The year in threats: NME 2017 Security Survey
Network Middle East Security Survey highlights the never ending battle for supremacy between IT and cybercrime
It has been a busy year in cybersecurity, for all the wrong reasons.
Barely a month passes without some major cybersecurity incident making headlines. It is against this backdrop that Network Middle East sought to gauge the cybersecurity preparedness of Middle East organisations through its annual Security Survey.
The year 2016 saw increased spending in security solutions from 2015, in line with projections.
More than a fifth of survey respondents (21%) said their organisation spent more than 500,000 in overall security spending in 2016, rising from 10% who said their organisation spent more than 500,000 in 2015.
This is consistent with IDC predictions, which forecast worldwide revenues for security-related hardware, software and services to grow by 8.3% in 2016.
Additionally, 12% expect to spend more than 500,000 USD in security spending in 2017.
When asked what percentage of their organisation's IT budget is dedicated to cybersecurity, 28% said 10-25%, rising from 23% of respondents from the year before.
Nicolai Solling, CTO at security consulting firm Help AG, said the rise in spending is consistent with industry sentiment, with organisations spending more of their IT budgets on security.
But is it really enough, Solling asks.
By 2019, it is estimated that IT security will be a $100bn industry, but at the same time the actual costs associated with cybercrime are expected to exceed $2 trillion. “These are staggering numbers and it is thought-provoking that we are only spending 5% of the actual cost of the issue we are trying to protect ourselves against,” Solling observes.
Generally, budgets are increasing on an average of 18%, so this value is consistent with what the industry is seeing, says Rajpreet Kaur, senior research analyst at Gartner.
Maxim Frolov, managing director for Middle East, Turkey and Africa, Kaspersky Lab says cybersecurity budgets also need to factor in the acquisition and building of skill-sets within the organisation to address – and prevent – incidents that can damage resources or hinder operations. “There needs to also be a culture of education, which reaches all the staff, preparing them on how to respond to a cybersecurity incident – from identifying them to escalating to the experts,” says Frolov.
Ransomware and phishing were the most familiar threats among our respondents at 83% and 75% respectively. This is not surprising as ransomware attacks such as WannaCry dominated the headlines this year.
Solling observes that as a result of the massive cyber-attacks in 2017, some of which specifically impacted the region, ransomware would naturally rise to the top of people’s minds. “I remember November 2016 and January 2017 as being very active months, and not in a positive way,” says Solling.
“The remarkable part about the attacks is that even organisations which were protected by state-of-the-art solutions were impacted. This is indeed concerning, but of course also shows the level of effort cybercriminals take in circumventing existing protection,” he adds.
This is not uncommon, Kaur concurs. “With recent ransomware attacks all over the news in the recent past, CIOs know about ransomware, and are working towards securing their organisations against them.”
Due to the attention paid to ransomware, this particular type of threat seems to be most top-of-mind, notes Frolov. However, although ransomware attacks can cripple a business and generate losses, there are other types of attacks that individuals and government bodies should be more aware of. “Attacks on the critical infrastructure that target a power grid of a city could affect a whole nation. As much as it is important to be aware and stay protected against ransomware attacks, it is even more crucial to understand that cybercriminals have taken to the internet space to make it their battlefield and in return, we must be extra cautious and more alert in order to stay safe,” Frolov says.
In the past 12 months, 46% of respondents said they had received or experienced spam at work. This is closely followed by phishing at 42%, making these the most popular methods for cybercriminals to target victims. A surprisingly high percentage, 38%, said they had encountered Trojans.
In the Kaspersky Lab spam report for Q2 2017, one of the key triggers for spam was the global ransomware issue. Spam and phishing attempts were masked beneath seemingly genuine offers of help against ransomware such as WannaCry, notes Frolov. These included fraudulent offers of software and security upgrades, with links to phishing pages from where the personal details of victims would be collected. The same quarter also saw an increase in mass mailings with malicious Trojans disguised as emails from international delivery companies. “Overall, in the quarter, we noted an increase of 17% in malicious mass mailings, and the survey response captures this growing trend,” Frolov notes.
The industry has been discussing spam, phishing and awareness of them for years. A lot can be done from a technical perspective to reduce the recurrence of these old-school types of attack, Solling says, but he reckons it would be impossible to eliminate such a menace completely.
As e-mails are now the primary malware infection vector, e-mail security should be a prime focus of any organisation, says Help AG’s Solling. “I still think that most organisations are far too lenient in what they allow people to receive on mails. Why should anyone need to receive a document with Macros, scripts or other advanced functions that can be abused for delivering malware over e-mail? And instead of trying to identify if the document is malicious or not, why not simply remove these functions while we process it? We call it ‘data sanitisation’ and unfortunately this is underutilised today,” Solling laments.
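As an added illustration of the attachment sanitisation Solling describes (this is example code, not from the article, Help AG or any product): a minimal Python pass that rebuilds a macro-enabled Word document as a plain .docx by removing the VBA project and every package reference to it, rather than trying to decide whether the macro is malicious. The sample document is constructed inline and is not a real file.

```python
import io
import re
import zipfile

# OOXML package parts that store VBA code, plus the content-type strings they affect.
MACRO_PARTS = re.compile(r"(^|/)vbaProject(Signature)?\.bin$")
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
XML_REF = rb"<(?:Override|Default|Relationship)[^>]*vbaProject[^>]*/>"


def sanitise_docm(data: bytes) -> tuple[bytes, list[str]]:
    """Rebuild the package without its VBA parts; return (clean bytes, removed part names)."""
    removed, out = [], io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            if MACRO_PARTS.search(info.filename):
                removed.append(info.filename)  # drop the macro storage itself
                continue
            body = src.read(info.filename)
            if info.filename == "[Content_Types].xml" or info.filename.endswith(".rels"):
                # Strip declarations/relationships pointing at the VBA project and downgrade
                # the main part's content type so Office opens the result as a plain .docx.
                body = re.sub(XML_REF, b"", body).replace(MACRO_CT.encode(), PLAIN_CT.encode())
            dst.writestr(info.filename, body)
    return out.getvalue(), removed


def has_macros(data: bytes) -> bool:
    """True if any part is a VBA project or any part still references one."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(MACRO_PARTS.search(n) or b"vbaProject" in z.read(n) for n in z.namelist())


def build_sample_docm() -> bytes:
    """Constructed sample (not a real file): the smallest .docm-like package with a VBA part."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>'
            f'<Override PartName="/word/document.xml" ContentType="{MACRO_CT}"/></Types>'),
        "word/_rels/document.xml.rels": (
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/'
            'relationships/vbaProject" Target="vbaProject.bin"/></Relationships>'),
        "word/document.xml": "<w:document><w:body><w:p>Invoice</w:p></w:body></w:document>",
        "word/vbaProject.bin": b"\xd0\xcf\x11\xe0 constructed placeholder for a VBA project",
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()
```

Running `sanitise_docm(build_sample_docm())` returns the rebuilt package together with `['word/vbaProject.bin']`, and `has_macros` on the result is False; the same pass leaves a document that never had macros untouched.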
Half of the respondents said their organisations had not suffered any form of loss or damage from IT security incidents in the past year as far as they knew.
That 50% of IT users said they have not been harmed is not unusual for the Middle East region, as many organisations are not even aware whether they have been breached or not, says Gartner’s Kaur. “Moreover, if a breach takes place, it is often not publicly disclosed, and only known to management and other senior executives,” she observes.
Indeed, 21% of respondents to the survey admitted they didn’t know if the companies they worked for experienced any damage from hackers.
Use of work computers for personal functions is widespread, with 65% admitting they browsed websites not directly related to their job (for personal interests). 61% said they checked personal e-mail on work computers, while 57% admitted to doing personal online banking or bill paying (i.e. checking balances, transferring funds, paying bills). Social media access on work PCs is also very common, with 65% admitting to checking their Facebook, Twitter etc.
This is an extremely important deduction, as it shows that organisations allow personal transactions on work machines, Solling observes. “We have moved very far from applying IT controls from the perspective of increasing productivity to now focusing more on allowing the users to utilize IT systems also for private work.”
“I guess it is related to how the lines between work and private life are being blurred,” Solling says.
Allowing this kind of access opens up corporate networks to major security issues as the channels individuals use may not be governed or controlled by the organisation. Private emails are a good example, says Solling. “We may have protected the corporate email system, but if the user can download or access private emails on the same laptop, then we are exposed to the same risk,” he warns.
This private/work crossover is a normal way of life now, and there are few companies that manage to totally limit all access to social media and personal work on the Internet during working hours or on company devices, notes Kaspersky Lab’s Frolov. “When companies provide laptops and smartphones to employees, it is natural to expect that they will use them for some personal work as well – no one can be expected to carry one laptop for work emails, and another one to pay their bills!”
“Once again, it is the investment of time and effort in educating and sensitising users to the critical need for security consciousness at all times that can make the difference,” Frolov says.
More alarming is that 22% admitted downloading or installing executable files (such as software programs, updates or add-ins) for non-work reasons. This is particularly worrisome because a lot of phishing attacks spread through executables.
Asked if they had saved data on USBs and/or CDs, transferred it using personal cloud services or sent it to non-work email addresses, the majority said no (52%).
Solling contends that the actual number is likely much higher. Unstructured data saved on uncontrolled media is a huge problem as it bypasses almost all security controls an organisation can put in place, says Solling. One course of action is to block USBs and access to private cloud services. However, there may be valid business reasons for these services.
Furthermore, users are clever, observes Solling, so even if IT blocks one thing, they will figure out another way. “I would recommend that organisations look at securing the services requested by users and delivering secure, governed alternatives instead of just blindly blocking access,” Solling says.
Companies that do not provide users with the necessary tools to function most effectively will find that their staff are forced to create their own shortcuts, eventually opening the door to potential security issues, says Frolov.
More employees seem to be increasingly cautious at work. Although 22% admitted opening spam on work computers, accidentally or otherwise, and 13% opened an email attachment from an unknown source, 61% said they were not that careless.
This answer reflects employees’ desire not to deliberately endanger their workplace IT systems, says Asrar Mirza Baig, founder and CEO of CTM360. “Reality may be very different, we are all human, and some spam is always smart enough to bypass our email filters. I would not expect individuals to be vigilant 100% of the time and not to click on random links. Additionally, we receive messages and links over social networks that we gladly click on the assumption that they are harmless just because it came from someone within our network.”
Kaur of Gartner says the majority declaring they did not click on malicious links could be explained in two ways: either they are not sure whether they ever opened a phishing email, as phishing emails look like genuine email, or, if they did open one, they failed to report it to the concerned team for fear of being penalised.
There is a growing sense of familiarity with what typical spam emails look like, and people bring this awareness from their personal email boxes to their corporate ones, Frolov observes. However, people are often unaware that the email they opened was spam, and if there was any impact, they may also choose not to report or acknowledge it, considering it embarrassing and potentially harmful to their careers.
Having a corporate IT security policy in place should be a basic cybersecurity undertaking. However, our survey shows inconsistencies not just in having a policy in place, but in enforcement as well.
Only 38% of the respondents said they were expected to sign an IT security policy when joining. Of those, only 14% have had to sign it within the past 12 months. A full 19% said the company they worked for had no IT security policy at all.
When we consider human behaviour as one of the weakest links in the chain of security, having a security policy in place should be considered the most important step, says Baig. “A security policy should be the starting point, to be practised by all, and which should be periodically revised with an adequate system to re-sign or acknowledge it at each iteration. Without it, your IT security posture is standing on a very weak base,” says Baig.
A sustained education campaign can possibly address the awareness gap around IT rights and responsibilities more effectively than a one-time exercise or annual reminder, says Frolov.
Enforcement of IT security policies is also widespread with 71% of those with a security policy saying it was enforced with disciplinary action taken for breaches.
IT security professionals have been advocating awareness campaigns on IT security risks for employees as a standard feature of any security approach. This may be as simple as regular emails from IT warning of the risks of spam or malware. Slightly under half (48%) said their organisation had an ongoing awareness campaign.
This is a very positive development, says Solling. “The more we are aware, the better the protection will be. I still think that too often, we focus our security around detecting malicious activity. But once we understand that detection will be impossible, we will move towards real prevention.”
A good example here is sandboxing technologies, says Solling. “They are great at detecting, but at the same time we have the issue that cybercriminals are investing in how to become undetected in the sandboxes.”
Asked whether their company has in place a policy on allowing company data on personal mobile devices (BYOD), only 33% said company data is allowed on personal devices but with controls to protect that data. 19% said their organisation frowns upon any company data on personal devices. A further 14% have no BYOD policy whatsoever.
With the rising popularity of BYOD, the fact that only a third have in place proper systems and controls to ensure the security of company data on their personal device is quite alarming, says Frolov. “This shows that the IT security systems are often side-stepped, citing reasons such as speed, convenience, compatibility etc. Clearly, BYOD needs a much more security-mature environment within which to thrive, and it is the responsibility of the IT teams as well as the users to ensure that all personal end-points on the network are secure and compliant.”
Globally, the majority of organisations have a BYOD strategy, notes Kaur. “The Middle East has been slow in embracing BYOD because of security concerns, as the survey shows.”
Solling says the real concern with BYOD is how effective the control mechanisms are. “BYOD is an extremely complex topic, especially when the users may have paid for the devices themselves and then security controls are dictated by the organisation, how much can you really control in that situation?”
Having corporate email on smartphones makes this question very important as it becomes one of the major challenges for organisations, indirectly putting the company network at risk, yet a generally tolerated grey area, says Baig. "It is not just a question of ownership of the device but also about online profiles. One may be visiting social networks for work-related purposes, but to do so he/she may use their personal profile.”
“Therefore BYOD is now moving to COPE (corporate owned, personally enabled) and the latest, COBO (corporate owned, business only),” Baig observes.
As expected, security solutions are universal, with anti-virus being the most popular at 76%. 14% of users said they did not know what security solutions their company had deployed, meaning that among those who did know, anti-virus is more or less everywhere. 62% said they knew they had a (software) firewall and 43% anti-DDoS.
Beyond anti-virus and firewall solutions, companies also need to protect their on-premise and cloud infrastructure with specialised solutions that can be customised to their industry sector, says Frolov.
For CIOs to develop concrete cybersecurity plans, Kaur advises them to include operational technology (OT) security as part of the entire cybersecurity strategy, especially if the business runs industrial control systems (ICS).
Kaur also calls upon CIOs to manage cultural change to create a risk-engaged culture. “Help your non-IT counterparts to understand and consciously engage in good decision-making related to technology risks.”
“Additionally, transform technology risk and cybersecurity into a business function. Position accountability for security as a business unit issue, which allows business units to choose their level of investment and balance the needs to protect the organisation against the requirements of running their business,” says Kaur.