Expert Speak

GCC Cybersecurity in 2022: Seven Predictions Every Enterprise Should Digest

Written by John Hathaway, Regional Vice President, iMEA at BeyondTrust

In 2020, enterprises across the Arab Gulf region adopted a justifiable set of priorities. First, protect employees from the pandemic. Second, deliver business continuity. Both were achieved by a necessarily hasty migration to the cloud. Unfortunately, this led to ill-defined digital perimeters, and a slew of new, rogue personal devices. The corporate network that was previously well understood was replaced with a mysterious hybrid fog.

The results spoke for themselves. The Head of Cybersecurity for the UAE government reported a 250% increase in cyberattacks in 2020, citing digital adoption in the wake of pandemic-related lockdowns. And Saudi Arabia defended itself against 7 million cyberattacks in the first two months of 2021, with national media citing attacks on remote access protocols (used by work-from-home employees to access corporate environments) as the most common.

And so, we arrive at our main challenge for 2022: cybersecurity is more important than ever and yet skills gaps remain, resources are tight, and strategies have yet to mature. Even as Saudi Arabia ranks second and the UAE fifth in the ITU’s Global Cybersecurity Index for 2020, work remains to be done. So let us examine what challenges may lie in wait for organizations in the coming year.

Space Scams
Yes, that is outer space, as in the extraterrestrial domain. Who hasn’t looked up at the night sky and dreamed of venturing into the great beyond? And it is that sense of whimsy that attackers will use to hook their victims in 2022. Now that the UAE’s Mars mission has gripped the imagination and trends of space-made movies and star-bound tourism are “taking off”, expect to see “opportunities” to send your DNA or personal effects — perhaps even yourself — off-world.

All you would have to do for these once-in-a-lifetime opportunities is pay a small fee or forward personal details. Those with stars in their eyes may be tempted to bite.

That Skills Gap Again
While the region’s shortage of qualified security professionals is nothing new, associated factors will exacerbate it in 2022. For shortages to get worse, all that needs to happen is for demand to outpace supply. And next year, that is what we are likely to see across the region.

We will need more talent to manage the expanding attack surface brought about by remote workers using their personal devices to join enterprise networks. Hybrid clouds mean more corporate data will find itself travelling through infrastructure that is not owned or controlled by the IT team that is responsible for its safety. And digital transformation initiatives will introduce new technologies and applications that need to be accounted for in the security posture.

And yet, still not enough young people are choosing to be trained as security professionals.

5G Everywhere
As more and more consumer devices have become cellular-capable, new use cases have become available to companies that previously faced the daunting cost of proprietary hardware and connectivity for their mobile solutions. The launch of 5G in the region promises even more use cases, as the technology solves lingering latency issues.

But the connectivity boon allows a merging of cloud, IoT, and potentially sensitive back-office data. And all components of 5G may not be entirely secure, given the range of hardware involved.

Ransomware: The Revenge
The dreaded digital rascal shows no signs of tiring. Like an indestructible movie villain, it keeps coming back for the sequel. According to data published by Statista, 38% of UAE organizations and 17% of those in Saudi Arabia were victims of ransomware in the 12 months prior to February 2021. Elsewhere in the world, record-breaking payouts have made it into the headlines this year.

The practice is evolving. Where before it was a pay-to-unlock model, now cybercriminals have begun “kidnapping” sensitive data – exfiltrating it and threatening to release it to the public. We already know that ransomware attackers spend a lot of time researching targets before a campaign. In 2022, we can expect more personalized attacks that hit IoT infrastructure or company contractors.

Supply-Chain Attacks Will Evolve
Supply chain attacks — such as the one famously used against Miami-based network infrastructure company Kaseya this year — show signs of maturing. While acknowledging that they are a relatively uncommon approach, a recent report by Abu Dhabi’s Digital14 identifies supply-chain attacks as one of the top threats faced by UAE organizations.

In 2022, we should watch out for an expansion in scope and sophistication, with third-party solutions and well-known development practices being leveraged by attackers.

Cybersecurity Insurance in Jeopardy
As if stakeholders did not have enough to contend with, their fallback risk position may simply vanish. Insurance providers may look at the bottom line and decide that — given the monumental costs of recovery and the failure of modern threat postures to allow for the evolving capabilities of bad actors — there is no sound business case for their cybersecurity products. Some insurers have already drastically increased premiums while others refuse to insure high-risk clients, and some have abandoned the cyber-insurance market altogether.

Without more organizations taking out policies, or better cyber-hygiene across the board, it is difficult to envisage a future for cybersecurity insurance.

More White Noise Means Greater Opportunities for Stealth
Because of the rise of VPN technology used to deliver remote-working facilities, threat hunters now have considerably more data to sift through when looking for suspect processes. Because this makes intrusion detection more difficult, next year’s malicious parties will enjoy more time between entering an environment and being discovered.

