Insights – Cybersecurity: How vulnerable are you?

The rapid digitalization in the United Arab Emirates and Saudi Arabia has triggered an increase in connected devices and opened new gateways for cyberattacks. The cybersecurity market in the Middle East and Africa was valued at US$1,103 million in 2020 and is expected to reach approximately US$2,893 million by 2026. As the digital realm becomes the norm, we bring you a panel of experts who look at cybersecurity from different perspectives, covering the risks and how to be proactive in preventing a data breach. Moderated by Thomas Paoletti, Owner & CEO, Paoletti Law Group.

Key Takeaways

✔ Corporations are moving functions and systems from on-premises to the cloud, which makes them more vulnerable.
✔ The reported ranking of intrusion methods and cybercrimes is: #1 ransomware, #2 hacking, #3 business email compromise.
✔ Over 50% of attacks take place through stolen credentials, and cyberespionage is extremely prevalent at both state and corporate level.
✔ The human behaviour aspect is not given enough focus in making a company more secure. Leadership needs to make employees feel safe to report a mistaken click so that the problem does not spread.
✔ No organisation can be 100% secure. Even with the highest level of security, you cannot rely solely on your IT department for protection. Cybersecurity needs to be part of the business risk budget.
✔ The goal is to make sure that any cybercrime incident stays localized, and you have adequate defence response mechanisms in place.
✔ When attacked, having a back-up system does not eliminate the threat completely. Unless a thorough investigation has been conducted to understand how the attack took place, and you verify that the back-up system is clean, you could face a bigger problem later: malware already embedded in the organisation can re-trigger and multiply across the system.
✔ Cybersecurity measures are weak in SMEs, which is a real problem for the GCC region, with threat gaps that affect the entire supply chain.
✔ With ease of doing business improving and entrepreneurial activity on the rise, the UAE is very exposed. According to one report there are 630,000 websites here, but over 60% are hosted outside the region, exposing the country to the world.
✔ Security needs to move from a technology focus to a service focus, with more managed service providers (MSPs) in this space.
✔ More compliance measures are needed for certain minimum cybersecurity standards to be in place for all organizations.

Thomas Paoletti: What is cybersecurity today?

Giuliano Tomiazzo: In this age of digital transformation, we live in a hybrid world. There is no difference between the private and the professional. Before, cybersecurity was a technological problem, but now it is social, with the human at the centre and technology just the tools. We must find ways to minimize human errors.

Thomas Paoletti: What is the trend in the Gulf region in terms of attacks?

Duncan Fairley: From a bank perspective, fraudsters are always trying to scan our perimeter and firewalls to find vulnerabilities, but the focus of direct attacks and threats tends to be on customers, who are more vulnerable in how they protect their data and passwords, etc. Now that banks are online and you can open accounts through a mobile app, the chances of cybercrime increase. People’s email accounts are compromised, or their suppliers are compromised via payment instructions, and the customer is left liable. Companies need to improve their onboarding process for new suppliers by validating the IBAN accounts, doing their own KYC, etc. If you go to existing suppliers and they suddenly change their bank account details, that should be a red flag. If a customer is negligent and gives their bank account details away to a fraudulent scheme, they end up having a liability. We have seen a lot of that in the last few years because, culturally, people here are more trusting than in many other countries. Another issue in the digital transformation is moving away from on-premises to the Cloud, which again increases your vulnerabilities.

Thomas Paoletti: I remember a client who had received a phone call from somebody pretending to be from Etisalat, telling him he had won a prize for which he had to go to the ATM machine. He inserted his debit card and followed the instructions, which resulted in a change of the mobile phone used to recover the password. The fraudster now had access to this person’s bank account and withdrew AED 10,000, then even managed to get a loan on the credit card for another, larger sum and was able to withdraw that amount as well! When he realised his mistake, he went to the branch, but they refused to freeze his account at that time. The court then decided that the bank also had some level of responsibility, so he ended up losing only the first transaction of 10K from his account, with the bank being liable for the rest.

Thomas Paoletti: There are human behavioural aspects that need to be considered for cybersecurity measures to work. Are there any preventative mechanisms to counteract the wrong email attachments being opened, for example?

Ramamurthy Venkatesh: Companies need to look at people’s behaviours and not expect the IT department to take care of all the security issues through technology alone. Control needs to be understood from various angles. The SME ecosystem is even more at risk because they normally do not have the budgets or the correct know-how. It is important that there is a compliance mechanism from the government for cybersecurity.

