Cyber security situation critical
Government organisations in the region are increasingly under cyberattack, driving the need for better security solutions and putting governments at the forefront of efforts to protect sensitive data and critical national infrastructure.
Information security has concerned IT professionals for at least a decade, but recent years have seen a dramatic increase both in threats and in the consequences of suffering a security breach. From a mere nuisance at the start of the century, cybersecurity threats have become a major problem for all types of organisations. For public sector entities in the region the situation has become particularly severe, and there is little sign that the tidal wave of threats will abate.
Time and again, the government sector rates among the top targets for cyber attackers. According to FireEye’s Advanced Threat Report, nearly 20% of all malware recorded by the FireEye Dynamic Threat Intelligence (DTI) cloud in the first half of 2015, and over 15% of advanced persistent threats in EMEA, were targeted against government organisations. Malware attacks nearly doubled between January and June 2015 in EMEA. In the GCC region, Government, Education and the Finance sector were the most targeted verticals, accounting for almost 92% of all attacks.
Governments are increasingly in the cross-hairs of cyber-attackers for a number of reasons. For one, they are often custodians of financially sensitive data or identity data that has value. The FireEye study found that the majority of attacks against government are carried out by financially motivated hackers, who are looking for sensitive data. Central agencies and institutions that maintain citizens’ data are likely to be particularly at risk, due to the potentially valuable information stored on their networks.
Another factor is the rise in politically motivated attacks. While there has been a political aspect to some hacking for a while, such as defacement of government websites, political attacks are becoming more targeted, seeking out specific targets or data in the case of cyberespionage, and are also growing in complexity. They are also increasingly linked to real-world conflicts, with attacks launched either for propaganda purposes or to target critical infrastructure as an act of cyber warfare.
Mohammed Abukhater, regional sales director – Government, FireEye, commented: “Without a doubt, the most sophisticated attacks against governments have been sponsored by other nation-states. Cyber wars are very much a reality these days, and have ramped up in intensity in recent times. As per FireEye’s latest Advanced Threat Report, the most targeted sector in the region, after the financial sector, is the government. This is because cyber warfare presents a better alternative to the military option; a well-organised cyberattack can be as damaging — if not more — and involves lesser cost and risk to the attackers.”
The government sector in the region is not blind to the risks of cyberattack. In fact, since a number of high-profile attacks on oil and gas companies in the region in 2012, most notably against Saudi Aramco, there has been a sharp rise in the level of security awareness among government organisations.
Nicolai Solling, director of Technology Service at Help AG explained: “In general, government spending on security has been increasing steadily, specifically since the Oil & Gas breaches we saw back in 2012. From 2013 onwards, we have begun to see governments allocate a dedicated information security budget as compared to before when it was mainly coming from the infrastructure departments which didn’t even have an information security department and/or practice in place. The increased emphasis on information security is also apparent from actions such as the UAE government making compliance with information security (ADSIC, ISR, NESA) and business continuity (NCEMA) frameworks mandatory.”
Giampiero Nanni, Government Affairs, EMEA, Symantec, added: “There is so much awareness of cybersecurity [in the UAE], more than many other places; that is a very good sign. The UAE is always mentioned as a high tech [leader]; the fact that there is good attention to security is very valuable.”
Awareness of security among government entities can be seen in several areas. Many of the countries in the region have founded Computer Emergency Response Teams (CERTs), which are responsible for promoting information security and managing threats. Organisations such as the UAE’s aeCERT have played an important role in developing the security readiness of government organisations in the region. Increased awareness has also resulted in an increase in security spending, and that spending has shifted focus, according to Haytham AlOhali, public sector manager, Cisco Saudi Arabia.
“Needless to say, since the Aramco incident, security has been top of mind for many CIOs. It is not only buying security solutions, but making sure that all the solutions they buy are secure as well. For example, those who are thinking of rolling out an IP telephony or video conferencing solution want to ensure that it is secured and hardened,” AlOhali said.
In general, while government entities have adopted the right tools and procedures for good security, some areas still pose an obstacle to attaining the highest level of security. Some organisations are struggling to create end-to-end holistic approaches, and to develop policies that govern all aspects of operation and to keep them current. Another major stumbling block is the lack of skilled security personnel.
“It is a worldwide problem,” said AlOhali. “We have talked to our colleagues and customers that have global reach, and it is the number one need.”
According to Gartner, around 40% of all security positions are unfilled at present, a figure predicted to rise to 50-60% within the next few years. Greg Young, Research VP, Gartner, said that the issue was not one of spending on security, which continues to increase, but rather that there are simply not enough staff to make effective use of all the security tools and applications:
“One problem we have in security is there is almost too much spending; we have a shortage of people — the same number of people have to use more and more tools, and they can’t deal with it. In some of the biggest attacks we’ve seen, people had a lot of tools, but it was just too much for them,” Young said.
Another area where lack of skills and education poses a risk is basic security awareness. Across many organisations, even low-level staff have access to sensitive systems or data, but don’t have the basic understanding of security to stay safe. A study by IT industry association CompTIA found that human error accounts for more than half of all data breaches. Around half of all business professionals in the US receive no form of training on security best practices.
Mark Plunkett, regional director, Europe and Middle East and Emerging Markets at CompTIA, commented: “Organisations have recognised for some time that the employee using the PC, laptop, tablet or smart phone is the weakest link in an organisation’s security defence. These employees often are responsible for sensitive customer information, intellectual property and other corporate data. Yet they are frequently the least prepared and trained when it comes to cybersecurity vigilance.
“One way to strengthen defences and reduce the risk of becoming a cybercrime victim is to train and certify employees to ensure they have core necessary security knowledge. This means everyone in the organisation — from the receptionist at the front desk to the business owner or agency head in the executive suite,” he added. “It’s critical that we move cybersecurity out of the realm of IT, and make it a responsibility for all knowledge workers. We’re seeing that in some government agencies — they’re requiring that all their employees go through such training.”
The role of government in the security sector does not stop at securing its own systems. As the digitisation of business processes brings more and more organisations online, there is a growing need for the government both to assist companies and to define by law how they should protect themselves.
At a basic level, the security awareness that is required for all levels of staff in government needs to be replicated across the wider public. Programs such as ICDL training courses are going some way to addressing this wider public need, but the need for training is becoming more widespread.
“When it comes to digitisation, awareness is more important than ever. When you talk about digitisation, your reach is going up to the users, anyone with a mobile phone, people who are not your common IT industry users,” AlOhali said. “I think it needs direction within the government to raise awareness.”
Gartner’s Young said that government needs to balance legislation on security with practical help and assistance.