By Niraj Mathur, Managing Director– Security & Privacy, Protiviti Member Firm for the Middle East Region
The post covid “new normal” world is driving organizations towards adopting cloud computing as a critical pillar of their digital transformation strategies. In fact, Digital Transformation (DX) efforts have been accelerated as more businesses aim to offer flexibility and ease of use to their customers. However, at times, if security is not thought through, it leads to new risks and certain other risks being reprioritized. With remote working being the norm, employees are increasingly working with a mixture of office-owned and personal devices and this is also adding to an additional layer of security concerns.
Some of the key risks facing companies in the Middle East are:
Various industry sectors face their own peculiar cyber security concerns. For example, the healthcare sector had to completely transform the way it connects with patients during the pandemic as non-covid patients needed to connect with their doctors. This required healthcare organizations to invest in digital connect platforms and the creation of applications that could help schedule appointments, maintain digital records of patients etc. The core concerns that healthcare sector today work towards is, ensuring privacy and data security of patients’ records as compromise of this sensitive data can lead to severe non-compliances and reputational issues.
In 2020 the retail sector witnessed a surge of many e-commerce platforms being introduced in the GCC region, from major retail brands to the corner grocery stores. Though these platforms often rely on a payment gateway to process the payments, retail organizations are majorly concerned about ensuring their applications are securely designed, developed, and rolled out as application compromises can have direct financial impact.
Banking sector has predominantly depended upon face-to-face interactions in branches and employees working on controlled workstations to comply with regulatory and international guidelines. With the advent of Covid, the banking industry had to reform certain business functions and workflows to continue supporting employees and customers by introducing digital services. Banking continues to focus on ensuring the security of their applications and addressing security risks on their distributed workforce.
The Energy and Utilities sector has been targeted by hackers for a long time, the convergence of OT and IT, and the security issues that emanate from the same need to be addressed. Organizations are aligning to innovative new technologies that are helping them in detecting, preventing, and responding to OT cyber-attacks.
Sentiment – It is often observed, and more so in these pandemic times that many adversaries have created unique ways of using the sentiment of people. One recent example is of worldwide covid cases tracking application, which was a malware. Many such examples have been observed during the pandemic and these will continue to change and evolve.
Lack of patching – OEMs across the world go through a detailed process of ensuring that they identify and issue patches to vulnerabilities identified in their systems and applications through internal assessments or those submitted through their bug bounty programs. Yet, many organizations delay the patching process within their environment, causing an increase in number of vulnerabilities that are just waiting to be exploited.
Security as an afterthought – Unfortunately, in many organizations, security is not yet a business function and often involved at a much later stage. Whereas, if the approach is reversed, organizations will have the chance of addressing security at much earlier stages of architecture or development.
With the considerable increase in the number of targeted attacks in the region such as ransomware attacks that leads to direct financial impact to the organization, cyber insurance is a viable means of mitigating the financial risk for the affected organizations. The biggest advantage of a cyber insurance, apart from transferring some of the financial risks to a third party, is motivation and the requirements of baselining security controls that must be maintained in the organization.
Just as DX has forced innovation in organizations, remote working has evolved into a distributed workforce where a 2FA (2 factor authentication) and a VPN will not suffice. Though they are a tremendous starting point to support the distributed workforce, they cannot help protecting the vast threat landscape of an organization today. In one of our webinar polls conducted during April 2020, over 80% of the respondents faced a substantial increase in attacks during Covid. Some of the issues that organizations are facing today are:
Ensuring consistent device security – As many employees continue to use their personal devices to carry out their daily work, ensuring that a vast array of devices maintain the same baseline of configuration and security is a challenge that organizations are trying to address. This also extends to securing the home networks that employees are using to connect.
An explosion of phishing and ransomware emails – Since targeted attacks have increased, organizations are facing a challenge in maintaining the traditional level of email security to filter out malicious emails.
Achieving the fine balance of security and productivity – A ‘block everything’ approach is not possible to achieve with a distributed workforce and can often hamper productivity of business functions. CISOs today are trying to address this challenge and find a balance, so business functions can be as productive while maintaining baseline security.