Zainab Khatib: When we talk about the human factor, leadership needs to be aware that many employees can be embarrassed to come forward and confess that they have made a mistake in opening a potentially fraudulent email attachment. From a cybersecurity insurance perspective, when looking at claims or past incidents, we have seen that staff clicked on a phishing link and did not report it for fear of repercussions. And then the problem is so much larger than if they had come forward and reported it immediately, when it could have been better managed and stopped from spreading. If the culture in your organisation is not conducive to this human factor, then no amount of training and technology will stop the attack.

Jarrett Kolthoff: We have thousands of incident response cases on a yearly basis with different companies. Intrusions often come from users clicking on a link inadvertently, and hopefully organizations take some corrective action after a couple of mistakes. There may be several types of intrusions, such as fraudulent business emails, ransomware attacks, or other types of nefarious activity; however, it is not that hard to defend against these attacks. It is basic blocking and tackling by deploying technology. But it is also understanding how to leverage discussions around the human factor, continuously monitoring, and watching anomalies. Too often organizations will deploy technology, but they are not vigilant enough. You cannot be 100% impenetrable. That is impossible. The goal is to make sure that the incident stays an incident on the one host: you see the alert or anomaly, which could even get to the point where there is a breach or a compromise, but you keep it to that incident and react quickly.

Lester Pinto: Often the impetus is on the user. We have had instances where, even with all the security in place, the user triggers a breach. For example, one company was paying a high subscription license of US$80 per user for security, but they were relying completely on the IT department, believing that no spurious links could get through attachments. There was a targeted attack with a link sent. The attacker created a legitimate-looking website which a company employee clicked on, which then prompted a request for his credentials. The employee thought this must be legitimate, or it would not have come through the tech firewalls. Additionally, this user had chosen not to enable multifactor authentication, and so after he gave his credentials, within seconds somebody logged in from another location with the credentials and sent an email to everyone else in the company. Furthermore, the fraudster even created a rule in his Outlook email that ‘any email with a dot would be forwarded to his RSA feed.’ It took a while for even the IT department to realise that this was criminal activity.

Thomas Paoletti: What are typical measures that can be put in place to reduce risk?

Lester Pinto: One important change that has exacerbated the security issues is remote working. The work computer at the office and the laptop you use at home should have the same optimum security in place, and no admin rights should be given to anyone outside the IT department. Furthermore, make sure that all your email accounts are protected by multifactor authentication.

Jarrett Kolthoff: Turning on multi-factor authentication is one of the most critical things, along with having a password store type of tool so that it forces you to have new passwords for each account. The type of attacks that we are seeing today are more elevated attacks. They are turning off the security tool sets on the hosts and then spreading laterally, especially if it is a more targeted attack. It is an automated process once it gets the initial hook into an organization. Ongoing monitoring is critical because there could be a scenario where you may not get an alert from a security tool, but you notice improper use of credentials. Organizations often decide it is better not to invest in cybersecurity measures and instead pass that risk off to cyber insurance.

Thomas Paoletti: What does cyber insurance cover?

Zainab Khatib: An insurance policy could cover the monetary loss that stems from a ransomware incident, which is split into two aspects. It could be the actual ransom payment itself and then it could be all the other costs associated with this, including trying to manage the incident and terminate it. From an insurance perspective, context is important. About 10-15 years ago, ransomware coverage used to be added on as a freebie to cyber insurance policies. The main piece of that policy was data protection and liability. However, in the last five years, we have seen an unprecedented amount of losses from ransomware. The insurance market has had to study the claims, so now we are seeing that when you want to go through the insurance process, you must meet minimum requirements, such as multifactor authentication and other technical measures.

But not all policies are the same. Some insurers will cover you across the board for the full ransomware loss, but the insurer will never decide whether you pay the ransom or not on your behalf. The policy gives you access to legal specialists who can help you in determining what is viable for your company. You would also pick up all the associated costs, such as forensics, people on the ground trying to mitigate the incident, and those that will help you to get your systems back up and running. We do see clients choosing not to pay the ransom and as a result, they take the hit of having their network disrupted. This would cause an operational disruption and loss in revenue. The cyber policy will pick up all this cost as well. There are insurers who will cover the costs of terminating and mitigating the incident but will not cover the actual ransom payment or others will supplement the ransom payment.

