Hanging by a Threat

Trojan Horses, worms, sentinels – the scourge of the IT department. Computer viruses just refuse to die out, but there are new warnings that it may not just be computer viruses that CIOs in the Middle East need to guard against.

By Duncan MacRae, published February 1, 2007

[Image: Will Brown, KPMG. Caption: Brown: A flu pandemic could take a significant proportion of the workforce out for an extremely long time.]

As representatives of KPMG, global provider of advisory services, settle down for a roundtable discussion on the findings of its recent business continuity report, the light-hearted banter quickly turns to a cautionary tale of imminent flu pandemics and poorly prepared businesses, amongst other unpleasantries.

The discussion was prompted by the firm’s CIO survey, in which 80 companies in the UAE, with representation from all major industries, answered 48 multiple-choice questions in face-to-face interviews.

The results of the survey showed that IT security spending in the Middle East region is rising sharply in line with the ever-increasing and varying security threats.

The results also suggested that not enough companies are sufficiently prepared for unexpected breaks in business continuity.

According to the survey, 90% of companies increased their dependence on IT during 2006 with 75% of companies increasing their information security spending.

Although the spend on information security is on the up, KPMG says that not enough companies are taking a holistic approach to their business continuity and information security planning in the long term.

“86% of companies are not considering international security standards such as ISO27001 when implementing information security management systems, and 55% allocate funds to projects on a case-by-case basis,” comments Rajeev Lalwani, head of IT advisory practice for KPMG in the UAE.

“Organisations need to treat security and continuity issues as business issues and embed them in the larger context of risk management policies and procedures. When it comes to information security, there is no point in investing in expensive security technology tools to protect your digital customer information if the same information remains unprotected in paper form.

“Most organisations in the UAE are going beyond national boundaries - they are operating with different regions. What this means is that there is a step change in the risk profile of these organisations, but this also provides these organisations with an opportunity to become more resilient and use their regional or global reach to better manage.

“From an information security point of view, it is important to understand that organisations today do not operate in a vacuum. They operate in a seamless chain of vendor suppliers. Securing the company’s information is becoming very important - perhaps most important after people.”

Integrating a robust incident response mechanism is a significant indicator of an organisation’s readiness for security breaches, according to KPMG. The survey showed that only 15% of companies in the UAE had considered round-the-clock monitoring, with the remaining 85% ranging from purely reactive systems to informal levels of monitoring and logging.

Viruses were perceived to be the main security issue, followed by spamming and internal threats. Only 12% of the respondents claimed that their information security function lies outside the IT department, with direct reporting to the board. This again highlights the need for companies in the UAE to examine the extent to which their information security policies are interlinked with overall company policies.

On the business continuity side, only 20% of firms have a continuity plan that covers the entire organisation, and over half of the respondents focused their business continuity initiatives mainly on technology and related systems and processes.

People are key

KPMG also believes that a greater understanding is required on the need for geographic dispersion of disaster recovery sites. Most companies surveyed have, or plan to have, secondary recovery sites within the same city or location in which their business operates - leaving businesses vulnerable in the event of a major disaster in that same city or location.

The survey also reveals that organisations recognise people as by far their weakest links. Processes are exposed to risks due to human error, negligence, lack of awareness or even lack of staff during a disruption.

Will Brown, KPMG’s service leader for the centre of excellence for business continuity management, warns that one of the key aspects that now has to be considered is an emerging flu pandemic, which he says will force organisations to think about business continuity in a very different way.

“Traditionally, business continuity and disaster recovery sat in the IT environment,” he says. “It is now very much a business issue and it is understood that although organisations rely on their IT systems, people are the absolute key and people must come first in terms of business continuity and disaster recovery capabilities. This flu pandemic is a virus that could take a significant proportion of the workforce out for an extremely long period of time. Best practice looks at having 25% of the workforce unavailable for a period of up to 18 months.”

Despite this, investment in business continuity appears to be constrained, with a majority of firms spending in the lower end of the investment spectrum. In fact, the key drivers in decisions to implement a business continuity management programme have been customer service, compliance and safety of staff.

As organisations in the UAE grow regionally and globally, KPMG says it is important that they start considering aligning their security and continuity programmes with internationally recognised security standards.

Lalwani adds: “One key finding from the information security perspective is that most organisations seem to treat it as a technology issue and apply technology solutions to manage information security.

“That’s good for IT security but when you talk about information security the context is much broader. You need to work on several other domains and these include working on security strategy and policy, ensuring that the security function gets deployed across the organisation and not just within IT.

“We’ve also discovered that most organisations in the UAE treat information security as a function - an IT function. The definition needs to be right. Business continuity and information security are business problems and business challenges with a lot of IT solutions out there.

“When you compare with leading practices, one of the questions we asked was ‘what kind of threats do you see with respect to information security,’ and the respondents in the UAE mentioned computer viruses as top threats, followed by spamming and phishing. When you compare this with colleagues in the West and the US, they mentioned threats relating to malware and adware - threats which are perpetrated for profit.

“So it’s no longer hackers playing a game but people in a co-ordinated fashion attacking for financial gain.”
