To help answer this question, we took part in a recent panel discussion on the subject at the Capital Club in the heart of Dubai’s DIFC.
The seven panelists were selected from different industries that each have a unique perspective on the issue: either from an insurance, IT security, legal or banking point of view.
The event was attended by dozens of local and global business leaders from a variety of industries, eager to learn more about the challenges and potential solutions to a problem that is high on everyone’s agenda.
Our moderator for the evening was Thomas Paoletti of Paoletti Legal Consultants and the discussion involved the following experts:
The discussion first focused on the trends in the Gulf region and the most common types of attack. From ransomware to data breaches and phishing attacks, panelists highlighted the recent explosion of incidents and the increase in sophistication, especially since the COVID-19 outbreak.
When the discussion turned to the banking industry, Duncan Fairley highlighted the two types of attacks that can take place. The first type is against the bank’s IT infrastructure and services, and the second is targeted at the bank’s customers. The panelists stressed the importance of the human factor in all types of attack and the need to raise the general level of cyber security awareness. This can be a challenge in smaller companies, especially in the UAE where SMEs make up most of the economy, a fact highlighted by Ramamurthy Venkatesh. Larger enterprises, however, are starting to focus more on cyber security awareness. Duncan Fairley mentioned that CBD runs regular phishing awareness campaigns targeting all roles, from C-suite down to the tellers.
Cyber security is a cat-and-mouse game where technology and solutions providers are constantly trying to keep ahead of increasingly sophisticated methods of attack.
Providing tips on security practices and awareness measures that everyone can implement today, Pinto highlighted the importance of restricting admin rights, using stronger passwords, applying Multi-Factor Authentication and paying special attention to computers used after working hours by children, especially in the now common work-from-home setting.
Get insurance, but keep your skin in the game
On the subject of the insurance industry, Zainab Khatib explained what a typical cyber insurance policy covers, such as access to legal specialists and the cost of forensics. For a cyber insurance policy to cover a ransom payment, providers expect the policy holder to meet a minimum standard of cyber security. This is an attempt by insurers to make sure the policy holder has ‘skin in the game’ and to encourage them to take a stake in their own cyber security. Most insurance companies do not encourage the payment of ransoms. Thomas Paoletti also highlighted that from a legal perspective, some jurisdictions don’t allow ransom payments.
Data breaches are often bigger in their impact than ransomware, and the reputational damage caused by a data breach is something that cyber insurance cannot cover. This points to cyber risk being something that organizations can’t just pass on to third parties and must deal with head-on. Jarret W. Kolthoff pointed out that in many cases, even after a ransomware payment, if the underlying threat is not fixed the attackers will come back under a different guise for a second bite at the cherry.
Duncan Fairley highlighted how enterprises can benefit from using external Managed Service Providers (MSPs) and Security Operation Centers (SOCs) to take advantage of all the different skillsets and expertise instead of trying to do everything in-house. This is the approach adopted by CBD.
Smaller businesses, on the other hand, need to step up their efforts when it comes to cyber security. Jarret mentioned that relying solely on antivirus software is a recipe for disaster. Antivirus products are the first thing to be turned off by attackers once they gain access. Getting into Endpoint Detection and Response (EDR) solutions is something SMEs can explore, in addition to investing in cyber security awareness.
Lester Pinto suggests a two-pronged approach for organizations to tackle cyber security awareness:
In either case, Lester stresses that training and testing should be tailored for each organization. There’s no one-size-fits-all approach that will work.
During the Q&A section, the audience inquired about actionable steps that they can take to protect themselves and their business. One question was about new technologies such as the blockchain and whether they can help in improving cyber security. The panel agreed that while this digital transformation is helpful in many ways, it is also increasing the attack surface and it might be too early now to tell if it works. Another question was about medical records theft and what attackers might do with such stolen data, especially if it was related to politicians or high net worth individuals. Jarret W. Kolthoff pointed out that early cases of medical records theft have been mainly aimed at selling the stolen data on the dark market, but as the prices for such data are now so low, criminals have switched to a ransom model, demanding payments from healthcare providers.
To learn more about these topics and ways you can protect yourself and your business, please speak to one of our consultants today.