UAE companies ‘wide open’ to cyber attacks due to lack of staff training

ABU DHABI // Companies are failing to provide their employees with basic cyber security awareness training, leaving their systems “wide open” to attacks.

Experts say that the vast majority of local organisations underestimate the “human factor” that allows online criminals to infiltrate companies’ internal networks, and many budget-cutting businesses do not see the value in investing in adequate training.

“If any organisation lacks the initiative to provide cyber security awareness as a part of their cyber security platform, they might as well remove the doors and windows to their offices and invite the criminals in,” said Amir Kolahzadeh, managing director of Itsec, one of the Middle East’s cyber security leaders.

“Cyber security awareness provides the basic knowledge of identifying the barrage of attacks on email boxes, networks and telephone systems.”

Mr Kolahzadeh said it was of “utmost importance” that every single employee completed a basic cyber security awareness seminar and be able to identify ransomware, which encrypts data on infected machines and demands a ransom to restore it.

He said because the UAE was an “extremely safe environment”, it made people too trustworthy online.

“This naturally causes people’s guards to be down, versus if we lived in New York or London,” he said.

“A cyber criminal can easily use a phone to call an employee and pretend to be a Microsoft engineer that has been assigned to upgrade the PCs for this company to the latest Windows and all the individual needs to do is allow a remote session for the three-minute install and, boom – suddenly the criminal has full access to the employee’s PC, files and the company’s networks.”

Research by Symantec and Deloitte found that more than two thirds of organisations in the Middle East were still incapable of protecting themselves from sophisticated cyber attacks.

Mr Kolahzadeh said there was a lack of will in organisations to invest in security measures.

“I would say 99 per cent of all IT directors are not looking to protect the organisation, they are simply looking for the cheapest compliance form they can pass on,” he said. “This is a major -security threat for the region.”

Mike Weston, vice president of Cisco Systems Middle East, said that no matter how many sophisticated security technologies were deployed within an organisation, a security solution was only as secure as its weakest link.

“UAE workplace security research conducted by Cisco and GBM showed employee behaviour is a genuine weak link in cybersecurity and becoming an increasing source of risk – more through complacency and ignorance than malice – because companies have so insulated employees from the scale of daily threats that people expect the company’s security settings to take care of everything for them,” he said. “Training employees to understand that they too are liable on an individual level is of critical importance.

“When data breaches are the result of an external attack, it is often the inexperience of employees that is exploited, whether it be by clicking on an email link they shouldn’t open or downloading an unapproved app.”

David Michaux, of online security company Whispering Bell, also said companies often underestimated the role their employees – from boardroom members to frontline workers – could play in preventing cyber crimes.

“Security awareness needs to be pushed down from the top and enforced,” he said. “This means it needs to be written into the HR policies and enforced by IT.”

Stephen Brennan, senior vice president of cyber network -defence at UAE cyber security company DarkMatter, said employers needed to have a rolling education programme for staff.

“You look back at the old day and it was ‘loose lips sink ships’ – the only thing we are really talking about now is transferring this mindset to the digital domain.

“[It needs] a constant programme of not just educating people but also positive reinforcement.”

newsdesk@thenational.ae