EY’s latest Global Information Security Survey has found that the explosion of connectivity fueled by the growth of IoT and the ever-expanding digital footprint of organisations have introduced new vulnerabilities. Clinton Firth, cyberleader at EY Africa, India & Middle East, discusses some key trends in cybersecurity and the importance of cyber resilience.
Are businesses in the Middle East prepared to defend against cyberattacks?
The last several years have seen a pronounced shift in the overall understanding of cybersecurity threats and capabilities to counter them across the region. New government entities have been established to address the growing threats and more emphasis is being put on addressing the risk to critical infrastructures and government institutions.
However, many institutions and enterprises in the Middle East are still not ready or capable to deal with the rapidly advancing cyber-attacks.
While there are of course pockets of good practice, the perception among the threat actors is that the Middle East is seen as an easy target, with GCC states being among the highest globally ranked for cyber-attacks. While most organisations have invested heavily in technologies to address cyber threats, there is a lack of risk management maturity on how to deal with the cyber risk that digital technologies present at the strategic level.
Further, at the operational layer we do not see sound and continuous awareness programmes, which manifests in a poor cybersecurity culture, along with two of the other major elements that are missing: continuous cybersecurity monitoring and effective identity and access management programmes.
How do you see the threat landscape evolving in 2018?
The threat landscape is going to continue to expand and outpace the ability of organisations to counter it due to two key factors: the rapid adoption of digital technologies as part of the Fourth Industrial Revolution, and the inability of organisations to dynamically scale up cyber resilience to counter the new threats and vulnerabilities which the digital revolution is creating. The threats have been exponentially evolving over the past decade and 2018 will be no different, with a continuation of record-breaking cyber-related events. Compounding the problem is the rapid explosion and adoption of digitally enabled technologies in commercial, government, industrial, and infrastructure applications. The digital enhancement of all aspects of life in the Middle East, and across the globe, is creating a larger surface area for the attacks, and presents much more opportunity for threat actors such as criminal organisations, nation states, and insiders to have a larger impact. Additionally, cyber is a prime choice for threat actors as there is a level of plausible deniability and weak legal frameworks to enact any criminal or legal charges, especially across national borders, which makes it an ideal platform for nefarious activity from abroad.
Has security become a boardroom-level discussion now?
We need only look to what is happening at the executive level in response to cyber-attacks around the globe to find the answer to this. Constituents, customers, investors, and board members are holding the highest level executives responsible for the outcome of cyber incidents. CEOs have been forced to step down, and boards are being held accountable for the resulting financial losses and institutional failings from cyber-attacks. Given the magnitude of the problem, governments, regulators and even consumers are putting a lot of pressure on organisations to take responsibility for data, service quality and assets. This is putting cyber as one of the top risks that boards are now dealing with, especially as the consequences of not acting or positively addressing the threats continue to grow and key executives are held accountable. The key is now for boards to become cyber aware and for the executive teams to build a culturally aware cyber organisation, leading towards a cyber resilient organisation of the future. In conjunction with this, boards and executives need to adopt a new understanding of cyber resiliency and a culture that puts security as part of the business drivers and requirements for their organisation.
Will AI and machine learning shape the future of cybersecurity?
AI and ML will shape cyber in two ways. The threat actors will see AI/ML as a great target, because if they are able to control, manipulate or bring its integrity into doubt, that will further allow them to enact their goals. So, organisations will have to focus their protection around such assets, and treat them as critical. Furthering the threats to AI/ML is the ability for sophisticated threat actors to harness the power of such technologies to increase their effectiveness and capabilities in launching complex, multi-faceted attacks against the targets of their choosing.
On the defensive front, AI/ML will certainly assist cyber functions by providing better protection and detection technology, allowing analysts to focus on more analytical related tasks and remediation. An example of this is the Digital Security Operations Centre (SOC) being launched by EY in the GCC, that uses world leading and award winning machine learning to better detect anomalies and threat actors within a client’s environment. This allows the analysts to focus on investigation, rather than sifting through hundreds, if not thousands, of false positive events with traditional technology. Further, as AI and ML increase in their understanding of the cyber threats, the systems will be able to eventually alleviate much of the human response to cyber-attacks in favour of a more dynamic, predictive, and proactive response to cyber threats and attacks.
Do you think companies can avoid most of the breaches by following basic cyber hygiene?
Certainly companies need to address the basics as a minimum, which goes a long way to protecting them from the majority of cyber threats. Organisations are still struggling with basic patching of their infrastructure and applications, which if resolved, and coupled with a security minded configuration control programme would go a long way to providing a good core defense base. It is understandable that in some cases this is not possible for critical operational technology (such as industrial technology) due to the legacy nature of the asset, but in the majority of applications and cases, this is still an issue that can be more effectively addressed using basic cyber hygiene. Just looking to the largest cyber events of 2017, in many cases they could have been prevented by following basic cyber hygiene principles.
In addition, the other core principles – being security awareness and training, identity and access management reviews and audits, and lastly a good security monitoring solution – will really provide a good multi-faceted cyber defensive layer that will raise the security posture of any organisation and fend off a majority of the cyber-attacks, allowing organisations to provide more focus on more significant threats to their enterprise.
What does it involve to develop a risk-based security framework?
Cyber should be treated like any other risk and fit into an organisation’s enterprise risk management framework. For those organisations that don’t have a risk management function, simply providing accountability and authority of such a role and applying the basics like risk registers, risk measurement, risk treatment (mitigation, acceptance, removal), and lastly tracking and reporting to an executive level, will go a long way to help mature an organisation.