Data breaches and what it means for a Middle East Board of Directors

December 6th, 2017 by Stephen Jones Leave a reply »

The new wave of cyber-attacks does appear to be unstoppable. With the increase in data breaches across the world, the UAE holds the world’s highest increase in breaches. Data breaches in the region have risen by 20% from $4.12m in 2016 to $4.94m in 2017, according to a report by Ponemon Institute.

The Middle East also has the highest spend on data breach response, roughly costing $1.43m per organisation.
Early this year, approximately 15 government agencies and private institutions in the Kingdom of Saudi Arabia were attacked by the Shamoon virus. This was followed by a tidal wave of Wannacry and Petya ransomware attacks.

An IDC research states that organisations are expected to spend $101.6 billion by 2020 on security-related hardware, software, and services. Additionally, Gartner states that by 2018, 10% of all enterprise organisations will have adopted deception technologies into their security solutions. A board of directors must engage in a continuing balancing act between the cost of information security and potential risks.

Although information security is essential to corporate compliance with existing laws and regulations, directors are often required to focus less on ensuring “best security” in favour of “good enough” security. The lack of a clear definition of “best security” is largely responsible for this thinking.

What was previously viewed as good enough, will not keep up with the advanced or insider threats of today.

• Important messages that CISOs should communicate to their boards about the importance of focusing on information security:

Information security is now required, and disclosure is no longer solely at a company’s discretion. Between existing laws, insurance mandates, industry regulations, and shareholder demands, robust information security is now a corporate requirement.

• Information security is a significant corporate risk. It is nearly impossible to conduct any facet of a business today without a computer. As a result, the information that resides in an enterprise’s networks is the lifeblood of the business and if not protected, could result in financial damages and negative impact on the company’s brand. This makes information security a critical business issue. Any security strategy that does not include an adaptive security plan with in-network detection to detect attacks that have bypassed prevention solutions will result in a network breach sooner or later, if it hasn’t occurred already.

Some obvious things to consider:
- Policies, procedures, and awareness – Protection via data classification, password strengths, code reviews and usage policies
- Perimeter – Protection via firewalls, denial of service prevention, and message parsing and validation
- Internal network – Protection via transport layer security, such as encryption, and user identification and authentication
- Host/OS – Protection through OS patches and desktop malware
- Application – Protection through protocols such as single sign on (SSO) and identity propagation
- Data – Protection through database security (online storage and back up), content security, information rights management, message level security.

Do your systems still cater for the digital world of a mobile workforce with smart phones, BYOD social media, low cost, high capacity flash drives, and any time, anywhere connections?.

Advertisement

Comments are closed.