It’s Not All Bad
It goes without saying that while all the challenges listed here apply to all organizations in the region, not all will experience damage or loss. Some will have security policies in place that build a comprehensive asset register, a cogent risk assessment, and a mature and consistent workflow to circumvent the bad actor. But their less-prepared peers should not expect a happy new year.

Cyber Security

Measuring and Mitigating Cyber Risk

Written by Saket Modi, Co-Founder, and CEO at Safe Security

As businesses continue to invest in digital transformation and base their business models on technology, cyber threats only become more imminent. Cyber risk is no longer an IT problem, but a boardroom concern. Because cyberattacks disrupt business continuity, they have a direct impact on the top and bottom line of an organization’s balance sheet, making cybersecurity one of the top priorities of every organization.

Challenges with traditional cybersecurity approach
The evolving breach trends show that complying with frameworks alone can no longer holistically safeguard organizations. Frameworks such as ISO, NIST, PCI DSS, and others are used as reference checklists for cybersecurity and risk management practices; however, they provide limited visibility. Cybersecurity must be aligned with every organization’s threats and mission-critical business needs, and provided by products that deliver holistic and actionable insights.

The framework-based approach to risk-posture assessments is subjective, labor-intensive, and only offers point-in-time snapshots or assessments. It relies on a qualitative scale without any objective and quantitative measure to assess the security posture of an organization.

Similarly, Security Rating Services represent an independent source of publicly accessible data to support some use cases. However, these services don’t provide a complete assessment of security controls, as their information is primarily sourced from publicly accessible internet IP addresses, honeypots, analysis of deep and dark web content, and individual proprietary data warehouses.

A new approach to cybersecurity
Today, the delegation of risk decisions to the IT team cannot be the only solution and has to be a shared responsibility. The board and business executives are expected to incorporate the management of cyber risk as part of their business strategy since they are accountable to stakeholders, regulators, and customers. For the CROs, CISOs, and Security and Risk Management Professionals to be on the same page, there has to be a single source of truth for communicating the impact that cyber risk has on business outcomes, in a language that everyone can understand.

This is where Cyber Risk Quantification becomes a game-changer. There is a need for a solution that integrates with the entire security stack and gives a measurable analysis that supplements decision-making. This comprehensive information empowers CISOs and executives to make informed and timely data-backed decisions to ensure the cybersecurity of the organization.

Continuous Assessment of Cyber Security is the need of the hour
Compliance and government guidelines mandate the move to go beyond periodic assessments and into continuous monitoring of sensitive and critical information. In such situations, a CISO may often be unable to quantify the maturity of the Information Security measures deployed in the organization. Continuous Assessment of cybersecurity risk posture lets an organization prioritize the key focus areas across their Critical Assets and most vulnerable technology, third parties, or employees. This ensures that adequate measures towards holistic Cyber Security maturity are adopted throughout the organization.

Objectivity and simplicity should be at the core of a cybersecurity strategy
Cybersecurity posture cannot be represented by lengthy reports anymore. It needs to become objective and help decision-makers across the organization truly understand the risk posture and the financial value of the risk that the organization faces. It also needs to be free from IT jargon to enable the boardroom to have a clearer view of the risk posture, thereby facilitating data-driven and informed decisions. Executives can get overwhelmed with excruciating details from multiple tools or people. They can now rely on all the data that has been collected and converted from these sources into a simple yet comprehensive risk metric that they can use to track and build their trust on.

Benefits of Cyber Risk Quantification
With quantified cybersecurity risk management practices, organizations have:

  1. A unified cybersecurity strategy: Cybersecurity that is presently siloed will have a single-pane-of-glass view for security leaders to make quicker, data-driven decisions.
  2. An objective metric of communication: The potential financial impact of a cyber attack converts its risks to a direct business threat. It becomes a simple and effective means to communicate risks to all internal and external stakeholders.
  3. Real-time visibility: Dynamic visibility of what is going well and what needs improvement is enabled by a real-time cohesive output – breach-likelihood across people, process, technology, and third-party.

Cyber Security

Top 10 Bad Cybersecurity Habits to Shed in 2022

Written by Phil Muncaster, guest writer at ESET

The new year is a new opportunity to rewire your digital life. An increasingly important part of this is cybersecurity. In fact, 2021 is already shaping up to have been one of the most prolific years yet for cybercriminals. Almost 19 billion records were exposed in the first half of the year alone. Better security should mean you’re more insulated from the risk of identity fraud and financial loss. The cost of these scams reached a record $56bn in 2020, with most of this coming online. Although the organizations you interact with have a duty, and often a legal responsibility, to keep your data protected, it’s important to do your bit.

