Sony Pictures Entertainment headquarters in Culver City, California. Some cybersecurity experts say they’ve found striking similarities between the code used in the hack of Sony Pictures Entertainment and attacks blamed on North Korea which targeted South Korean companies last year. Nick Ut / AP Photo

The cyber security threat from within



Today in the UAE, cybersecurity is still seen from the perspective of an external threat. Emphasis on the internal attacker is neglected, yet research shows that the risk from such internal attacks has been an increasing worry across the world.

A recent case in point is that of the whistle-blower Edward Snowden, who leaked highly sensitive and classified information from the National Security Agency to the media in 2013.

Cybersecurity needs to be tackled from both the external and internal perspective. This is a business issue, and business leaders must own it. However, cyber crime is a new phenomenon and most business leaders have not grown up with it.

To stay ahead of the increasing sophistication and pace of cyber attacks, awareness among employees is a must, as is the integration of cybersecurity into overall risk management and continued education for all board members.

Dealing with cyber threats is a complex matter. As the information security landscape evolves, a shift of focus from protection and compliance is critical.

Relying solely on defence will not stop a determined adversary from getting through to confidential information. Public and private organisations must be informed of what risks they face so that at any time they can assess the nature, timing and the occurrence of an attack. The insight that the attack provides is at the heart of the next generation of information security.

In many large, complex global organisations, moving from a reactive to proactive operating mode requires transformative change.

Technological vulnerabilities are only part of the problem. It requires organisations to address core people processes, culture and behaviours. It also requires firms to overcome significant trust barriers and collaborate with competitors and law enforcement agencies to effectively target the threats.

Many organisations act only when a serious breach occurs. Taking a proactive security stance can slow the attacker’s progress and identify their actions early.

The adaptive approach can prevent downtime and avoid expensive, disruptive responses to incidents. Thinking through the threat landscape can help organisations to understand how their business might be targeted and how to configure defences.

The recent Sony cyber attack is an example of how organisations need to be more vigilant about data breaches. Historically, some organisations perceived to be foolproof have found themselves victims of cyber attacks.

Citibank was hacked in 1995 by Vladimir Levin who transferred $3.7 million illegally. In 1999 $1.7m worth of information was stolen by a 16-year-old hacker at Nasa, and RSA Security spent at least $66m on remediation after its network was breached in 2011.

In the UAE, the Government has taken the cybersecurity challenge seriously and has drafted standards and frameworks for organisations. The challenge lies in implementing these standards to enhance the cybersecurity of the state, and implementation should not be seen as a tick-the-box compliance exercise.

Organisations have yet to adopt a collaborative approach to cybersecurity, whereby information about near-misses is shared within a community to enhance defences.

The digital environment presents many opportunities for businesses that want to find new markets. The last 10 years have seen a rapid emergence of new technology and greater connectivity for organisations and individuals.

However, this has left many firms behind the curve and struggling to achieve their aspirations without feeling exposed to cybersecurity risk.

Every day we hear of new vulnerabilities, attacks and incidents. A recent report by the Washington-based think tank The Centre for Strategic and International Studies quoted annual losses of US$375 to $575 billion, and suggested that cyber crime, through fraud and espionage, might extract up to 20 per cent of the global economic value created by the internet.

The Middle East is not immune. In 2012, Shamoon malware affected about 30,000 workstations at Saudi Aramco. In 2013, about $45m was stolen due to a credit card heist from banks in the UAE and Oman.

Understanding the external threats from hacktivists, organised criminals, industrial spies and, increasingly, nation states is important.

However, it is easy to ignore the insider risks posed by careless, disgruntled or malicious employees. Attackers are frequently gaining access to employees’ accounts through phishing emails and other socially engineered attacks.

The UK government is regularly implementing initiatives to boost awareness of cyber threats.

More regional and international boards need to challenge their teams to gain answers to the right questions before they themselves are challenged by stakeholders about their capability. Being able to identify, prioritise and protect the information life cycle helps you to move securely.

Ian Gomes is the head of advisory at KPMG Lower Gulf


Mercer, the investment consulting arm of US services company Marsh & McLennan, expects its wealth division to at least double its assets under management (AUM) in the Middle East as wealth in the region continues to grow despite economic headwinds, a company official said.

Mercer Wealth, which globally has $160 billion in AUM, plans to boost its AUM in the region to $2-$3bn in the next 2-3 years from the present $1bn, said Yasir AbuShaban, a Dubai-based principal with Mercer Wealth.

“Within the next two to three years, we are looking at reaching $2 to $3 billion as a conservative estimate and we do see an opportunity to do so,” said Mr AbuShaban.

Mercer does not directly make investments, but allocates client money over which it has discretion to professional asset managers. It also provides advice to clients.

“We have buying power. We can negotiate on their (client’s) behalf with asset managers to provide them lower fees than they otherwise would have to get on their own,” he added.

Mercer Wealth’s clients include sovereign wealth funds, family offices, and insurance companies among others.

From its office in Dubai, Mercer also looks after Africa, India and Turkey, where they also see opportunity for growth.

Wealth creation in Middle East and Africa (MEA) grew 8.5 per cent to $8.1 trillion last year from $7.5tn in 2015, higher than last year’s global average of 6 per cent and the second-highest growth in a region after Asia-Pacific which grew 9.9 per cent, according to consultancy Boston Consulting Group (BCG). In the region, where wealth grew just 1.9 per cent in 2015 compared with 2014, a pickup in oil prices has helped in wealth generation.

BCG is forecasting MEA wealth will rise to $12tn by 2021, growing at an annual average of 8 per cent.

Drivers of wealth generation in the region will be split evenly between new wealth creation and growth of performance of existing assets, according to BCG.

Another general trend in the region is clients looking for a comprehensive approach to investing, according to Mr AbuShaban.

“Institutional investors or some of the families are seeing a slowdown in the available capital they have to invest and in that sense they are looking at optimizing the way they manage their portfolios and making sure they are not investing haphazardly and different parts of their investment are working together,” said Mr AbuShaban.

Some clients also have a higher appetite for risk, given the low interest-rate environment that does not provide enough yield for some institutional investors. These clients are keen to invest in illiquid assets, such as private equity and infrastructure.

“What we have seen is a desire for higher returns in what has been a low-return environment specifically in various fixed income or bonds,” he said.

“In this environment, we have seen a de facto increase in the risk that clients are taking in things like illiquid investments, private equity investments, infrastructure and private debt, those kind of investments where higher illiquidity results in incrementally higher returns.”

The Abu Dhabi Investment Authority, one of the largest sovereign wealth funds, said in its 2016 report that it has gradually increased its exposure in direct private equity and private credit transactions, mainly in Asian markets and especially in China and India. The authority’s private equity department focused on structured equities owing to “their defensive characteristics.”