Cyber attacks are on the increase. So what can businesses do to protect themselves?

To help answer this question, we took part in a recent panel discussion on the subject at the Capital Club in the heart of Dubai’s DIFC.



The seven panelists were selected from different industries that each have a unique perspective on the issue: either from an insurance, IT security, legal or banking point of view.

The event was attended by dozens of local and global business leaders from a variety of industries, eager to learn more about the challenges and potential solutions to a problem that is high on everyone’s agenda.

Our moderator for the evening was Thomas Paoletti of Paoletti Legal Consultants and the discussion involved the following experts:

  • Duncan Fairley – Head of Operational Risk at the Commercial Bank of Dubai
  • Jarret W. Kolthoff – CEO at SpearTip, a US-based cyber counterintelligence firm
  • Zainab Khatib – Vice President at Lockton MENA, a global insurance company
  • Lester Pinto – Regional Manager at Penta, a leading IT services firm based out of Dubai and Geneva
  • Giuliano Tomiazzo – CEO at IMQ Intuity, an Italian cyber security firm
  • Ramamurthy Venkatesh – CEO at NETS International Group, an IT and Telecom solution provider

Cyber security trends in the Middle East

The discussion first focused on the trends in the Gulf region and the most common types of attack. From ransomware to data breaches and phishing attacks, panelists highlighted the recent explosion of incidents and the increase in sophistication, especially since the COVID-19 outbreak.

When the discussion turned to the banking industry, Duncan Fairley highlighted the two types of attacks that can take place. The first type is directed against the bank’s IT infrastructure and services, and the second is targeted at the bank’s customers. The panelists stressed the importance of the human factor in all types of attack and the need to raise the general level of cyber security awareness. This can be a challenge in smaller companies, especially in the UAE where SMEs make up most of the economy, a fact highlighted by Ramamurthy Venkatesh. Larger enterprises, however, are starting to focus more on cyber security awareness. Duncan Fairley mentioned that CBD does regular phishing awareness campaigns targeting all roles, from C-suite down to the tellers.

Cyber security is a cat-and-mouse game where technology and solutions providers are constantly trying to keep ahead of increasingly sophisticated methods of attack.

User awareness is key


Providing tips on security practices and awareness measures that everyone can implement today, Pinto highlighted the importance of restricting admin rights, using stronger passwords, applying Multi-Factor Authentication and paying special attention to computers used after working hours by children, especially in the now common work-from-home setting.


Get insurance, but keep your skin in the game

On the subject of the insurance industry, Zainab Khatib explained what a typical cyber insurance policy covers, such as access to legal specialists and the cost of forensics. For a cyber insurance policy to cover a ransom payment, providers expect the policy holder to meet a minimum standard of cyber security. This is an attempt by insurers to make sure the policy holder has ‘skin in the game’ and to encourage them to take a stake in their own cyber security. Most insurance companies do not encourage the payment of ransoms. Thomas Paoletti also highlighted that from a legal perspective, some jurisdictions don’t allow ransom payments.

Data breaches are often bigger in their impact than ransomware, and the reputational damage caused by a data breach is something that cyber insurance cannot cover. This points to cyber risk being something that organizations can’t just pass on to third parties and must deal with head-on. Jarret W. Kolthoff pointed out that in many cases, even after a ransomware payment, if the underlying threat is not fixed the attackers will come back under a different guise for a second bite at the cherry.

Work with experts

Duncan Fairley highlighted how enterprises can benefit from using external Managed Service Providers (MSPs) and Security Operation Centers (SOCs) to take advantage of all the different skillsets and expertise instead of trying to do everything in-house. This is the approach adopted by CBD.

Smaller businesses, on the other hand, need to step up their efforts when it comes to cyber security. Jarret mentioned that relying solely on antivirus software is a recipe for disaster. Antivirus tools are the first thing to be turned off by attackers once they gain access. Getting into Endpoint Detection and Response (EDR) solutions is something SMEs can explore, in addition to investing in cyber security awareness.

Lester Pinto suggests a two-pronged approach for organizations to tackle cyber security awareness:

  1. Carry out cyber security awareness training sessions for employees at all levels.
  2. Constant testing, e.g. phishing campaigns, to ensure the effectiveness of training.

In either case, Lester stresses that training and testing should be tailored for each organization. There’s no one-size-fits-all approach that will work.

The audience asked

During the Q&A section, the audience inquired about actionable steps that they can take to protect themselves and their business. One question was about new technologies such as the blockchain and whether they can help in improving cyber security. The panel agreed that while this digital transformation is helpful in many ways, it is also increasing the attack surface and it might be too early now to tell if it works. Another question was about medical records theft and what attackers might do with such stolen data, especially if it was related to politicians or high net worth individuals. Jarret W. Kolthoff pointed out that early cases of medical records theft have been mainly aimed at selling the stolen data on the dark market, but as the prices for such data are now so low, criminals have switched to a ransom model, demanding payments from healthcare providers.

Key takeaways

  • Corporations are moving systems from on-premises to the cloud, which brings different vulnerabilities and countermeasures into play.
  • The most common forms of attack are: #1 Ransomware #2 Hacking #3 Emails.
  • Most attacks take place through stolen credentials, and cyber espionage is extremely prevalent, on both state and corporate level.
  • Companies need to make employees feel safe to report a mistaken ‘click’ so that the problem doesn’t spread.
  • No one should think they can be completely secure. Even with the highest level of security, you cannot rely solely on your IT department for protection. Cyber security needs to be part of the business risk budget.
  • The goal is to have adequate defenses in place and to make sure that any cyber crime incident stays contained within the first computer, account or network attacked.
  • When attacked, having a backup system does not eliminate the threat completely. A thorough investigation is required to understand how the attack took place and ensure that the backup system has not been infected.
  • Cyber security measures are often weaker in SMEs due to budgetary restrictions and priorities. This can be a real problem for the GCC region given the proportion of SMEs in the economy.
  • With an increased ease of doing business and entrepreneurial activities on the rise, the UAE is very exposed.

To learn more about these topics and ways you can protect yourself and your business please speak to one of our consultants today.