If you’re still feeling reluctant to find new ways to protect your digital world, consider this: a third of US identity crime victims have claimed they didn’t have enough money to buy food or pay for utilities last year as a result of fraud, according to the U.S. Identity Theft Resource Center.

Be alert, be proactive and break these 10 bad habits to improve your cyber-hygiene in 2022:

Using outdated software
Vulnerabilities in operating systems, browsers, and other software on your PCs and devices are one of the top ways cyber-criminals can attack. The problem is that more of these bugs were discovered in 2020 than any year previously: over 18,100. That amounts to more than 50 new software vulnerabilities per day. The good news is that by switching on automatic update functionality and clicking through to update when prompted, this task needn’t intrude too much on day-to-day life.

Poor password hygiene
Passwords represent the keys to our digital front door. Unfortunately, as we have so many to remember these days – around 100 on average – we tend to use them insecurely. Using the same password for multiple accounts and easy-to-guess credentials gives hackers a massive advantage. They have software to crack weak encryption, try commonly-used variants and attempt to use breached passwords across other accounts (known as credential stuffing). Instead, use a password manager to remember and recall strong, unique passwords or passphrases. And switch on two-factor authentication (2FA) on any account that offers it.

Using public Wi-Fi
We’re all getting out-and-about more these days. And that brings with it a temptation to use public Wi-Fi. But there are risks. Hackers can use the same networks to eavesdrop on your internet usage, access your accounts and steal your identity. To stay safe, try to avoid these public hotspots altogether. If you must use them, don’t log in to any important accounts while connected.

Not thinking before clicking
Phishing is one of the most prolific cyber threats out there. It uses a technique known as social engineering, where the attacker tries to trick their victim into clicking on a malicious link or opening a malware-laden attachment. They take advantage of our hard-wired credulity and often try to force rapid decision-making by lending the message a sense of urgency. The number one rule to thwart these attacks is to think before you click. Double-check with the person or company sending the email to make sure it is legitimate. Take a breath. Don’t be pressured into taking over-hasty action.

Not using security on all devices
It goes without saying that in an era of prolific cyber-threats, you should have anti-malware protection from a reputable provider on all of your PCs and laptops. But how many of us extend the same security to our mobile and tablet devices? Research suggests we spend nearly 5,000 hours each year using these gadgets. And there are plenty of opportunities to come across malicious apps and websites in that time. Protect your device today.

Using non-secure websites
HTTPS sites use encryption to protect the traffic going from your web browser to the site in question. It has two purposes: to authenticate that website as genuine and not a phishing or fraudulent web property; and to ensure cybercriminals can’t eavesdrop on your communications to steal passwords and financial information. It’s not a 100% guarantee nothing bad will happen as even many phishing sites use HTTPS these days. But it’s a good start. Always look for the padlock symbol.

Sharing work and personal lives
Many of us have spent a large part of the past two years merging a once clearly defined line between our work and our personal lives. As the line has become more blurred, cyber risk has crept in. Consider the use of work emails and passwords to register on consumer shopping and other sites. What if those sites are breached? Now hackers may be able to hijack your corporate account. Using unprotected personal devices for work also adds extra risk. Keeping business and pleasure discrete is worth the extra effort.

Giving out details over the phone
Just as email and SMS-based phishing use social engineering techniques to trick users into clicking, so voice phishing, also called vishing, is an increasingly popular way to elicit personal and financial info from victims. The scammers often disguise their real number to add legitimacy to the attack. The best rule of thumb is not to hand out any sensitive info over the phone. Ask who they are and where they’re calling from and then ring the company directly to check – not using any phone numbers provided by the caller.

Not backing up
Ransomware is costing businesses hundreds of millions annually. So it’s sometimes easy to forget that there are still variants lying in wait for consumers. Imagine if you were suddenly locked out of your home PC. All the data on it, and potentially cloud storage, could be lost forever – including family photos and important work documents. Regular backups, according to the 3-2-1 best practice rule, provide peace of mind in case the worst happens.

Not protecting the smart home
Nearly a third of European houses are fitted out with smart gadgets like voice assistants, smart TVs, and security cameras. But by fitting them with connectivity and intelligence, these devices also become a more attractive target for criminals. They can be hijacked and turned into botnets to launch attacks on others, or used as a gateway to the rest of your devices and data. To keep them secure, change default passwords on start-up. Also, be sure to choose a vendor who has a track record of fixing known vulnerabilities in their products and research potential security flaws before purchasing a gadget.

Expert Speak

The Six Tech Trends Affecting the Security Sector in 2022

By Ettiene van der Watt, Regional Director – Middle East & Africa at Axis Communications

The beginning month of any year is characterised by many articles listing the technology trends that will shape industry sectors in the next one. But over the years, one can see a pattern develop, a roadmap that reveals the sentiments and technologies we should be prioritising.

