Cybersecurity concerns: Is the GCC well protected?

In 2019 alone, the GCC was hit by more than 5.5 million malware attacks, according to a report released in March by cybersecurity expert Trend Micro.

Malware refers to a broad group of malicious programmes which affect day-to-day computer and internet usage, including coding for bugs, bots spyware, adware and digital worms. However, much more prevalent over the same time period were ransomware attacks across the region. Trend Micro highlighted a 10 per cent increase of ransomware attacks across the GCC, with the cybersecurity solutions company reportedly blocking over 61 million ransomware attacks over the time period.

“Despite the prevalent ideals of digital transformation, the lack of basic security hygiene, legacy systems with outdated operating systems and unpatched vulnerabilities are still a reality,” according to Moataz Bin Ali, vice president, Trend Micro, Middle East and North Africa.

“As long as the ransom scheme continues to be profitable, criminals will continue to leverage them,” he explained.

Indeed, although these figures may seem high, they fit with the global outlook: “The Middle East is like any other developed region. More often than not they are not getting the basics right, partly due to complex products and difficult management tools for midsize IT departments to handle,” states Harish Chib, vice president, Middle East and Africa, for cybersecurity company Sophos.

“IT security remains a highly challenging and complex area for organisations across the globe including those in the Middle East. This has been fuelled by the ever-increasing complexity of malware attacks and the financial incentives for attackers. The gap is growing between the knowledge and skills of the attackers, particularly around the areas of ransomware and exploits, and that of the IT professionals charged with stopping them. Cybercrime is a big business and is well-funded – criminals don’t need to be IT experts in order to be successful. Toolkits with support services can be bought on the dark web, as well as ransomware, which is marketed on the dark web by enterprising cybercriminals who sell kits complete with technical support and other options.”

In recent years, the cyber landscape has exploded in terms of connectivity, from e-commerce to the Internet of Things (IoT) and cloud-based applications. This has gained particular traction in the GCC.

“With no shortage of ambition, smart technologies and innovations can already be seen across much of the region. This is evidenced from initiatives such as numerous ‘smart city’ developments throughout the region, Bahrain’s ‘cloud first’ policy, the progression of a ‘gold-based cryptocurrency’ in the UAE, and the emergence of blockchain technology as the preferred method for transactions,” explains Jonathan Miles, head of Strategic Intelligence and Security Research at Mimecast.

“However, with these same opportunities, comes the potential for associated vulnerabilities, risks, and threats,” he continues. “The observed growth in technology paired with a concentration of wealth in the region has made it a natural target for cybercrime and malicious activity from a range of hostile actors. While technology, strategies, and processes have been put in place to combat this threat, protecting perceived weakness is still affected by a lack of skilled cybersecurity professionals in the region.”

Despite that, many cybersecurity issues fall into the same group, irrespective of national boundaries.

“Cybersecurity issues are much the same internationally. Rapid digitisation in the Middle Eastern countries has given rise to many connected devices. However, this connectivity has increased the vulnerabilities that today’s enterprising cybercriminals have enthusiastically embraced. They use a range of connected techniques in their malware attacks: a phishing email leads to an initial foot in the door, followed by a malware infection through the exploitation of a known or unknown defect, then an escalation of privileges or a lateral movement across the network to spread the infection across different devices. A single compromised device can mean your network and connectivity are held hostage or used for malicious intent. Essentially, they exploit our IT connectivity to achieve their malicious ends,” adds Chib.

Government strategy in the GCC
Governments around the world have played a key part in terms of legislating to protect businesses and individual users. However, according to Maher Jadallah, the regional director for cybersecurity firm Tenable, cyber threats are an issue which are likely to “worsen rather than lessen” over the coming years.

“The reality is that cyber risk is a business risk, which means cybersecurity is a critical business function and needs to be treated as such.

“It’s part and parcel of doing business today and getting it wrong can be extremely expensive and inconvenient. It’s not just about protecting customer data, although that’s obviously a key element, organisations also rely upon it for critical business functions,” he explains.

In the UAE, the government has focused primarily on development programmes and driving regulation.

As Jamie Lyne, the chief technology officer of SANS Institute explains: “Regulation and education are crucial to the ongoing safety and security of the region. The government’s investment in building the right talent is a key step. As the type of skills and practitioners in the region diversify with the burgeoning industry, it is important that governments continue to focus on developing youth talent, or the ‘next generation’ to secure future digital borders. The most important role the government can play is to ensure a good ecosystem of skills development within its own organisations and within the enterprise. The talent pool needs to be expanded and diversified and the government is in a unique position to target and mitigate this problem.”

How companies in the GCC can protect themselves
According to security experts, the key threats which companies in the GCC face fall into several areas, notably: making sure cybersecurity is streamlined company-wide, and ensuring staff are regularly trained and kept up-to-date regarding the anti-malware and firewall software they should be using.

“The most important thing any company can do is to ensure company-wide streamlining of data being encrypted and backed up,” explains Chib. “Backup all files regularly and keep a recent backup copy off-site.”

Another key area, he explains, is ensuring that there is a workplace culture which understands the importance of cybersecurity, from contract workers to inhouse staff.

“It’s important to take a user-centric view to company security. Anti-malware and firewall software should be something that each member of staff can easily take part in, regardless of their skill level. Make sure to simplify – complexity is the enemy of security. In the same way, companies must train all users as cybersecurity software is often a weak point within individual teams. Finally, ensure that any contractors, outsourcers or third-party partners take cybersecurity as seriously as you do at your company; an organisation’s cybersecurity is only as strong as its weakest link.”

Interestingly, according to Tenable’s security expert Jadallah, social engineering has become a key issue for companies, with employees’ social media data providing a weak spot in overall cybersecurity.

“There are numerous ways that facilitate identity thefts. Social engineering is one common method. All too often, individuals will expose intimate details in social channels – be it Facebook, Instagram, or other social media platforms that allow a threat actor to piece together key information. For example, many security questions will include mother’s maiden name, date of birth, first street or pet. Another is for an attacker to contact an individual, either by email or phone, and trick them into revealing personal information. Another is that information stolen during data breaches is pieced together. We’ve seen massive databases of compromised information published on the dark web – the most recent being 620 million stolen online accounts offered on the Dream Market cyber-souk.”

Chib also highlights that individual employee scrutiny and vigilance play a key role in company-wide protection:

“I would advise all employees, when you receive a document attachment via email, don’t enable macros [disguised as download attachments, which often look suspicious]. Microsoft, a partner of ours, deliberately turned this off as a security measure. Be cautious about unsolicited attachments, and when in doubt, don’t open them.”

To address personal security data threats, many security firms now advise using two-step programmes which require password validation through a second portal or device. “In addition to VPNs, password managers are another way for users to safeguard themselves online.

“We live in a world where the need for passwords can be in the hundreds for the average user. If an individual relies on just one or two that are reused across multiple accounts, the likelihood of one being discovered and used in a credential stuffing attack is highly likely.

“An easy option to self-protect is to enable two-stage verification on accounts, where they are possible, as it dramatically increases the difficulty for a malicious user to take over your account,” says Jadallah. “Ultimately, the best advice is to never do or say anything online that you wouldn’t in the physical world.”