At a roundtable organised by the UAE Telecommunications Regulatory Authority (TRA) and UBM, the audience had an opportunity to discuss the subject of cyber security in a mobile workforce with members of the UAE Computer Emergency Response Team (aeCERT), security managers from prominent organisations in the region and representatives of McAfee.
Experts at the roundtable predicted that security threats associated with mobile operating systems will continue to increase in 2012, as more organisations give in to the culture of mobility to increase communications and productivity.
Meshal A Bin Hussain, manager operations, aeCERT, pointed out, “It’s interesting to note that with an increasing mobile workforce across the region, organizations need to pay careful attention to threats associated with the loss or misuse of information stored on an employee’s mobile device in addition to monitoring the external environment.”
Tariq al Hawi, director, aeCERT, said, “What we need to understand is that intrusion and data loss is no longer just a bunch of kids playing around; today, it is a well orchestrated and planned attack looking to cause financial loss and in worse cases may lead to irreversible damage to a person or organisation’s reputation. This is why I believe there is a huge difference between the term hacking, which encompasses white, black and grey hackers, and the term cyber criminals, people that we are dealing with today.”
Mohammed Sabah, executive director information security & network services, Dubai Holding, recommended five basic steps that an organisation must put in place to cover end-to-end security of its network. “First and foremost, the company must invest in building awareness about security amongst its employees – new or old; this must be followed up with a stringent information security policy.”
According to Sabah, a comprehensive information security policy would include a basic set of dos and don’ts associated with the use of mobile devices within the enterprise, a set of guidelines for social media interaction (information that may or may not be shared), and the disciplinary action that will be taken in the event of a breach of this policy.
“It is imperative that organisations make it clear to all the employees, regardless of seniority or job description, that the rules stated within the policy are applicable to all, as is disciplinary action. Once this has been made clear, the company must enforce the policy right down to the tee. The next step is to work on a detailed plan that sets out a procedure for if or when a security breach does happen. This step will determine an organisation’s ability to limit the damage associated with an attack. Finally, based on regular monitoring of network vulnerabilities and latest malware and cyber threats, the security team and decision makers must review the policy to make it adaptable to changes in the rapidly evolving environment.”
Experts gathered at the roundtable agreed that although the region has so far been lacking in its understanding and awareness of cyber security, the situation is fast changing as more organisations begin to learn from the mistakes of so many others in the past year.
Al Hawi said, “One of the primary concerns we have is that private sector organisations are less prone to disclose the advent of a security breach than their public sector peers; they often come forward and report an attack only once the damage is done. When they do report an attack, they are not as comfortable to share details associated with their network and infrastructure, in addition to which these organisations don’t often disclose numbers, which limits the ability for regional law enforcement agencies to conduct thorough forensics and investigation.”
Professionals believe that this surge in the adoption of security solutions in the region is in part driven by the aggressive adoption of stringent security policies and measures by the private sector. “The private sector realises now that the threats associated with cyber crime are very real, having seen the likes of companies like Sony, Citibank etc,” concluded Hussain.
The UAE Telecommunications Regulatory Authority (TRA), represented by the UAE Computer Emergency Response Team (aeCERT), in cooperation with Khalifa University of Science and Technology and UBM, will host the second edition of the Black Hat information security conference from the 12th of December 2011 through the 15th of December at the Emirates Palace, Abu Dhabi.