Securing the Middle East

Information security has become an increased priority for businesses in the Middle East over the last two years. As a result, a number of organisations have initiated measures to enhance their security. Despite this good work, the number of threats lurking in cyberspace has increased. As such, local operations have to reassess their situation once more and ensure they are not vulnerable to attack.

By Matthew Southwell. Published September 29, 2003

Last year’s PricewaterhouseCoopers & Arabian Computer News IT Security Survey established that although the Middle East was becoming more aware of the threats presented by cyberspace, the majority of companies had yet to act on this knowledge.

As of September 2002, 53% of local companies had either no information security policies or only informal guidelines in place. Furthermore, only 36% of local companies measured the effectiveness of their IT security solutions and a mere 28% of organisations had a separate information security department.

Despite this glum outlook, there were positive signs that the situation was changing. An increasing number of companies were attempting to obtain the support of senior management for information technology security projects, while an impressive 84% of users connected to the internet had implemented antivirus software.

This year’s survey set out to assess whether or not the Middle East had moved on in the past 12 months, establish whether the region’s weaknesses had been addressed, and find out if its strengths have been built upon.

However, unlike the first two PwC & ACN IT Security Surveys, this year’s effort took place against a backdrop of increased scrutiny as political and economic crises forced security to the forefront of many people’s minds. Another factor worthy of consideration is the continually evolving technology landscape within the region.

Businesses are racing to integrate with the rest of the world and incorporate technologies that help them bring about cost savings and efficiencies. For instance, 22% of respondents this year, compared to 15% in 2002, had at least one integrated enterprise application, whether it be an ERP solution, a data warehouse, a call centre or a customer relationship management (CRM) package.

Furthermore, more than 45% of 2003 respondents had web sites integrated with back-end applications or with business partners, a 13% improvement on last year. In addition, the average respondent organisation had, at a minimum, a local area network (LAN) and at least three different operating systems.

Despite this growing reliance on technology, 50% of businesses that participated in the survey revealed that they did not perform risk assessments before implementing technology solutions. Furthermore, a third did not have a dedicated IT security function and more than 20% did not have a formally documented information security policy.

These factors, when combined, make a compelling case for urgent action in the Middle East when it comes to assessing IT vulnerabilities and boosting security levels. However, the solution is not simply more expenditure, but recognising the need for, and learning the ability to make, sound decisions based on expertise, risk factors and security considerations.

On the brighter side, businesses in the local market are gearing up to meet the challenges posed by security threats by increasing their spending on information security (55%), improving security awareness of their employees and business partners (19%), procuring security technology components (11%) and hiring security experts (12%).

ACTUAL ATTACKS

For the first time this year, the survey asked respondents to provide details of security incidents noted by them over the past year. Participants were also asked to provide details of how severely these incidents impacted their organisations.

The results were both startling and alarming, as 55% of respondents admitted that viruses and disruptive software have impacted on their organisations in the past 12 months. Systems failure/data corruption and inappropriate use of computing resources by employees (50% combined) remain serious security threats in the Middle East.

In terms of the impact security breaches have throughout the region, the survey revealed that 56% of all organisations and 65% of large businesses in the Middle East could be severely impacted by a security breach. Furthermore, 35% of respondent organisations admitted simply not having the mechanisms in place to monitor the misuse of computers and networks.

When attacks did occur, 54% of respondents to the survey revealed that the theft of data was one of their biggest concerns following a security breach, while around 40% of survey respondents cited financial losses as the most severe impact that a security breach could have on their business.

While not painting a particularly pretty picture of IT security standards within the Middle East, these results do at least reveal that enterprises in the local market have the same concerns about IT security as the rest of the world.

STRATEGIES & TACTICS

The Middle East’s end users are adopting a number of strategies and tactics to address the very real IT security concerns that they have. Foremost among these strategies is to increase spending on information security within the overall IT budget. In fact, 56% of respondent organisations that provided information on security spending have increased budgets compared to 2002.

Within this spending, organisations both big and small are directing their security thrust towards areas such as enhancing end user awareness, protecting vital organisational data, obtaining expert advice from security consulting firms, procuring security components and hiring an increased number of qualified staff.

Furthermore, organisations are moving towards more sophisticated security technologies such as biometrics, PKI and digital certificates to contain the threats of identity fraud and unauthorised access to data and information processing facilities. There is also a notable increase in the use of firewalls and intrusion detection systems over 2002 figures.

SECURITY POLICIES

An information security policy is the basic building block for information security. For information security to be effective, security policies should be documented and communicated to employees and others who use information. They should also be reviewed periodically, monitored for compliance and supported by strong commitment from senior members of the business.

While an overwhelming 82% of respondents to the survey confirmed that information security was indeed a high priority, around 60% did not have a dedicated information security function, or were unaware of its existence. Furthermore, over 40% of respondent organisations did not have a formally documented information security policy.

Respondents that did have policies reported that electronic mail was still the preferred choice for disseminating information within their organisations, despite the notoriety of mass mailers and spam for diluting the effectiveness of e-mail as a medium of communicating important corporate information.

RESPONSIBILITY

Traditionally, information security has been viewed as the responsibility of the IT department, owing primarily to the significant dependence by organisations on technology solutions and the constant innovations in storage and telecommunications that impact the way organisations do business.

However, information security permeates through an organisation’s people, business processes and technology and is embedded in the way people go about their tasks or interactions with customers, vendors and business partners. It extends beyond the realm of IT.

This aspect of information security has not been understood or appreciated within the Middle East and therefore security continues to be viewed as the responsibility of the IT department (57%). The pitfalls of this approach are that viewing information security as just another technology component ignores the importance of people in the overall context of organisational security. It also puts undue pressure on an already burdened IT department.

Local organisations that do have security policies still continue to have significant areas dedicated to information technology activities, such as system administration, network administration and security architecture. Unfortunately, this means that the more important areas of risk analysis, information classification, technical standards and incident response are neglected.

While this is understandable considering the significant influence that technology wields over information security, a well-rounded information security policy goes a long way in achieving the objectives of information security and protecting corporate data.

Furthermore, it is essential that the information security policy is reviewed periodically and revised to reflect changing business circumstances. However, only 42% of organisations with a security policy review and update it annually, while 20% of organisations have never revisited their security policies since they were created.

In a break from last year’s PwC & ACN IT Security Survey, the questionnaire was designed to gauge the effectiveness of security policies by asking participants about whether or not their company’s employees were required to formally review and accept a security policy. Only 36% of respondent organisations actually had such a process in place for staff and, of those, less than half were formally required to accept it.

People are often the weakest link for security, yet many Middle East businesses are failing to address this. Security risks from staff are becoming greater as a result of higher levels of staff turnover, changing staff roles and significant levels of expatriate hires. It appears that many Middle East businesses are concentrating their efforts on implementing technology solutions without developing a security awareness culture within their organisation to support it.