We have seen insurers selling a US$10 million cyber insurance policy that would give you full cover for everything except ransomware, which would be limited to 50% of your policy. The reason behind this is to get the client to cover part of the cover so they will ensure that the organization is enacting the required minimal controls. If your company or country has a stance not to pay ransoms, then the insurance policy will not cover that piece, and you need to look for one that is tailored to your actual risk management strategy and risk appetite internally.

Thomas Paoletti: What are the trends of cyberattacks in this region?

Zainab Khatib: We are seeing that the main attack trend is ransomware, second a form of hacking, closely followed by business email compromise. More than 40% of all cyber insurance claims are a result of ransomware, and we support clients through the further business fallout from this attack.

Thomas Paoletti: If a company decides not to pay a ransom because it is against their policy or the nation’s law does not allow this, is having a backup sufficient to restore order so that the business is not disrupted?

Jarrett Kolthoff: Hackers and terrorists keep rebranding themselves or renaming their groups. Identifying the threat actors is critical to determine whether the insurance carrier is going to be able to make that payment or make the claim and pay the ransom. A dual approach is needed: respond to the intrusion and deal with the ransom issue. And if you do not pay the ransom, you may not be able to recover your data. Regarding your backup, it is possible that the initial malware infection has been embedded inside your organization, so it will be in your backup system as well. Forensics is required to make sure that even your backup is scoured and analysed before you try to recover data. Simply having backups is not enough. Once you are attacked, you need to make sure that your backups are clean as well. If you do not pay the ransom, they can come back because the threat is still embedded inside the organization and can be more destructive the next time around.

Thomas Paoletti: What kind of stress tests are conducted?

Duncan Fairley: In the bank, we send out phishing emails regularly to everyone, from C-suite down to the teller, trying to trick the staff into clicking on the link, and then follow up with the help of a reporting tool. If they repeatedly click on these links, we remove their Internet access and external email access, and force them to go through the annual training again before they can get access. Sometimes even genuine emails are not opened, on suspicion that they might be a phishing attack, which is good because at least staff are aware and questioning it. One of the biggest risks is staff clicking on those links and giving their credentials away.

Ramamurthy Venkatesh: Most organizations put cybersecurity as part of the IT budget, rather than business risk, which needs to change. The other issue is compliance. Legislation is needed so that every company has minimum standards in place.

Giuliano Tomiazzo: We evaluate the response planning of our company through team activity practices and simulated attacks. We attack the infrastructure and the human side, and we attack physically, by entering the offices. There was a vulnerability in the system. On the social media side, we used phishing and social engineering. We found we could steal user credentials and enter the system and IT infrastructure without even sending an email or calling anyone. A recent Verizon report said that 50% of attacks are through stolen credentials.

Thomas Paoletti: Why is cyber security becoming so important for SMEs in the country?

Ramamurthy Venkatesh: SMEs are a huge and integral part of the economy. I cannot do business without SMEs in my supply chain. The Global Entrepreneurship Monitor has listed controls that every country is putting in place for SMEs. With ease of doing business improving and entrepreneurial activity on the rise, the UAE is very exposed. According to one report there are 630,000 websites here, but over 60% are hosted outside the region, exposing the country to the world. The need is to move from technology-focused security to service-focused security, with more managed service providers (MSPs) in this space. More compliance measures are needed for certain minimum cybersecurity standards to be in place for all organizations.

Thomas Paoletti: Is the Virtual Private Network (VPN) a secure tunnel or is Zero Trust Network (ZTN) going to replace the approach of defending the devices of end users?

Jarrett Kolthoff: Remote work has increased the need to utilize technologies such as a VPN for a secure tunnel, or an encrypted tunnel or communication between your system, your laptop, and your corporate environment. The bigger question is for what purpose, and how are you operationalizing remote access? Do you have applications on your laptop, Word documents, access to a database from your laptop inside the corporation or a cloud? We are seeing a push towards containing, or leveraging virtual systems that leverage a VPN. Every time you open a session or terminal, it is a new resource, and it spins up a new operating system and new memory. Most corporations are moving away from heavy, fat applications on laptops and using the old traditional VPNs from Cisco, Juniper or Check Point.

Audience 1: If a company’s website has been compromised and the customer/user credentials stolen, who is responsible – the company or the consumer?

Thomas Paoletti: Storing personal information must be the end user’s responsibility, especially when it comes to the user password. If the end user is an employee, then the responsibility will be on the company.

