Moving into cyberspace has done wonders for increasing the speed and ease of many work and communication processes. Yet it has done nothing for changing basic patterns of human behavior — wealth and success attract online crime like mead attracts flies; and the Middle East’s high profile as a rare hub for economic boom in a world full of gloom speaks to both qualities: wealth and success.
“The Gulf represents a prime target for individuals, organizations and nations conducting cyber espionage. Now is an opportune time for [governments of the Gulf Cooperation Council] and the companies operating in the region to take pre-emptive measures against a new and growing threat,” warns Roger Cressey, a senior vice president at consultants Booz Allen Hamilton (BAH) and a noted expert on counterterrorism and cyber security.
The region’s vibrant economic environment means that there are many company formations and expansion projects along with the rapidly growing embrace of social media by companies and individuals. This translates into huge demand for information and communications technology (ICT) in the GCC. According to a five-year research by Markaz, the Kuwaiti Financial Centre, the GCC will spend on average $64 billion every year on ICT products and services until 2015.
Such a rate of growth and overall ICT investment create a double “downstream market opportunity” for the cyber sphere’s powers of light and darkness, where on the one hand security experts can sell their solutions but on the other hand cyber criminals are drawn to assault governmental and corporate networks with increasing attempts to steal their secrets.
“Across the Gulf, the cyber espionage threat poses serious long-term consequences to company profitability and competitiveness, and national security,” Cressey says. “The region’s strong energy and financial sectors are particularly vulnerable, as witnessed by recent cyber-attacks in the GCC.”
Regional companies’ desirability and vulnerability to cyber criminals has been exposed in high-profile hacking attacks on oil and gas majors Aramco in Saudi Arabia and RasGas in Qatar that caused many millions of dollars in damages this summer. These incidents, coupled with other cases, such as the hijacking at Al-Jazeera news network and the alleged attempt to take over the Saudi and United Arab Emirates stock exchanges, are a wake-up call, industry experts say.
Cyber-security
Investments in security software and appliances have been on the rise globally, with one assessment, by research firm RNCOS, putting the increase at 25 percent compounded annual growth rate (CAGR) for the period of 2010 to 2013. Research by consulting firm Frost & Sullivan (F&S) sees the CAGR of spending in the network security market at 18.31 percent for 2012-2018. For the GCC-wide expenditure in this sector, the implication is an increase from currently around $340 million to nearly $1 billion in 2018.
Cyber attacks, and damage incurred from these intrusions to companies in the Middle East and North Africa (MENA), are not always reported. “The high profile attacks have made people here more aware of the risk to your image and costs if customer [information] is lost, for example. However, a lot of attacks are not being reported for the same reason,” F&S Director — ICT Practice MENA Andy Baul-Lewis tells Executive.
Organized crime, motivated by the prospect of illicit financial gain, is a main source of cyber attacks, according to F&S. The stakes to be gained from stealing valuable data or from harming companies are so high that threats to Arab companies can include foreign governments, unscrupulous competitors or disgruntled employees and even ideologically driven enemies within.
The use of malware has become a more pertinent issue, as today’s hackers share their knowledge in web forums. According to F&S, criminals go for corporate secrets as much as private data, mainly banking related, when planning an attack. F&S projects the use of malware will grow tenfold over the next three years to just under 2.5 million incidents. This would lead to the cost of detection, containment and recovery of advanced persistent threats increasing 20 percent annually to $9.2 billion in 2014.
“Until you’ve been attacked you don’t know what damage it causes,” says Baul-Lewis. “The truth is that even when an attempted attack is thwarted, criminals persevere until they achieve their goal. Many organizations are investing in the front-line of protection but there isn’t enough awareness at the back-end; more employee education is required.
BAH’s Cressey points out that publicized cyber attacks originating in the Middle East and targeting Western organizations can create a false impression that governments and organizations in the Middle East are not a target.
“This could not be further from the truth. Key targets include the information-technology, oil and gas, defense and pharmaceutical industries. Virtually every organization inside and outside government with valuable intellectual property is now a likely target for cyber-attack,” he explains.
On top of that, the price of even normal growth can entail punishing risks to companies in a region where public and private sectors are racing ahead in adopting new ICT at uneven speeds. “Technological infrastructure doesn’t always keep pace with change. Internet outages and power supply, along with security threats, can be a problem in the GCC,” says Pierre Havenga, managing director for Emerson Network Power Systems MENA.
According to research cited by him, an outage can cost an organization an average of about $5,000 per minute, or $300,000 in just an hour. “For a business under pressure in this region, that could be the difference between survival and extinction,” he adds. Network Power is one of five business divisions of United States-based engineering and technology company Emerson, which is investing $33 million into an ongoing expansion of its regional hub in Dubai’s Jebel Ali Free Zone, or JAFZA. The corporation sees the Middle East as a growth driver and Network Power just signed an agreement with a regional distributor to boost its reach to small and medium-sized businesses in MENA.
But within the menagerie of their many ICT trials, regional companies have to contend more than ever with security challenges that range from confrontation with the never-before-seen to the dangers of complacency. Fortinet, a US-based network security company that serves Arab markets from a Dubai office, warns that certification according the International Standards Organization can lull companies into false perceptions of doing enough.
“Awareness has grown but a significant amount of customers in all economic sectors think they are covered when they are not because security is a continuous cycle. They don’t do the necessary check ups throughout the year and when the ISO renewal comes around they go into panic mode when [the check ups] should be a way of life,” says Bashar Bashaireh, regional director, Middle East, at Fortinet.
Head in the cloud
In dealing with their ICT needs, the cloud has been presented to the corporate world, and increasingly to small and medium businesses, as the best-ever advancement for improving their ICT performance and lowering costs. Optimists and companies providing services that are grouped under cloud computing in the Middle East have also argued that the cloud is a new rampart available in the defense against cyber criminals, because clients who concentrate data in the highly specialized hands of the cloud operators benefit from their constant security efforts.
However, the cloud has already seen its big security breaches and new cloud applications with wider integration options spell new risks. Increased security concerns loom for companies who follow the trend of empowering staff to “bring your own device” (BYOD). Under the BYOD approach, employees use their smartphones and tablets in work environments, but the larger number of devices and diverse usages constitute a risk that was highlighted by 14 percent of users in the Middle East admitting that their knowledge of online threats is only “in general terms”.
A BYOD policy could help a company optimize investment in hardware, but with a trade-off in higher technical cost to control security of devices and data, says Nicolai Solling, director of technology services at help AG, an IT security consultancy that is active in the GCC since 2004.
“I meet too many organizations that think that a simple investment in hardware and software will be the silver bullet for keeping them secure,” he says. “Of course the right technology is important, but you also need to have the governance for control of your users; without it you will never be able to create a secure information environment no matter how much money you spend.”
According to F&S research, corporations’ focus in terms of securing themselves is mostly on buying IT technologies (36 percent) to cover their backs, followed by compliance (27 percent) and business continuity (21 percent); only 6 percent of their attention is given to creating more awareness about security.
But it is not only corporations that need to be more alert. Cressey holds vendors equally responsible for weaknesses in the protective umbrellas. “Effective cyber strength is critical to the growth and sustainable prosperity of the UAE and the GCC countries. Most GCC-based organizations do take the cyber security threat seriously, but spending on protection can often be driven by what the vendor promises, not what the organization really needs,” he says.
