Employees’ lack of understanding of basic security measures are leaving organisations in the region vulnerable to cyber attacks, security officials have said.
With 99 per cent of cyber incidents a result of “internal vulnerabilities” and an expected 26 billion devices in the world by 2030, they said more diverse and regular staff training was required to be able to counter the evolving digital threats.
“We see lots of social engineering attacks, which is something [where] we lag behind,” said Dr Fadi Aloul, head of computer science and engineering at the American University of Sharjah. “[The university] is very active in security awareness, which is something we lack in this region. People are so excited about technology and gadgets and completely forget about security.
“The Internet of Things is probably our next big threat; it’s a tsunami coming up very soon that will lead to cyber blackmailing.”
During a panel discussion about the GCC Cyber Threat Landscape at the Gartner Security Summit in Dubai on Tuesday, security officials spoke of internal vulnerabilities as the Achilles’ heel of today’s cyber-security environment.
“The financial sector is the most targeted in the world because it’s where the money is,” said Thabet Khamis, head of information security at the UAE Central Bank. “The type of attacks we get are mostly social engineering, fraud attempts and we see attempts from people who pretend to be CEOs and account managers in specific banks.”
Social engineering attacks are when the user is tricked into giving away information or breaking normal procedures. External cyber attacks involve cyber criminals able to hack into a system on their own and internal attacks are caused by an employee who assisted in allowing the hackers into their company’s system, whether unwittingly or not.
Mr Khamis said internal attacks largely occur when an employee helps the attacker due to their lack of understanding of the threats.
“These days, the one-click processes that most banks are trying to achieve for any kind of application they want to enhance customer experience actually lead to some of these incidents that we currently face in the financial sector,” he said.
“I always tell my team to go back to the basics, [especially when] organisations in the Arab world depend on people more than the process, so when that person leaves, it goes back to zero.”
Research has found that, of the successful internal cyber attacks that take place, 95 per cent of them are triggered by staff lacking education, perhaps clicking on a link in an email that they shouldn’t.
“Only five per cent are malicious,” said Sam Olyaei, senior research analyst in security and risk management at an American research and advisory firm providing information technology-related insight.
“We look at the first line of defence, which is the people. You can have the best defence in the world but you can’t do anything if it comes from the inside. People need to be educated.”
Many penetration vulnerability tests in the UAE have found ransomware and viruses hidden within the organisations' network.
“I tell them to start with the internal components first,” said Mohammad Bushlaibi, a forensic analyst at aeCert, the UAE computer emergency response team at the Telecommunications Regulatory Authority (TRA) and the country’s cyber security coordination centre. “They think they’re safe because there’s no movement but internal exposures in these types of security threats are more dangerous than external ones because you have firewalls for external threats while you don’t for internal.”
Regional studies have found that careless employees were the most significant challenge in facing these threats, followed by external cyber hackers, internal cyber hackers and then “hacktivists”.
“You need to think about human interaction as well,” Mr Bushlaibi said. “It could just be a human resources employee receiving a CV from someone he didn’t contact, open it, and you have a ransomware in your system. Employees think only their computer is affected but they don’t know it goes beyond that, so we’re working on awareness learning management.”
The GCC is taking these measures seriously, especially following cyber attacks on Aramco in Saudi Arabia in 2012 and attacks on American, Saudi Arabian and South Korean aviation and energy firms since last year, purportedly from a gang of Iranian hackers suspected of working for the government in Tehran.
“We see basics lacking a lot and it’s almost non-existent,” Mr Olyaei said. “Nation state attacks are the biggest threats - if you’re going to be part of the digital transformation and you don’t have the basics, you’re going to be in big trouble. Simple things like diverting surgeries, hospitals, airports not being able to issue visas – in the digital business world, it’s canny for hackers.”