By Niraj Mathur, Managing Director – Security & Privacy, Protiviti Member Firm for the Middle East Region
The post-Covid “new normal” world is driving organizations towards adopting cloud computing as a critical pillar of their digital transformation strategies. In fact, Digital Transformation (DX) efforts have been accelerated as more businesses aim to offer flexibility and ease of use to their customers. However, at times, if security is not thought through, this leads to new risks and to certain other risks being reprioritized. With remote working being the norm, employees are increasingly working with a mixture of office-owned and personal devices, and this is adding a further layer of security concerns.
Some of the key risks facing companies in the Middle East are:
- Application security risks – The core outcomes of many DX projects are end-user or internal employee management applications. These applications are a direct window to enterprise core resources and must be protected from the ground up, i.e., at the source code level, to ensure they are secured and comply with international and local guidelines.
- Cloud Data and Identity Security – Cloud computing adoption has massively increased in the GCC region as an unintended outcome of the pandemic. As many organizations move towards the flexible and scalable cloud environment, ensuring that data remains secure throughout its lifecycle is a critical risk that organizations must address. Coupled with the data security issues, organizations have also suffered from inadequate controls around identity and access for a long time. Ensuring that “least privilege” concepts are implemented is top of mind for many organizations.
- Risks to the distributed workforce – As people continue to work from home, more adversaries are trying to attack the home networks of employees or are sending out mass phishing emails.
Cybersecurity concerns differ across industries
Various industry sectors face their own particular cyber security concerns. For example, the healthcare sector had to completely transform the way it connects with patients during the pandemic, as non-Covid patients needed to connect with their doctors. This required healthcare organizations to invest in digital connect platforms and the creation of applications that could help schedule appointments, maintain digital records of patients, etc. The core concern that the healthcare sector works towards today is ensuring the privacy and data security of patients’ records, as compromise of this sensitive data can lead to severe non-compliances and reputational issues.
In 2020 the retail sector witnessed a surge of e-commerce platforms being introduced in the GCC region, from major retail brands to corner grocery stores. Though these platforms often rely on a payment gateway to process payments, retail organizations are chiefly concerned with ensuring their applications are securely designed, developed, and rolled out, as application compromises can have a direct financial impact.
The banking sector has predominantly depended upon face-to-face interactions in branches and employees working on controlled workstations to comply with regulatory and international guidelines. With the advent of Covid, the banking industry had to reform certain business functions and workflows to continue supporting employees and customers by introducing digital services. Banking continues to focus on ensuring the security of its applications and addressing security risks to its distributed workforce.
The Energy and Utilities sector has been targeted by hackers for a long time; the convergence of OT and IT, and the security issues that emanate from it, need to be addressed. Organizations are aligning to innovative new technologies that are helping them in detecting, preventing, and responding to OT cyber-attacks.
Common vulnerabilities and exploits used by attackers
- Sentiment – It is often observed, and more so in these pandemic times, that many adversaries have created unique ways of exploiting the sentiment of people. One recent example is a worldwide Covid case-tracking application that was malware. Many such examples have been observed during the pandemic, and these will continue to change and evolve.
- Lack of patching – OEMs across the world go through a detailed process of ensuring that they identify and issue patches for vulnerabilities identified in their systems and applications through internal assessments or those submitted through their bug bounty programs. Yet many organizations delay the patching process within their environment, causing an increase in the number of vulnerabilities that are just waiting to be exploited.
- Security as an afterthought – Unfortunately, in many organizations, security is not yet a business function and is often involved at a much later stage. If the approach is reversed, organizations will have the chance of addressing security at much earlier stages of architecture or development.
Should you subscribe to cyber insurance?
With the considerable increase in the number of targeted attacks in the region, such as ransomware attacks that lead to direct financial impact to the organization, cyber insurance is a viable means of mitigating the financial risk for the affected organizations. The biggest advantage of cyber insurance, apart from transferring some of the financial risks to a third party, is the motivation and the requirement to baseline the security controls that must be maintained in the organization.
Implementing cybersecurity measures to make remote working less risky
Just as DX has forced innovation in organizations, remote working has evolved into a distributed workforce where 2FA (two-factor authentication) and a VPN will not suffice. Though they are a tremendous starting point to support the distributed workforce, they cannot help protect the vast threat landscape of an organization today. In one of our webinar polls conducted during April 2020, over 80% of the respondents faced a substantial increase in attacks during Covid. Some of the issues that organizations are facing today are:
- Ensuring consistent device security – As many employees continue to use their personal devices to carry out their daily work, ensuring that a vast array of devices maintains the same baseline of configuration and security is a challenge that organizations are trying to address. This also extends to securing the home networks that employees are using to connect.
- An explosion of phishing and ransomware emails – Since targeted attacks have increased, organizations are facing a challenge in maintaining the traditional level of email security to filter out malicious emails.
- Achieving the fine balance of security and productivity – A ‘block everything’ approach is not possible to achieve with a distributed workforce and can often hamper the productivity of business functions. CISOs today are trying to address this challenge and find a balance, so business functions can be just as productive while maintaining baseline security.