards.”