Duncan Fairley: Typically, fraudsters get credit card information from websites, and we tell companies not to store card information. The payment card industry standards and their security systems have put certain rules in place for customers who are using their cards to purchase your products. The reputational risk for companies is extremely high if they are damaged by this, and cyber insurance will not cover it.

Giuliano Tomiazzo: How helpful are antivirus systems?

Jarrett Kolthoff: Many intrusions that are occurring today are not going to be seen by your antivirus system. Ransomware can turn your system off instantaneously. You need to have the antivirus system but be aware that you cannot be solely dependent upon this.

Thomas Paoletti: What about corporate espionage?

Jarrett Kolthoff: This is on the rise. We have had several cases where the malware was deployed inside of a corporation and was exfiltrating data, across an entire network. In the old days of corporate espionage, it used to be a death by one thousand cuts, and you never knew that it was occurring. This has changed to the point where it is extremely blatant and out in the open. Corporations are getting more aware that it is occurring and are responding to it. Even a salesperson can steal a tremendous amount of data, downloading terabytes of information from SharePoint on a hard drive or a cloud resource just prior to resignation.

The introduction of cyber insurance has changed the depth of investigation to go after the culprits. They want to know what happened and how it occurred, but the threat actors are also getting better. They are making fewer mistakes and leveraging various terrorist networks, with the ability to hide the source IP address. Having said that, many hackers are also getting lazy and arrogant, forgetting to turn on the ‘hiding’ technology, and we are able to find them.

Thomas Paoletti: What would be the percentage of the annual budget that a company should allocate for cybersecurity?

Zainab Khatib: You can keep on investing and eventually you will just have layers of controls that may not be effective. The cybersecurity budget gets questioned a lot. The insurance market is helping push SMEs to improve their security posture. There are basic controls that everyone can put in place, and we continue to advise clients on how the market is evolving so that they are protected to the best extent available.

Thomas Paoletti: What happens when ransom needs to be paid – does the insurer have a say or do they just retreat?

Zainab Khatib: At the end of the day, the insurer is looking to minimize loss to you as a company because as a result, they would be the ones paying that claim that comes forward. Every incident with a ransomware case is unique. When we talk to our insurer partners, it is a complex process, including the legal and forensics side. They will weigh the costs of operational fallout versus paying that ransom. Or they might feel that the controls are effective to carry out the decryption versus paying for it. In the market, there is a blend of paying the ransom itself, if it makes sense, or working with an organization to try and mitigate and terminate the event without paying.

Thomas Paoletti: One of the promises of blockchain is that it would make society more secure with transactions more transparent. Is this true or a myth?

Giuliano Tomiazzo: Every technology is vulnerable. We need to wait ten years to see if blockchain, artificial intelligence, machine learning, can do all we think it will. It is too early.

Ramamurthy Venkatesh: When transactions move to the blockchain, it promises more security than there is today, but there is no guarantee.

Lester Pinto: Technology still needs to mature, and we will have to wait for a few years before we can rely on this.

Thomas Paoletti: Is it possible for cybersecurity tech experts to build more defensive measures into modern technologies?

Giuliano Tomiazzo: We need to onboard different skilled personnel such as anthropologists, psychologists, and those who better understand human behaviour and biases. To be better at defensive measures in cybersecurity, we need to embrace more people that are traditionally outside of this sector, or we will always be more reactive than ready.

Jarrett Kolthoff: It is an ongoing battle. It keeps changing. There will never be a ‘security nirvana.’ Coders and developers are embedding security inside the tech development process, but it will never get to a point where security is guaranteed. More big corporations are now investing in protection measures rather than reactionary efforts when security is breached. The technology is improving, with cybersecurity being embedded inside applications and corporations in the US, and with more focus on getting cyber experts onto the boards of large public companies.

This is due to the increasing costs of litigation and insurance, and laws are enacted pushing for additional regulatory parameters. But it continues to be a cat and mouse game with threat actors.

Thomas Paoletti: Can you comment on data security breach occurring in hospitals?

Jarrett Kolthoff: Hospitals used to be attacked with the aim of stealing and selling private medical data on the darknet. But traditional supply and demand has pushed down the price point of people’s classified information. The small profit margin in selling confidential data on the darknet makes it not worth it anymore. They are now attacking the hospitals for critical information and the devices that are saving lives. They are after huge ransoms from hospitals, which will pay to retrieve access to apprehended and encrypted medical devices to save lives. Hospitals are easy targets because historically they have not invested in cybersecurity.