Think holistically: How to approach information security
Organisations in the Middle East must take a holistic view that encompasses people, processes and technology
Security has arguably never been a higher priority in the C-suite, thanks largely to the extremely high-profile data breaches that seem to be reported every month. But whereas security was previously tackled in silos — a firewall for networks, an anti-virus for endpoints, etc. — organisations are now looking to develop security strategies that can be applied to the entire corporate structure. Vendors have responded by providing holistic security solutions that monitor traffic, provide anti-virus, supply information for digital investigations, and much more. But perhaps more importantly, organisations are looking to integrate these solutions with finely tuned business processes that help to ensure data security.
Historically, most IT spending was focused specifically on malware and on preventing worms and viruses from spreading, according to Chester Wisniewski, senior security consultant at Sophos. He says that the high-profile attacks in the news have now shifted the focus more toward data protection and encryption. The latter is a big boon for enterprises, because it means that although things may be compromised, the information is of no value if it cannot be copied.
However, he adds that, in the Middle East, we’re still playing catch-up with a lot of this technology.
“It would seem that the Middle East is playing catch-up with some of the more industrialised countries. Certain industries, like energy, are more up to date, whereas smaller and mid-sized companies are falling a bit further behind,” he explains.
Wisniewski’s testimony is corroborated by Illyas Kooliyankal, director of information security at ADS Securities. As an end user in the Middle East finance industry, he says that his line of business can be compared to the best in the West. However, he adds that other industries still have a way to go in terms of their security strategies.
“Security is gaining ground in the region, especially in the finance and government sectors. But other sectors are still playing catch-up and are still at the level of forming an IT security function rather than having one team which handles everything,” he says.
“Recent security breaches and increased governmental and industry regulations are helping to raise the problem. Some corporates are now setting up more structured organisational information security environments, which add business value and can also handle risk.”
You can see why. According to the Corporate IT Security Risks 2014 survey, conducted by Kaspersky Lab worldwide, including in the UAE and KSA, a serious incident can cost a large company an average of $649,000; for small and medium-sized companies the bill averages about $50,000. As a result, companies have started investing in state-of-the-art cyber security solutions, having realised that recovery costs much more than prevention.
“We have seen a rising awareness about cybersecurity in the Middle East. In general, I would say local enterprises are getting close to global corporations in terms of cyber security — they are taking cyber threats seriously and making efforts to equip themselves against attacks — but it seems there is still a gap in terms of consistency of these efforts and employee education,” says Ovanes Mikhaylov, managing director in the Middle East for Kaspersky Lab.