In this case, the keyword is ‘trust’, which is an interesting one. The 2021 Edelman Trust Barometer shows that among online survey respondents in 28 countries, trust in the technology sector is declining globally, along with concerns about climate change, job losses, and cyberattacks. These worries are all valid for the global security and surveillance sector.

In the pursuit of realising a smarter, safer, and more sustainable world built on the back of a trustworthy and reliable ecosystem of innovation, these are the technologies and insights that will continue to transform security in 2022 and beyond.

A post-pandemic world
The impact of the COVID-19 pandemic continues to be felt in multiple ways. We see its physical manifestation in the challenges to supply chains, with global manufacturing brought to a near standstill and companies having to re-evaluate where and how they source key components and equipment for their respective products and services. We also see it in deployed technology – how intelligent solutions in video and monitoring are used to enforce social distancing and implement public health strategies.

A global shortage of semiconductors has also seen companies explore in-house manufacturing and the potential of systems on a chip (SoC) for relevant sectors. While this may be a very specific trend, combined with the substantial shifts caused by the pandemic, more businesses will consider SoCs for their security solutions going forward.

Embracing a sustainable future
Sustainability is no longer just a trend, nor should it be deemed as such. With a global focus and push towards environmentally friendly principles and practices, exemplified by initiatives such as the UN Sustainable Development Goals towards industry, human settlements, and consumption and production, a business must exhibit sustainability in its offerings and examine new possibilities through a sustainable lens.

Companies must pay closer attention to their processes from end to end. They need to scrutinise their products and services in terms of sustainability factors, such as power efficiency, building materials, and ethical deployments. These discussions are already taking place at events like Expo 2020, where the conversations have taken on a more forward-thinking position, and real progress is being made for long-term impact. More conversations like this need to be had, and it’s up to companies to facilitate them.

Healthy scepticism equals effective cybersecurity
We don’t always think of scepticism as a positive trait, but in relation to cybersecurity it can be a prudent one. In a highly connected world with an increasing number of interconnected systems, comprehensive security strategies must ensure that if one area is compromised, the rest of the system won’t collapse.

A trend that’s emerged from taking a sceptical eye towards technology is zero trust networks. Built on the fundamental assumption that no device or entity connected to a network can be trusted, the deployment of these architectural setups is likely to accelerate and become the default approach. In turn, this will dramatically impact video surveillance in the form of encryption, identification, and hardware and software maintenance. COVID-19 has also played a role in forming this approach, as remote working solutions call for more connected devices in a wider context.

This high-impact technology conference at Expo 2020 further unpacks cybersecurity as the cornerstone of trust.

5G is connecting the world
What is commonly used as a buzzword for the next era of internet connectivity is starting to see real-world applications. With 5G networks projected to cover one-third of the world’s population by 2025, this technology is starting to make its way into the security and network video surveillance sectors, hinting at it being more than just a trend.

A specific 5G-related trend that is likely to grow in leaps and bounds is the deployment of private 5G networks – wireless networks that use 5G-enabled technology and dedicated bandwidth to serve as a closed solution for a company. They are faster than public networks, more reliable, and offer an ideal situation for specific industries. These networks also present security benefits that, when applied to the sector, could potentially streamline and improve solutions of varying size. This specific manifestation of technology is one to watch out for.

Artificial intelligence, formalised
No trends piece for the next decade would be complete without mentioning artificial intelligence (AI). In the case of security and surveillance, this ranges from image quality and analytics to camera configuration and performance. By taking a simple process and applying AI to it, you optimise that process to its full potential.

With more widespread use comes the need for regulation, specifically for the applications of AI. The solution is legislation on multiple levels of governance, ensuring AI is being used ethically and without bias. With a common agreement on local, regional, and international levels, we will be able to lay the foundation for the next industrial revolution and the growth of other technological trends, most notably smart cities.

Increased authentication measures
With the question of trust and increased scrutiny in cybersecurity, authenticity is becoming the next big hurdle in the age of data manipulation. This is valid for both hardware networks and video surveillance itself. How can you trust surveillance when you assign no value to its authenticity?

Deepfake technology is a growing threat. With improved methods of manipulating and altering images and videos, the authenticity of captured real-world events and people is compromised. This is not a problem exclusive to the security sector, but it is one that requires comprehensive solutions to overcome, such as applying digital signatures and verifying the source of data to specific hardware. The application of AI also shows promise in being able to detect when manipulation has occurred. Regardless, this is a challenge that multiple sectors have to contend with and work harder to combat.

All these trends factor into the need for businesses and other entities to rethink their security solutions for 2022 and beyond. With a focused and driven approach and by embracing the technology of the future, today’s challenges can be met head-on.


Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.