ISSUE 37 | APRIL 2019
TRICKS OF THE TRADE Cybersecurity due diligence
HOW TO BUILD A SECURITY-AWARE CULTURE Thwarting data manipulation attacks
2CRSI CEO & FOUNDER ALAIN WILMOUTH
THE POWER OF ONE: MIDIS GROUP’S HUSNI HAMMOUD ON EXPANDING BUSINESS GROWTH AND ACCELERATING CYBERSECURITY INNOVATION
CONTENTS
FOUNDER, CPI MEDIA GROUP: Dominic De Sousa (1959-2015)
Publishing Director: Natasha Pendleton, +971 4 440 9139
EDITORIAL
Managing Editor: Michael Jabri-Pickett, +971 4 440 9158
Online Editor: Adelle Geronimo, +971 4 440 9135
Contributing Editors: James Dartnell, +971 4 440 9153; Janees Reghelini, +971 4 440 9167
DESIGN
Senior Designer: Analou Balbero, +971 4 440 9140
Designer: Mhar Delaben, +971 4 440 9156
ADVERTISING
Group Sales Director: Kausar Syed, +971 4 440 9130
Senior Sales Manager: Sabita Miranda, +971 4 440 9128
Business Development Manager: Youssef Hariz, +971 4 440 9111
PRODUCTION
Operations Manager: Shweta Santosh, +971 4 440 9107
DIGITAL SERVICES
Web Developer: Jefferson de Joya, Abbas Madh
Photographer: Charls Thomas, Maksym Poriechkin
THE POWER OF ONE
Midis Group’s Husni Hammoud on enabling cybersecurity innovation
Registered at Dubai Production City, DCCA PO Box 13700 Dubai, UAE Tel: +971 4 440 9100 Fax: +971 4 447 2409 Printed by Al Ghurair Printing and Publishing
MAKING THE GRADE
How can university CISOs keep cyber threats at bay?
TRICKS OF THE TRADE
Why a cybersecurity due diligence is vital in M&A deals
THE NEXT WAVE
THE NEW BATTLEGROUND
BUILDING A STRONG SECURITY CULTURE
How to spot and stop data manipulation attacks
HP ME’s Peter Oganesean on boosting endpoint security
© Copyright 2019 CPI All rights reserved While the publishers have made every effort to ensure the accuracy of all information in this magazine, they will not be held responsible for any errors therein.
Mimecast’s Jeff Ogden explains the employee’s important role in security
UP AND AWAY Why companies must defend themselves at every layer of their IT environment
FACEBOOK ADMITS TO LEAVING MILLIONS OF PASSWORDS UNENCRYPTED
Millions of Facebook users had their account passwords stored in plain text and searchable by thousands of Facebook employees, according to a report. The passwords were unencrypted, were accessible to as many as 20,000 Facebook employees and dated back as early as 2012, according to cybersecurity blog KrebsOnSecurity, which first reported the security misstep. Facebook has confirmed the issue, which it discovered in January during a “routine security review.” The company acknowledged that a bug in its password management systems had caused hundreds of millions of user passwords for Facebook, Facebook Lite, and Instagram to be stored as plaintext in an internal platform.
MARK ZUCKERBERG, FACEBOOK
“To be clear, these passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them,” the company wrote in a blog post. Facebook says the issue has been resolved and it will alert “hundreds of millions” of people whose passwords were visible. The company has also reportedly set up a small task force to conduct a broad-based review of anywhere this might be happening. It said that it would enforce a password reset if its task force looking into the issue uncovered abuse of the login credentials.
MANAGEENGINE INTRODUCES NEW USER AND ENTITY BEHAVIOUR ANALYTICS SOLUTION
MANIKANDAN THANGARAJ, MANAGEENGINE
ManageEngine has announced that it has introduced user and entity behaviour analytics (UEBA) into its SIEM solution, Log360. With score-based risk assessment, threat corroboration, anomaly detection powered by machine learning, and other new capabilities, the Log360 UEBA add-on helps security professionals identify, qualify, and investigate internal threats and anomalies by extracting more information from logs for better context.
“In today’s IT security landscape, rigid alert rules and conventional threat detection systems no longer make the cut. The need of the hour is a system that can learn and adapt to continuous change,” said Manikandan Thangaraj, director of programme management at ManageEngine. “Log360 UEBA does just that and improves the accuracy of threat detection, helping SOC personnel qualify and investigate threats that actually merit investigation.”
Log360 UEBA monitors user activity captured in logs to identify behavioural changes. User activities that would otherwise go unnoticed are flagged, reducing the time it takes to detect and respond to threats.
DUBAI POLICE NABS 300 SUSPECTS WITH AI-POWERED CAMERAS
The Dubai Police has reportedly made over 300 arrests in Dubai with the help of AI-powered CCTV cameras. According to local media reports, Dubai Police has nabbed 319 suspects across the emirate last year.
The AI-powered cameras are part of Dubai Police’s Oyoon (eyes) project, which has approximately 5,000 cameras covering a number of tourist sites, public transportation and traffic. The AI network connects all the security cameras across the city and enables them to relay live images of security breaches to the Central Command Centre.
First Lieutenant Ali Al Shehi from the Criminal Investigation Department highlighted that the Oyoon project will tackle crimes in the city, as using AI and the latest technologies will help realise zero crimes in the future. The network is continuously being developed to meet the Dubai 2021 Vision requirements of a smart city, according to Dubai Police.
ONLY 4 IN 10 SAUDI CEOS ARE PREPARED FOR A CYBER-ATTACK ON THEIR ORGANISATION. Source: KPMG Al Fozan & Partners
CYBERCRIMINALS MOST LIKELY TO BE CAUGHT ON SERVERS: REPORT
IT managers are more likely to catch cybercriminals on their organization’s servers and networks than anywhere else, according to a recent study by Sophos. According to the study, IT managers discovered 37 percent of their most significant cyber-attacks on their organization’s servers and 37 percent on its networks. Only 17 percent were discovered on endpoints and 10 percent were found on mobile devices.
“Servers store financial, employee, proprietary, and other sensitive data, and with stricter laws like GDPR that require organizations to report data breaches, server security stakes are at an all-time high. It makes sense that IT managers are focused on protecting business-critical servers and stopping attackers from getting on the network in the first place and this leads to more cybercriminal detections in these two areas,” said Chester Wisniewski, principal research scientist, Sophos. “However, IT managers can’t ignore endpoints because most cyber-attacks start there, yet a higher than expected amount of IT managers still can’t identify how threats are getting into the system and when.”
Twenty percent of IT managers who fell victim to one or more cyber-attacks last year can’t pinpoint how the attackers gained entry, and 17 percent don’t know how long the threat was in the environment before it was detected, according to the survey. To improve this lack of visibility, IT managers need endpoint detection and response (EDR) technology that exposes threat starting points and the digital footprints of attackers moving laterally through a network.
“If IT managers don’t know the origin or movement of an attack, then they can’t minimize risk and interrupt the attack chain to prevent further infiltration,” said Wisniewski. “EDR helps IT managers identify risk and put a process in place for organizations at both ends of the security maturity model.”
CHESTER WISNIEWSKI, SOPHOS
On average, organisations that investigate one or more potential security incidents each month spend 48 days a year (four days a month) investigating them, according to the survey. “If IT managers have defense-in-depth with EDR, they can also investigate an incident more quickly and use the resulting threat intelligence to help find the same infection across an estate. Once cybercriminals know certain types of attacks work, they typically replicate them within organizations. Uncovering and blocking attack patterns would help reduce the number of days IT managers spend investigating potential incidents,” said Wisniewski.
CYBERSECURITY A POPULAR CAREER CHOICE IN UAE AND SAUDI ARABIA
NED BALTAGI, SANS EMEA
Students in the UAE and Saudi Arabia are looking at IT, including cybersecurity, as a prospective career, according to the latest study by SANS Institute. The latest research from global IT security training company SANS Institute noted that students between the ages of 14 and 18 across seven countries in the Middle East and Europe are interested in a career in IT.
A majority of students across EMEA had heard of cybersecurity (81 percent), and the results show that those countries with higher awareness of the subject could potentially have a competitive advantage when it comes to building out talent in the longer term, the report noted. SANS also highlighted that given the prolific nature of cybersecurity and the media attention it attracts today, it is perhaps surprising that no country achieved 100 percent awareness. It also found that 32 percent of students across EMEA are considering IT as one of their top five career choices.
“We are currently on the brink of a cybersecurity crisis. By 2020, there will be approximately 24 billion Internet-connected devices installed across the world. However, reports show that in the next year or two, unfilled cybersecurity job openings globally will run into several millions, meaning we are severely short of professionals to secure all those devices and systems we are putting online. Given the enthusiasm and aptitude of the iGeneration for digital technologies, the answer to our cyber crisis could lie in enthusing and educating younger generations about cybersecurity now, to arm our future workforce,” said Ned Baltagi, managing director, Middle East, SANS Institute.
MAKING THE GRADE
AS DIGITAL ENVIRONMENTS BECOME INCREASINGLY EMBEDDED IN HIGHER EDUCATION INSTITUTIONS, THEY BECOME MORE SUSCEPTIBLE TO CYBER-ATTACKS. WITH ELEMENTS SUCH AS OPEN NETWORKS, LARGE VOLUMES OF DATA AND INCREASING ENDPOINTS, HOW CAN UNIVERSITY CISOS KEEP CYBER THREATS AT BAY?
Universities are key players in the battle against cyber-attacks as they both carry out research that advances cybersecurity and train the next generation of cyber-defence specialists. They can, however, fall victim themselves to hackers who may, for example, be interested in getting their hands on the sensitive data they store.
It is an issue of particular importance in the UAE given the huge expansion of the university sector in the Emirates over the past two decades. Like some other GCC nations, the country has seen the growth of its own higher education institutions as well as the launch of campuses linked to overseas universities, such as the University of Birmingham Dubai and New York University Abu Dhabi.
Morten Illum, vice president, EMEA, Aruba, a Hewlett-Packard company, highlights several reasons why advances in technology have created new vulnerabilities. According to Illum, while mobile connectivity, the cloud and IoT (which may be represented at universities by everything from security cameras to smart laboratory equipment) have brought benefits, they have also “provided hackers with a plethora of opportunities” to exploit gaps in cyber defences.
Morten Illum, Aruba, HPE
“CAMPUS SYSTEMS PROCESS AN ABUNDANCE OF RICH DATA INCLUDING PAYMENT INFORMATION, PERSONAL DETAILS AND MEDICAL RECORDS OF APPLICANTS, STUDENTS, ALUMNI AND FACULTY.”
The explosion of IoT devices has left organisations of all kinds vulnerable to infected devices, says Illum, adding that this is particularly true of universities, which rely heavily on bring-your-own-device (BYOD) environments. “Educational institutions typically have vast campuses and user bases, a large variety of devices trying to connect to their networks at any given time, and a huge amount of data passing through their systems, all of which presents a very real security risk,” he says.
“In addition, younger generations (i.e. students) tend to be early adopters of new technologies, which means that their odds of being exposed to scams and other social engineering attacks is significantly increased.
“It is also not just their own members that universities need to worry about. By their nature, universities are intended to enable frequent international collaboration and will regularly host global visitors, all of whom want to connect to the network. This only increases the risk of having the network exploited.”
In a briefing document published last year, Craig Badrick, the CEO of Turnkey Technologies, a United States-based networking and cybersecurity company, reported that more than half of students take at least two internet-connected devices to the university campus. More than a fifth bring three or four. University networks are large and complex, and are being used 24 hours a day, seven days a week, another factor that makes them vulnerable to attack.
Cybersecurity breaches may be especially harmful because universities hold large amounts of information that others may want to get hold of. Universities produce knowledge, some of which could be of great monetary value, evidenced by the fact that many successful companies have been spun out of higher education institutions. Illum says that companies or governments looking to gain a competitive advantage would be keen to get hold of this data.
Dr Shamal Faily, a principal lecturer in systems security engineering and coordinator of the cybersecurity research group at Bournemouth University in the United Kingdom, says that it is easy to overlook the importance of this intellectual property that universities create. “If you’re working with a spreadsheet, you might not realise how valuable that is. Over a period of time a simple text file can become sensitive information. That’s the case with companies. It’s particularly the case with universities because we’re in the business of creating things,” explains Faily.
Dr Shamal Faily, Bournemouth University in the United Kingdom
“IT’S MUCH EASIER TO CARRY OUT A TARGETED ATTACK ON ACADEMICS THAN [PEOPLE] WORKING IN A COMMERCIAL ORGANISATION”
Other data that universities keep and must protect relates to their many thousands of staff and students. Aruba, HPE’s Illum notes that the retail and healthcare industries are normally thought of as being the most obvious targets for hackers since they store “a wealth of lucrative financial and medical data”, but universities “actually store just as much valuable information”. “Campus systems process an abundance of rich data including payment information, personal details and medical records of applicants, students, alumni and faculty,” he says. Some of this material is the type that criminals will be willing to pay for on the “dark market”, putting a premium on ensuring that it is secured.
“The university has to protect the sensitive data – really detailed information on students, sensitive information about each student and each staff member – where they live [for example] – no different from any organisation,” says Professor Kevin Curran, a professor of cybersecurity at the University of Ulster in the United Kingdom. “They have to have the proper intrusion-detection systems; endpoint security; state-of-the-art monitoring of the network.”
However, some observers say that, with less money to spare than many corporations, universities may have more limited budgets for cybersecurity. There have been cases where universities have fallen victim to cyber-attacks, leading to damaging publicity and, potentially, harmful consequences for those affected. The University of Wisconsin-Madison, for example, announced last year that it was introducing a new cybersecurity risk management policy following a 2016 incident in which more than 1,000 social security numbers of former applicants were stolen, and a 2009 hack of computers in the chemistry department. The new policy involves categorising information on university databases according to its sensitivity.
A challenge facing universities is, says Illum, ensuring that their networks are secure without student productivity being impeded. He advises them to have a network that is granular enough to show the individual people and devices that are connecting to it. “The devices people choose, the locations they work in and the people they send data to are always in flux – and the network has to be able to keep up with all this change,” he says. “This requires it to monitor how many devices are connecting each day, and how quickly patterns of network uses are changing, and then adapt its policies in real-time.”
Illum suggests that universities employ behavioural analytics to enable them to analyse their entire network collectively. “Machine learning can be employed to find the small changes in activity that will highlight a likely breach, allowing institutions to avoid breaches that could result in a loss of personal information,” he explains.
In a blog published in 2016, ResilientIQ’s Erin Brady said that universities and colleges should consider using a third-party vendor to carry out a risk audit and determine where vulnerabilities lie. Another key point, and one that many universities act upon by providing online advice to students and staff, is the need to educate users. “Universities must ensure they continue to remind users of the security risks, as well as the processes and tools that have been put in place to prevent them – but in a way that doesn’t position IT as a barrier,” says Illum.
Bournemouth University’s Dr. Faily also points out that aside from the risk to the institution’s network, individual academics may be particularly vulnerable to fraudsters because of the amount of information about them that is available online. “Academics put their lives out there because they want to find collaborators,” he says, adding that even personal details such as marital status may be found in a search, allowing hackers to build up a detailed knowledge of individuals. “It’s much easier to carry out a targeted attack on academics than [people] working in a commercial organisation making it more important for them to take a highly precautionary approach to cybersecurity,” says Faily.
HOW TO PREVENT DATA MANIPULATION ATTACKS
BY TIM BANDOS, VP OF CYBERSECURITY, DIGITAL GUARDIAN
Conventional wisdom says that once an attacker is in the system, moving laterally from network to network, the damage is already done. The adversary has found a way in and more than likely identified the data they’re after. They simply need to exfiltrate it—the last step of the kill chain—to land the final blow. In some scenarios, however, it’s what the attacker doesn’t do that could have a more devastating outcome on the enterprise.
Data manipulation attacks—attacks in which adversaries don’t take data but instead make subtle, stealthy tweaks to data, usually to elicit some type of gain—can be just as crippling for organizations as theft, if not more so. The ability of attackers to manipulate and shift data around is a real threat, one that could cause widespread financial and even physical harm, if done successfully.
Consider the stock market. Hypothetically speaking, if an attacker were to successfully breach the IT systems and databases responsible for updating a stock ticker symbol and manipulate data to show a billion-dollar tech giant like Apple, Microsoft, Google, or Amazon taking a nose dive, it would cause immediate chaos, and panic would ensue. It could result in people selling off their stocks in a frenzy—the culmination of a deliberate and effective attack.
Data manipulation attacks don’t always have to result in a tangible financial gain. If an attacker managed to carry out a similar attack against health record information for patients in hospitals and altered critical data like drug dosages and prescriptions that need to be administered, it could result in sickness or even death.
These types of attacks are commonly carried out by malicious insiders, individuals who have privileged access to critical data in the first place. If an insider got their hands on blueprints for a manufacturing facility that was being built, they could make minor modifications to drawings that could set the organisation up for systemic failure. Understated and difficult to detect, an attack like this could ultimately put a company out of business and give a competitor, perhaps in a nation state, the ability to take over market share. I’ve seen this play out firsthand. When you have a ‘trusted’ insider as the culprit, it makes it all that more difficult to detect and track down.
“TRADITIONAL SECURITY PROCEDURES ARE NO LONGER ENOUGH FOR A MOBILE, DIGITAL WORKFORCE.”
Attackers like data manipulation attacks because they’re hard to detect and they undermine trust and confidence; if there’s no way to verify that data, like blueprints, documents, or source code, is legitimate, it can erode trust from the inside out. Attacks that compromise integrity can jeopardize an entire supply chain. It only takes one flaw, far down a chain, to disrupt or delay the production of goods in an organization’s cashflow.
Carmaker Tesla sued a former employee last summer after CEO Elon Musk alleged the insider stole confidential and trade secret information after he failed to get a promotion. While the employee purportedly exported gigabytes of confidential data, he also made changes to the Tesla Manufacturing Operating System, the set of basic commands for Tesla’s manufacturing lines—under false usernames—apparently in an act of sabotage. Manipulating sensitive data, like source code, isn’t flashy but is something that can cause the market to slowly unravel over time.
For organizations, it’s inevitable that attackers will take data; it’s more of a challenge to determine when an attacker makes a small change to data, then leaves the scene of the crime. For threat hunters, from a digital forensic perspective, there’s typically always a trace left behind. Anomalies in system logs, edits to files at suspicious times, and alarms on threat signatures to detect suspicious techniques and malicious behavior can be telltale signs of data manipulation.
To combat these types of attacks, organizations need to ensure they have endpoint visibility on their IT systems. If an outsider successfully penetrates a network, they’ll need to move laterally through the environment to find the data they’re after. It’s critical for incident responders or threat hunters to be able to follow in their proverbial forensic footsteps, to proactively hunt and detect this type of activity before something irreversible is done.
“COMPANIES NEED TO SHIFT TOWARD INTELLIGENT SOLUTIONS THAT CAN HELP THEM BETTER PREDICT, PREVENT, DETECT, AND RESPOND TO THREATS.”
The MITRE ATT&CK Framework has generated buzz across the industry lately for good reason. The knowledge base—a living, breathing breakdown of adversary TTPs and behaviours—outlines in great detail each phase of a cyber attack and the best methods for detecting and mitigating each technique. The framework can greatly help threat hunters looking to speed up their hunting cycle.
While attackers may not necessarily leave the endpoint with data in these types of attacks, organizations would benefit from using endpoint detection and response tools to gain better visibility into behaviors and data movement. Organizations can also use file integrity monitoring solutions to identify and track real-time changes to files, folders, and other settings. Logging activity can also help but it’s not a silver bullet. IT teams need to develop internal controls to audit this information and ensure they constantly have eyes on the glass, triaging logs generated by their environment.
Data manipulation attacks can have disastrous consequences and cause significant disruption to a business, country, or even the world in some circumstances. Being prepared is the first step to potentially limiting or preventing the impact of these attacks.
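The following is an added example, not code from the article or from Digital Guardian: a minimal file integrity monitor in Python that illustrates the points above about tracking changes to files and flagging edits made at suspicious times. The 07:00 to 19:00 UTC working window, the HMAC-protected baseline, the function names and the sample files are assumptions made for the illustration, and all sample data is constructed.

```python
"""Added illustration: keyed file-integrity baseline with an off-hours flag."""
import hashlib
import hmac
import os
import json
import tempfile
from datetime import datetime, time, timezone


def sha256_file(path, chunk=65536):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Map every file under root (by relative path) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = sha256_file(full)
    return digests


def _mac(files, key):
    """HMAC over the canonical manifest, so whoever alters a monitored file
    cannot also rewrite the baseline unnoticed without the key."""
    canonical = json.dumps(files, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def build_baseline(root, key):
    files = snapshot(root)
    return {"files": files, "mac": _mac(files, key)}


def check(root, baseline, key, work_start=time(7, 0), work_end=time(19, 0)):
    """Return findings for removed, added and modified files.

    The working window is an assumed policy, evaluated in UTC. The off_hours
    flag is a triage hint only: mtime can be altered by anyone with write
    access, so the hash comparison is the authoritative signal.
    """
    if not hmac.compare_digest(_mac(baseline["files"], key), baseline["mac"]):
        raise ValueError("baseline manifest failed its integrity check")
    known, current = baseline["files"], snapshot(root)
    findings = []
    for path in sorted(set(known) | set(current)):
        if path not in current:
            findings.append({"path": path, "change": "REMOVED", "off_hours": None})
            continue
        if known.get(path) == current[path]:
            continue  # content unchanged since the baseline
        mtime = os.path.getmtime(os.path.join(root, path))
        edited = datetime.fromtimestamp(mtime, tz=timezone.utc).time()
        findings.append({
            "path": path,
            "change": "MODIFIED" if path in known else "ADDED",
            "off_hours": not (work_start <= edited < work_end),
        })
    return findings


def demo():
    """Constructed scenario: a one-digit dosage edit at 02:30 UTC, a deleted
    drawing, a new file, and a baseline rewritten without the key."""
    key = b"constructed-demo-key"  # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        def write(name, text, when):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write(text)
            stamp = when.timestamp()
            os.utime(path, (stamp, stamp))
            return path

        day = datetime(2019, 4, 1, 10, 0, tzinfo=timezone.utc)
        night = datetime(2019, 4, 2, 2, 30, tzinfo=timezone.utc)
        write("dosage.csv", "patient,drug,mg\n1001,warfarin,5\n", day)
        write("blueprint.txt", "beam_span_m=12.0\n", day)
        write("notes.txt", "unchanged\n", day)
        baseline = build_baseline(root, key)

        tampered = write("dosage.csv", "patient,drug,mg\n1001,warfarin,50\n", night)
        os.remove(os.path.join(root, "blueprint.txt"))
        write("extra.txt", "new file\n", day)
        findings = check(root, baseline, key)

        # A manifest edited to match the tampered file still carries the old MAC.
        forged = {"files": {**baseline["files"], "dosage.csv": sha256_file(tampered)},
                  "mac": baseline["mac"]}
        try:
            check(root, forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return findings, forged_rejected


if __name__ == "__main__":
    results, rejected = demo()
    for item in results:
        print(item)
    print("forged baseline rejected:", rejected)
```

The report is only as trustworthy as the baseline and key, so both belong on a system the monitored users cannot write to.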
THE POWER OF ONE
HUSNI HAMMOUD, MANAGING DIRECTOR FOR MIDDLE EAST, CEE AND TURKEY AT MIDIS GROUP HAS ENJOYED A SHARP TRAJECTORY OF SUCCESS IN HIS CAREER AND HAS PLAYED A KEY ROLE IN SUCCESSFULLY LEADING THE BUSINESS GROWTH OF MULTIPLE IT OPERATIONS AND CYBERSECURITY VENDORS UNDER THE COMPANY’S PORTFOLIO.
“THE PROGRESS OF TECHNOLOGY THROUGH THE YEARS HAS AFFECTED PEOPLE’S PROFESSIONAL DNA.”
With almost three decades of experience in the regional IT and security space, Husni Hammoud is one of the foremost figures in the industry. A man of many hats, Hammoud performs a double duty of managing both the business development and pioneering innovative initiatives of multiple global cybersecurity and IT operations firms under Midis Group’s purview. These include Barracuda Networks, Ivanti and Cradlepoint, with others in progress.
Hammoud’s interest in technology was stoked at a young age during his secondary education studies. “I have always been passionate about electronics,” he says. “I enjoy seeing how different parts come together to build a useful gadget.” This passion inspired him to take up a course in electrical engineering, which he finished at the American University of Beirut. Determined to shore up his education, he expanded his knowledge and skills in technology and took up courses in software development, IT audit, industrial automation and cybersecurity.
“WE WANT TO PROVIDE ORGANISATIONS WITH END-TO-END SOLUTIONS ENABLING THEM TO ACHIEVE A HOLISTIC APPROACH TO SECURITY.”
Graduating in 1990, Hammoud started his career at the Red Cross in Lebanon as the IT manager. He was responsible for establishing the IT function and operations at LRC, a role that lasted for almost two years. Following his stint at the Red Cross, Hammoud continued to pursue roles in technology and eventually set up his own business focused on industrial automation.
With Hammoud’s career already gathering momentum in its early stages, he decided to begin his first stint working abroad, joining the Midis Group as part of one of its subsidiaries in Saudi Arabia. “In 2000, I moved to the Kingdom to join MDS Saudi under the systems integration arm of Midis.”
“I started as one of the early team leaders at MDSCS. As part of my role, I managed the first and largest Security Operation Center in Saudi Arabia and other GCC nations at Saudi Telecom Company. We catered to a number of industries such as telecommunications, finance and public sector, and delivered solutions around IT security, network infrastructure, storage and consultancy among others,” he says.
Hammoud then moved on to become the firm’s general manager overseeing the overall growth and operations of MDSCS in the Kingdom. After almost two decades in the company, Hammoud’s positive trajectory continued as he was offered the role of managing director for Midis Group’s Local offices operations in the Middle East, CEE and Turkey, which brought him to Dubai in 2015.
Hammoud is responsible for managing multiple initiatives and business development related to Midis Group’s technology partners in the fields of security, networking and enterprise solutions. “I oversee the business development of multiple organisations under the MIDIS Group. These vendors include IT operation and cybersecurity firms such as Barracuda Networks, Ivanti and Cradlepoint,” he says.
“A big part of my role is focused on positioning these companies’ offerings in the markets where we are present in the Emerging EMEA such as GCC, Levant, Turkey, CEE and Africa. In addition, I’m responsible for making sure we deliver these technologies to the right market through the right people,” he explains.
A firm believer in continuing professional development, Hammoud ensured that he is adept in every facet of the Midis Group’s operations, from the technical aspects to pre-sales and sales. More than that, he made sure that he has well-rounded knowledge of the latest developments in the different technologies that they offer in the region. “I’m managing quite a large organisation that’s catering to different areas of IT across multiple countries. Staying up-to-date with the latest demands and trends in the market makes me more effective in leading my team and, in turn, the business.”
“WE WANT TO BRING IN ONLY THE BEST SOLUTIONS TO HELP BUSINESS TRANSFORM AND SECURE THEIR BUSINESSES. WE ALWAYS UPHOLD THE HIGHEST STANDARDS IN OUR INITIATIVES AND WE ALWAYS CHALLENGE OURSELVES TO EXCEED EVEN OUR OWN EXPECTATIONS.”
With over 30 years of experience in the IT industry, Hammoud saw the space evolve significantly over the years. “I remember using devices like the IBM PC XT back in the day. We also used to utilise dial-up connectivity and didn’t have the same quality of Internet connection and resources that we enjoy now.
“A lot of that has changed over the years,” he adds. “Today, we are enjoying accelerated connectivity thanks to technologies such as 4G and developments around 5G are underway. We are also enjoying the benefits of cloud, machine learning and virtual reality. Increasingly, we are witnessing technologies around artificial intelligence and automation come to reality.”
He adds, “The progress of technology through the years has affected people’s professional DNA. We live at a time where a person’s literacy is not just based on their ability to read and write but also on their capability to adapt to new technology. It’s a totally different era and we have to be quick to learn or we risk getting behind.”
Looking ahead, Hammoud believes that as the technologies around us become more integrated, data will play a key role in redefining the way we do business. “We are entering the era of the Internet of Things where everything will be interconnected, and data will be the fuel for accelerating business intelligence to help modern enterprises succeed.”
With all these developments on the horizon, security will play an important role in technological evolution. “It’s important to remember that interoperability between multiple machines does not come without risks,” he says. “Organisations need to be ready for different kinds of threats from passive attacks where the perpetrator monitors and exploits your network; to active attacks where a cybercriminal is trying to break your defences outright.”
Hammoud underlines that because security threats like these can occur at a variety of levels, organisations need to set up security measures that provide multiple layers of defence against these risks. “This is why, through our cybersecurity partners – Barracuda Networks, Ivanti and Cradlepoint, we aim to assist regional firms, from both private and public sectors, in securing the different layers of their IT infrastructures,” he says. “We want to provide organisations with end-to-end solutions, enabling them to achieve a holistic approach to security.”
Building on this promise, Hammoud says Midis Group will continue to grow its capabilities, expand its market reach and invest in the best skills during the course of 2019 and beyond. Another big focus for the company will be onboarding new solutions and vendors that it believes will cater to the evolving needs of enterprises in the region.
FOCUSED PARTNERS:
BARRACUDA NETWORKS
Key solutions: security, application delivery and data protection solutions
2019 plans: Expanding operations in the CEE region with special focus covering Poland, Czech Republic, Hungary and Romania among others; on-boarding more people on-ground
IVANTI
Key solutions: IT asset management, IT service management, endpoint security, supply chain management
2019 plans: collaborating with major GCC firms in sectors such as telco, aviation, finance and government; top focus on partnering with government firms in Saudi Arabia to accelerate and support Vision 2030 initiatives around security and digital transformation
CRADLEPOINT
Key solutions: cloud-managed business continuity, primary and parallel networking, mobile, and M2M/IoT networking solutions
2019 plans: delivering security projects for organisations in the retail, law enforcement and banking industry in UAE
“We want to bring in only the best solutions to help enterprises transform and secure their businesses. We always uphold the highest standards in our initiatives and we always challenge ourselves to exceed even our own expectations,” he says.
EMPLOYEES: THE CHAMPIONS OF A STRONG CYBERSECURITY CULTURE JEFF OGDEN, GENERAL MANAGER, MIMECAST MIDDLE EAST
Let’s face it, employees don’t care about security awareness training. That’s because most companies are still approaching it in the wrong way. Employees join a company and are thrown into long and boring security training straight away. The training is not very interactive or engaging, it usually includes pages of daunting documentation and often makes use of low budget videos that barely get the message across. And then, once that initial training is done, that’s it. The box is ticked, and employees get on with their new roles. The point is, that employees must immediately go through large numbers of modules, to achieve “compliance.” And while compliance is obviously important, it needs to be tightly connected to business value, enterprise security, and employees’ personal motivations. But too often, those connections aren’t made.
In many organisations, there’s little follow-up after an employee’s first cybersecurity awareness training. Some employers offer a “refresher” the following year, reminding them of all they’ve forgotten. However, this approach is flawed and inevitably sets the programme up for failure. Mimecast’s 2018 State of Email Security report indicated that only 11 percent of organisations continuously train employees on how to spot cyber-attacks while 24 percent admit to monthly training, and 52 percent perform training only quarterly or once a year. This isn’t good enough.
Research suggests that people forget a lot in a year. Bahrick et al found forgetting rates of 19 percent to 36 percent one year after instruction. We also know that experiences perceived as having greater importance and relevance are more likely to be remembered — and that’s especially an issue in cybersecurity awareness training, which often fails to give employees sufficient reasons not to forget.
So what advice can I give you for cybersecurity awareness training? Persistent cybersecurity awareness training helps you build enterprise security. Your training programme will achieve better results if you’re persistent. Don’t try to get all your training out of the way in a single onboarding class or annual refresher session that demands hours of focused attention. Instead, have regular engagements.
Teach in short bursts of no more than a few minutes. Stay within the attention spans of actual employees in the real world, while still covering all they need to know over time. Tightly focus each short burst of learning on a big idea in corporate cybersecurity. That helps learners integrate your message into long-term memory. Then, immediately reinforce what you’re teaching with an engaging, interactive activity and instant feedback. Space out your learning sessions — but not too much. According to one careful research study (Bahrick, Phelps, Roedinger), optimal recall occurred when retraining occurred at 30-day intervals. And don’t stop after one or two training sessions: make sure they’re regular. This approach is usually called microlearning. We know it is what employees want. But does it change employees’ security behaviour? Yes.
Not all microlearning is equal
Of course, short microlearning modules can be boring, irrelevant, and forgettable, too. So, it’s important to make training funny and appealing and tell stories. Humans love stories. This helps build a holistic understanding of corporate cybersecurity in real-world context. It’s designed to help people truly internalise how and why people make dumb mistakes, what happens when they do, and how to avoid it. It’s time to do away with the boring presentations that no one cares about. If you offer content with relatable characters and situations, your employees will learn how to help build a stronger corporate cybersecurity culture.
TRICKS OF THE TRADE
AS SECURITY INCREASINGLY BECOMES A BOARDROOM ISSUE, CYBER RISKS SHOULD BE A FOCAL POINT IN M&A TALKS. SECURITY CORRESPONDENT DANIEL BARDSLEY SPEAKS TO INDUSTRY EXPERTS TO DISCUSS WHY CONDUCTING A CYBERSECURITY DUE DILIGENCE IS NECESSARY BEFORE SIGNING ON THE DOTTED LINE.
In September last year, Colorado Timberline, an American printing company that worked in the promotions industry, posted a message on its website to say that it had ceased operations following a ransomware attack. The abrupt closure was not just bad news for the dozens of people who worked there – it was also a disappointing outcome for two private equity firms that, in 2017, had bought Colorado Timberline. A promising investment had quickly turned sour.
There have been numerous high-profile examples of cyber breaches that came to light only after an acquisition. Among them is the leak involving 1.4 million users revealed after TripAdvisor had spent $200 million buying Viator in 2014. TripAdvisor’s share price suffered as a result. Such unfortunate cases illustrate the cyber risks associated with mergers and acquisitions, and bring to the fore the importance of cybersecurity due diligence, which involves carrying out a comprehensive audit of the cybersecurity status of a target company.
“It’s only been within the last three to five years that cybersecurity has become a fundamental part of the diligence process,” says Steven Chabinsky, a Washington, DC-based partner with the law firm White and Case. “The rationale is a growing understanding of the impact of cybersecurity for the protection of financial business interests, combined with a growing reliance on technology by companies as part of their value.” There are multiple reasons why cybersecurity due diligence could be considered. A key factor is the protection
of the potential acquisition’s intellectual property rights (IPR). “If the main driver of the acquisition is the IPR, cybersecurity due diligence is vital in ensuring that the buying company doesn’t walk out of the door,” says cybersecurity specialist James Arthur, who recently returned to work in the UK as head of cyber consulting for Grant Thornton after a five-year spell based in Dubai.
Another issue is ensuring that the potential acquisition complies with privacy legislation, such as that associated with data protection. Without appropriate cybersecurity, it is not possible to have compliance with data protection laws, says Chabinsky. “As data privacy protections have become more important as a business differentiator and as regulators have increased their focus on the protection
of consumer and employee data, and have enhanced the fines in the event of non-compliance, cyber due diligence is increasingly becoming pertinent among businesses,” he says. Chabinsky highlights a third reason why a cybersecurity audit is important: to ensure that there are adequate financial controls in place. A company must be able to protect its accounting systems to ensure their accuracy, and to avoid potential litigation and regulatory fines. The pervasiveness of digital technology is a fourth reason for a comprehensive cybersecurity audit. “It’s easy for people to understand that traditional technology companies require cybersecurity diligence, but people have only recently realized that companies we don’t traditionally view as technology companies are increasingly dependent
on technology, and the cybersecurity needed to protect it, for manufacturing all of their products, communicating with their customers, and delivering their services,” says Chabinsky. Sometimes during diligence, cybersecurity technical audits are conducted by people with a mix of technology and risk-management backgrounds. Simultaneously, commercial specialists may consider the potential impact of weaknesses on valuation, while legal experts explore regulatory and contract compliance gaps. Chabinsky says that it is ideal if cybersecurity and data privacy are considered together by the same team during the due diligence process. However, if intellectual property, privacy and cybersecurity are looked at simultaneously by the same diligence experts, which they often were in the past, it will expand the role of those specialists. The audit will aim to determine not just whether a company has been compromised in the past, but whether there are current, active threats. As well as penetration testing to check cyber defences, Arthur says the process will typically include a “paper trawl” that looks at what information may have been breached. Searches on the dark web or deep web may also be carried out to see if the target company is being talked about in closed forums. Cybersecurity auditors will, says Arthur, try to gather information from the organisation itself and conduct a thorough threat hunt within the network. More cybersecurity-aware companies may be better able to disclose vulnerabilities. Experts say that those without formal procedures in place, and that have not yet fallen victim in a significant way, may understand less about the threats.
In the five years that Arthur was based in the UAE, he carried out cybersecurity work across the GCC and elsewhere in the Middle East. From his experience, the importance of cybersecurity due diligence is increasingly being recognised in the region. “It is slowly but surely becoming a top priority for organisations,” he says. So, in the years to come, we can expect more businesses to be thinking about cybersecurity due diligence to ensure that there are no nasty surprises after they have opened their wallets for an acquisition.
NEXT STEPS
When a cybersecurity audit highlights problems in a company, there are several options open to the potential purchaser of that firm. One is simply to back out of the deal, although Steven Chabinsky, of the law firm White and Case, says that cybersecurity issues alone are “very rarely” the reason why a potential merger or acquisition falls through. They are sometimes found among myriad problems. If things are in “such disarray” on the cyber side, it can suggest management failures, says Chabinsky, and these could be a reason why the acquisition should not proceed. “Often when that’s true, other specialist teams, they’re seeing the same thing,” he says. James Arthur of Grant Thornton says that, if something as serious as an intellectual property leak has been highlighted, the acquiring partner may reconsider a deal. Aside from scrapping a deal, another outcome is that the transaction is delayed while problems the audit identified are remedied. “The third, more likely [outcome is that] the company doing the acquiring say this could alter the price, or they make some other demand,” says Chabinsky. The cost of remedying the problem, and potential future liabilities, will be taken into account when the price of the acquisition is determined. Consequences can be significant: Verizon Communications reduced the price it paid for Yahoo by $350 million, and split future costs and liabilities, when two data breaches came to light. “I think that lawyers are increasingly finding themselves in a position to help sellers understand how the cybersecurity programme and resulting gaps might impact a deal, and what they should be putting in place prior to going to market,” says Chabinsky. Security problems may increase the costs associated with integrating or deploying technology after an acquisition, and these may affect the purchase price. A common outcome is that the purchasing company has a plan in place to remedy issues immediately after the acquisition is closed.
GLOBAL MEETS LOCAL IN HIS MOST RECENT VISIT TO DUBAI, 2CRSI FOUNDER AND CEO ALAIN WILMOUTH SAT DOWN WITH SECURITY ADVISOR ME TO DISCUSS THE COMPANY’S VISION TO BRING GLOBAL INNOVATIONS TO THE REGIONAL MARKET.
Can you please give an outline of 2CRSI’s operations?
2CRSI specialises in designing and manufacturing servers, rugged solutions, high performance computing, data center and customised solutions. We have subsidiaries set up in the UK, US and in the UAE. We have more than 100 customers in 25 countries across multiple sectors. Our solutions are primarily aimed at industries that require robust and/or embedded solutions and for data centers. We deliver computing solutions that not only offer high performance but are also energy efficient.
Which market segments is 2CRSI focusing on?
We primarily focus on three key market segments: Rugged and embedded, HPC, cloud and storage. With these technologies, we cater to multiple industries including public sector firms such as transport, physical security, law enforcement and small and medium businesses (SMB).
How important are the Middle East and North Africa markets for 2CRSI?
Prior to setting up operations here in the region, we have conducted a comprehensive study on the different advantages and potential challenges we might face in this market. After doing so, we found that establishing a subsidiary in UAE will give us a strategic advantage to reach various lucrative markets in the MEA region including the GCC countries, Turkey and Egypt among others. In addition, the UAE’s commitment to technological innovation is attracting many global organisations to invest as well as set up their business in the country. By making Dubai our regional hub, we believe we are well-positioned to address the growing IT requirements of organisations across different industries. Over the past couple of years, we have placed a significant focus on enhancing our operations in the region. We have invested in onboarding the right people for our sales, technical and support teams. As part of our commitment to the region, we are strengthening 2CRSI’s foothold by opening our new headquarters in DAFZA, which will take place within this year. Following this, our next step is to establish our local production line. Our long-term goal is not just being able to sell our solutions here but also to develop and assemble products locally to be able to cater to our regional customers.
How can your offerings enable organisations to strengthen their security postures?
HPC is capable of improving security on both physical and digital fronts. It helps security systems to accelerate processes such as analysing and correlating vast amounts of data. We develop server solutions for compute, networking, storage, IoT, hosting, and many other tasks that are not only energy efficient but also add an extra layer of security. We do this by making sure that our products are benchmarked against the highest international standards. We ensure that we meet all the requirements needed to attain all the necessary security certifications for every market we operate in. This makes our products not only high-quality, efficient and reliable but also secure.
What can we expect from 2CRSI in the coming months?
We are a very channel-focused vendor, so we aim to continue collaborating with our partners here in the region. In fact, we are working very closely with our distributors. With their wide-ranging expertise in the market and years of distribution experience, we believe that they are instrumental in helping us realise our vision in the region. In addition, 2CRSI firmly believes that expanding and imparting knowledge is the best way to fuel innovation no matter what industry you are in. That’s why a big focus for us in the coming months and beyond will be honing our expertise around consulting and research. In line with this, we plan to roll out initiatives around training and knowledge-sharing to help foster local talents with global expertise.
MIDDLE EAST DIGITAL TRANSFORMATION AND CYBERSECURITY IN THE FOURTH INDUSTRIAL REVOLUTION BY JODY PATERSON, FOUNDER AND CEO, ERP MAESTRO
The UAE is one of the rapidly advancing countries for digital transformation and competitiveness. In the 2018 IMD World Digital Competitiveness Ranking, the UAE ranked 17th and ahead of industrial leaders, such as Germany, Japan, France, China, Russia and Italy. While originally slower to adopt cloud technology than other regions in the world, more UAE businesses have made cloud computing a top 2019 priority to harness their untapped digital potential. In addition, IDC predicts that spending on cloud services in the region will quadruple in the next four years.
Advancements in the Internet of Things (IoT), automation and artificial intelligence are dependent on cloud technology. To continue advancing and innovating competitively, the UAE will need to keep increasing cloud as a primary business driver, making the country fully immersed in and leading in the Fourth Industrial Revolution.
With new technologies come new risks and cybersecurity is a top concern for international and C-suite executives, according to a Conference Board survey. Research further cites insider threats as the biggest security concern because company employees often interact with attack assets that cause them to make mishaps and commit nefarious acts due to weak access controls.
Business systems, such as enterprise resource planning (ERP) solutions, are a must-have to manage all business processes. Whether it be a system that’s on-premise or the cloud, there are significant risk for incidents of fraud or internal breaches of sensitive company information. SAP, a market leader in enterprise application software, reports that 77 percent of the world’s transaction revenue touches an SAP system. That’s a big potential for risk. Companies to date haven’t taken internal threats as seriously as external threats for a number of reasons. Businesses may not take action until they have a serious breach, case of fraud or crisis. They don’t realize how prevalent internal threats are and how damaging they can be. The truth is internal attacks are on the rise, even though they aren’t as widely publicized. And that’s mainly because companies tend to keep them quiet. Yet, it’s far easier for an insider incident to occur at the hands of employees who already have access to systems than it is for external criminals to hack in to sensitive information. Companies—even those with the best of cultures—really need to implement a zero trust strategy when it comes to system security.
To protect a company’s data and all of its assets, internal security tools need to be adopted and valued on par with external security protection. Technology research firm Gartner states that cloud-delivered security products are more agile and can implement new detection methods and services faster than onsite solutions. Plus, the maintenance of on-premise security systems is an unnecessary and often costly burden. However, as Gartner also explains, not all cloud security services are created equal, and the best solutions aren’t merely legacy solutions moved to the cloud. When considering securetech in the cloud, look for applications that have been built from the ground up as native-cloud technology that can scale easily and deliver seamlessly and continuously. A primary example is ERP Maestro’s access controls for SAP that can be installed in under 60 minutes and deliver valuable reporting rapidly. Additionally, automation, a Fourth Industrial Revolution feature, is critical for ERP access controls in terms of instant visibility, time-savings, and reduced audit failures. The cloud is superior for the automation of controls for SAP access.
Companies need to consider associated external and internal risks and adopt holistic strategies to be protected fully in this new era of innovation. No one likes to think their employees could be their biggest threat, but, today, all companies should operate with zero trust when it comes to the access of vital company data. Automated, cloud access controls offer the best defense. MetaByte Technologies, a technology and consulting firm based in Dubai, recently hosted the UAE Leadership Forum that brought together executives from the region to discuss digital transformation and cybersecurity trends in the UAE and highlighted ERP Maestro cloud security technology for SAP for its competitive advantages.
ABOUT JODY PATERSON: Jody Paterson is a trusted advisor and cybersecurity thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), a former director at KPMG, and founder/CEO of ERP Maestro — provider of automated access controls for SAP.
UAE LEADERSHIP FORUM: Jody Paterson, Founder and CEO, ERP Maestro; Satish Sabnis, Vice President - Business Development, Metabyte Technologies, Dubai, UAE; Salil Dighe, CEO, Metabyte Technologies, Dubai, UAE
To learn more about ERP Maestro, contact MetaByte Technologies: firstname.lastname@example.org.
LOVE IN THE TIME OF CYBERSECURITY MOBILE DATING APPS ARE INCREASINGLY GAINING POPULARITY TODAY AS THEY EFFORTLESSLY HELP CONNECT PEOPLE WHO SHARE SIMILAR INTERESTS THROUGH THE PUSH OF A BUTTON OR SWIPE OF A FINGER. HOWEVER, THE AMOUNT OF SENSITIVE PERSONAL INFORMATION THEY CONTAIN IS CAUSE FOR CONCERN WHEN IT COMES TO CYBERSECURITY, DANIEL BARDSLEY REPORTS.
A quick Internet search will highlight many unhappy stories of people who have been scammed through online dating. It is not uncommon for individuals to lose their life savings by sending money to someone who was not who they said they were. There is no doubt that online dating sites, including specialist ones such as those catering to the needs of Muslims, can be good for meeting a future spouse, but the format is open to abuse. Professor Tom Buchanan, a psychologist who has studied the effects of fakery in online profiles, says the impact on victims is “pretty much devastating”. “More than the obvious financial loss, such incidents also cause victims very high levels of distress,” says Buchanan, who works at the University of Westminster in London. When someone starts asking for money, Buchanan says it is “a surefire sign it’s a scam”, but often, by this stage, the potential victim is so committed to what seems to be a genuine relationship that he or she does not back off. “Often, the rose-coloured spectacles are in the way,” he says. “But when the awful truth becomes apparent, victims face what we call a ‘double hit,’ wherein they suffer both financially and emotionally.”
The problem is vast – and growing. For example, the Federal Bureau of Investigation in the United States received 15,000 reports of romance scams in 2016, up about one-fifth on the previous year, and victims lost almost a quarter of a billion dollars. There are instances of people who pay out repeatedly to the same fraudster, and cases of individuals who have been scammed by one person, only to later fall victim to another criminal. “Scam victims are often repeat victims: they get scammed by various people again and again. You would imagine if people are scammed they would be put off, but there’s a huge proportion of people scammed by different people,” says Professor Tom Sorell, a professor of philosophy at the University of Warwick in the United Kingdom who has helped to co-ordinate a multi-university research project on fake online profiles. And fakery in online profiles is about trying to secure more than just money. Sometimes demands can escalate so that those targeted end up smuggling drugs or laundering money for criminals. In turn, this can lead to blackmail. Other fraudulent online profiles involve adults pretending to be of school age with a view to grooming and gaining access to children. Whatever warnings law-enforcement agencies make about the risk of online romance scams or online grooming, trusting individuals will still fall victim, making it all the more important that social media companies find ways to identify and weed out suspicious profiles. Another academic who has researched fake online profiles is Professor Awais Rashid of the University of Bristol in the United Kingdom, who has carried out work as part of the
wider project that Sorell is involved with. Rashid says that social media companies “do make an effort” to remove fake profiles. Manual methods of detection, such as by other users flagging suspicious profiles, are, however, far from perfect. While Rashid says that sometimes a profile will be “very obviously fake and easy to detect”, this is not always the case. “In other circumstances, for example if [it is] a large social network, it’s a lot more challenging,” he says. As a result, new ways of employing technology to identify fake profiles for removal could prove highly valuable. Rashid and his co-researchers have developed software that can analyse the language in profiles to develop a “linguistic fingerprint”. This can help to identify profiles set up by an adult pretending to be a child. It is particularly effective when the adult is more mature, rather than being relatively young. “This can be used to alert users [as] to whether they’ve been the victim of fraud or a fake profile,” says Rashid. “But we have to be very careful if you have these tools. It’s challenging because of the lack of 100 percent accuracy.” There are likely to be “false positives”, when genuine profiles are mistakenly flagged as potentially fake. More recent work by Rashid and others has involved the creation of algorithms that use artificial intelligence (AI) to identify fake profiles by analysing the images, descriptions and demographic information in profiles. These methods are ideally used alongside human-based techniques to identify fake profiles. “We use a combination of machine learning and artificial intelligence [AI] techniques. They do offer quite a lot of
value, but with any AI technique, there are limits to its accuracy,” says Rashid. “It’s an open research problem. AI and machine learning help, but we need more advances to be able to improve the accuracy of these tools.” There are a number of characteristics associated with fake profiles, and knowledge of these can be incorporated into technology-based methods of detection. It is typical, for example, for scam profiles that are aimed at middle-aged women to feature images of western military personnel. “It’s possible using this semantic profiling to distinguish profiles that are genuine and that are likely to be scamming,” says Sorell. The location of profiles is another clue, because some countries, such as Nigeria and Ghana, are associated with fake profiles. “What tends to happen, especially in the western African case, [is that] there’s an accumulated scam knowledge about what works. The profiles tend to be of a particular pattern,” says Sorell. Other countries are linked to the problem, with Sorell saying that eastern European or Malaysian scammers may target people in richer nations, such as Australia and Canada. “One of the things that emerges is that the scamming goes on from a very much wider variety of countries than
western Africa,” he says. “The geographical mapping suggests the dating sites could start themselves to have checklists according to where people are supposed to come from and what the risk might be of fraud coming from these places.” Aside from location, other clues come from the pictures in a profile. Reverse image searches and other technology can indicate when these have been taken from the internet, and when this process is automated it could be an effective way to cut down on fraud. “One of the things that could be done by the websites is using the insight of the project of when photos are fictional or appropriated from other sites. They could work on using face-matching technology, which is widely available,” says Sorell. “And technology can be handy when it comes to the money transfer. It can identify the source and destination as potentially fraudulent. “You have got the romance side and the money-transfer side; both lend themselves to technological interventions.” Sorell also says there could be a use for pre-emptive technology to offer particular safeguards to protect individuals identified as vulnerable. So although the scammers will continue their malign activities, technology could in future make life much more difficult for them.
THE NEW BATTLEGROUND BY PETER OGANESEAN, MANAGING DIRECTOR, HP MIDDLE EAST AND EAST AFRICA
When British businessman Gerald Ratner, chief executive of a high street chain of jewellers, stood up to address the London business community in 1991, he had little idea
that the next few minutes would wipe £500 million off the value of his company. By candidly criticising the quality of goods sold at his shops, Ratner prompted a mass consumer boycott and secured his own place in the pages of marketing textbooks for a generation – a case study on how to destroy a brand in seconds. While CEOs may be more media savvy today, the risks to a brand’s reputation
have never been higher. And top of the list of risks is cyber security – a disruptive force. Cybercrime is now a $600 billion problem globally, and showing no signs of abating. The right security keeps your business running, helps ensure customer trust, and avoids scrutiny by government, media, and other organisations. But poor security can wreak devastation on your firm’s standing, its operations and finances.
A data breach significantly damages a brand’s reputation, resulting in stock prices dropping an average of five percent and increasing customer churn by seven percent, according to a 2017 Centrify study. The biggest costs, however, are associated with lost business, estimated at up to $110 million. As we’ve seen from recent headlines over data breaches, consumers are no longer willing to stand by and watch companies recklessly handle their personal information. For brands, it should not take a crisis to inspire action, and organisations are beginning to realise it’s time to do things differently. The future of their brand could rest on the unsecured printer down the hall or the phone in the hand of their newest employee. To minimise the impact of losing sensitive data, now is the time for brands to re-evaluate and rethink their security. And it starts with two critical considerations:
Endpoints are the new frontline in the cyber battleground
Unsecured endpoints, such as PCs and printers, are a significant liability and can put an entire network and all of the company’s valuable data at risk. The reason? Poor security hygiene. Many devices, including printers, are left unsecured or are not updated with the proper security policies. Hackers know this and frequently target printers. In fact, seven out of 10 organisations report their endpoint security risk increased significantly during the previous 12 months, and trust in antivirus software dropped considerably, as 64 percent of companies experienced an endpoint attack, with 57 percent of endpoint attacks missed by antivirus, as it minimises protection and maximises false positives for businesses.
Today’s IT threats strike businesses from many places and from all angles. Security must cover every entry point with multiple layers of protection. Embedded security in endpoint devices is an investment that small businesses and enterprises alike must consider to properly protect data, detect malware and recover potentially compromised data.
For instance, both HP PCs and HP printers are equipped to thwart attacks as they are embedded with ‘self-healing’ technologies that automatically install updates to ensure the device and the network containing valuable data and information are secure at all times.
Leave security to security experts
Security is not a place to take risks, especially as employee mobility and lifestyle shifts create new vulnerabilities with each device that enters or leaves the office. Aging PCs that rely on security software and unsecured network printers now represent high risk for many companies. With a proliferation of devices, many companies have a blind spot in their security strategies, and don’t realise that selecting the PC or printer to buy is actually the first security choice they must make.
A robust Device-as-a-Service (DaaS) subscription model enables a company to ensure adherence to security protocols and automatically update devices to keep them protected while reducing the time and labor required to manage them. DaaS also helps combat the risks of human error such as phishing or sending email to the wrong recipient, which accounted for 17 percent of security breaches last year.
With the number of connected devices dramatically growing, consumers and organisations alike are producing and consuming an increasing amount of valuable data, making devices at the edge vulnerable and attractive targets for security breaches.
Analyst firms like IDC tell us there will be up to 80 billion connected devices by 2025. Yet every 4.2 seconds, a new piece of malware emerges. In this context, every device decision is a security decision, and ultimately, a decision about the future of a company’s brand. Your customers, your employees and your entire supply chain demand you act as a responsible steward of their data, treating personal information with scrupulous sensitivity and stringent security protocols.
Is your brand living up to their expectations?
7 IN 10 ORGANISATIONS HAVE EXPERIENCED INCREASE IN ENDPOINT SECURITY RISKS IN THE PAST 12 MONTHS
WHY CYBERSECURITY NEEDS BOTH AI AND HUMAN INTELLIGENCE BY AMIT ROY, REGIONAL HEAD, MEA, PALADION
Pilots can no longer fly jetliners without computer assistance. There is too much data, there are too many parameters that must be constantly checked to ensure safety. The same is now true of cybersecurity. Expecting human beings to check every event in a system or on a network is foolhardy. The most dangerous threats to security are often the ones with the lowest profiles, the ones that people miss or gloss over. Artificial intelligence allows a different approach. One that combines speed with systematic checking not just for outliers,
but also for trends, connections, and probable threats. Machine learning programmes can sift through piles of data in minutes, where a human being might need days and still make potentially dangerous mistakes. Does that mean AI can do it all? We have self-stocking fridges and self-driving cars. Why not self-protecting IT systems and networks? While this idea may sound attractive, it is by no means realistic. Huge strides in information technology hardware and software mean that AI is now a practical and affordable possibility for many organisations, either in-house or as a service. But relying
totally on AI for cyber protection could be very risky, even fatal. There are several reasons for this. First, even when AI is functioning well, it has limitations. Imagination, innovation, strategising, all these things are beyond the abilities of today’s AI. Second, AI needs periodic training to stay relevant and effective as the cyberthreat landscape changes. It is important to note that unsupervised machine learning programmes can
detect new patterns in data without intervention. But assigning meaning and relevance to those patterns is a step still best accomplished by human beings. Third, smart cybercriminals can “game” or even poison AI being used for cybersecurity. Just as it takes a pilot to tell a jetliner what to do and where to go, it takes a person, albeit a skilled person, to bridge the gap between AI’s results
and globally effective cybersecurity. This should not come as a surprise. Human intelligence (humint) is a vital part of penetration testing, for example, as well as software testing. It takes the quirkiness of humans to explore avenues that AI may not know about or understand. And just as it takes a thief to catch a thief, it still takes a human security expert to get inside the mindset of an attacker. So, AI and humans must work together. AI applies power and programming, while humint contributes judgment, imagination, and creativity. Meanwhile, AI continues to evolve. By building up vast banks of data on threats and best practices, AI develops its own faculties of judgment. It can describe, diagnose, and propose solutions for given threat situations. It starts to acquire human-like powers of insight. And possibly human-like problems as well. Researchers have already noted how inconsistencies can seem to arise spontaneously in very large software systems. There may even be a natural limit to the level to which artificial intelligence can rise in cybersecurity. Above this level, they may become too much like human beings, losing their advantages of reliability and turning into entities that make the same mistakes as human beings – but faster. Only time will tell. For the moment, however, both AI and humint are essential, working together but each bringing their own strengths.
UP AND AWAY DRAGAN PETKOVIC, SECURITY PRODUCT LEADER ECEMEA, ORACLE, DISCUSSES WHY CLOUD SECURITY IS NOW MORE IMPORTANT THAN EVER AND WHY COMPANIES MUST DEFEND THEMSELVES AT EVERY LAYER OF THEIR IT ENVIRONMENT.
7% of respondents in the recent Oracle and KPMG Cloud Threat Report (CTR) reported having a cloud-first orientation within their organisation. The cloud is here to stay. However, with widespread adoption comes an expanding list of challenges and new considerations. Customers rapidly adopting the cloud must also consider how their security solutions can keep pace.
Keeping Pace
The CTR goes into great depth on this concept. Traditional security procedures are no longer enough for a mobile, digital workforce. It is important to remember that cloud is all about choice and flexibility. This means that customers can retain aspects of their traditional on-premises security solutions and begin to incorporate new cloud-based solutions over time. With that being said, the time to consider innovating your security posture is now. Recent data breaches have largely been attributed to human error or cloud account misconfigurations. These attacks can be fiscally devastating, ruin brand reputation, and can even mark the end of a C-level executive’s time at the company. The stakes are high.
Breaches and Regulations
Everywhere you look there seems to be a new breach on the news, exposing sensitive personal information or company financial data. This issue is not unique to any industry and is a primary reason security has become a priority for so many organisations. Not to mention, harsh compliance regulations are continually cracking down on corporations. Organisations simply cannot afford to cut corners in today’s hybrid cloud environment. What can companies do to increase their security posture and remain compliant with regulations such as GDPR? First and foremost, “Transparency is key,” as Akshay Bhargava, vice president of the cloud business group at Oracle, mentions in 5 Strategic Priorities for Chief Security Officers in 2018. Bhargava later goes on to explain the importance of an incident response plan, which can be used to quickly respond to an attack and minimise the damage. Companies should explore cloud security options that can help them better monitor their environments and protect them in the event of an attack. When working to comply with these regulations, it is also important to maintain visibility into your entire cloud and on-premises environment.
Threats
Modern businesses thrive off of fast development and lowering costs, both undoubtedly accelerated by cloud. The threat landscape has also exploded through these innovations. Overall cloud adoption has created a lack of visibility, leaving companies vulnerable to attack. The CTR explains that today’s threat landscape is diverse and hackers aren’t always sitting in a dark room millions of miles away. They are everywhere and they are after your data. Attacks can be brought on by nation-states, cybercriminals, and even insiders. Organisations face a wide range of threats including malware, phishing, and theft of credentials. Companies must defend themselves at every layer of their environment. They must also turn to a more identity-driven approach for cybersecurity. By shifting the focus to identity, companies have more control to isolate the root cause of a breach or attack, especially those carried out by an insider or by a hacker using stolen, but authorised credentials. Tracking a user’s normal behaviour enables cutting-edge technologies to automatically take action against anomalous behaviour by sending out a Multi-Factor Authentication code to a user’s phone.
Building a Defense
Each organisation has a unique journey to the cloud. They must also discover the security solutions that will work best to protect their environment. As cybersecurity threats continue to rise, qualified talent has not been able to scale. There are simply too many alerts and not enough expertise to keep up. Companies need to shift toward intelligent solutions that can help them better predict, prevent, detect, and respond to threats. Creating an innovative security environment allows you to gain visibility and intelligence; it is a vital component in the battle of cybersecurity.
A CLOSER LOOK
GETTING TO KNOW SANJAY ZAVERI, REGIONAL MARKETING MANAGER – MIDDLE EAST, GARTNER, ON HIS LIFE INSIDE AND OUTSIDE THE OFFICE.
WHAT IS THE FIRST THING YOU DO WHEN YOU ARE AT YOUR OFFICE DESK?
A QUICK CATCH UP AND FRIENDLY BANTER WITH MY COLLEAGUES FOR A POSITIVE START TO EVERYONE’S DAY.
HOW OFTEN DO YOU CHECK YOUR SOCIAL MEDIA ACCOUNTS?
I CHECK LINKEDIN AND TWITTER EVERY COUPLE OF HOURS AND MORE IF WE’RE RUNNING SPECIFIC SOCIAL MEDIA CAMPAIGNS.
WHAT’S THE BEST PART OF YOUR JOB?
MEETING NEW PEOPLE FROM THE INDUSTRY AND WORKING WITH MY AMAZING COLLEAGUES.
CAN YOU NAME ONE DEVICE OR APP THAT YOU WISH EXISTS RIGHT NOW?
EARBUDS THAT CAN SEAMLESSLY SWITCH BETWEEN MULTIPLE PHONES AND LAPTOPS – IF YOU KNOW OF ONE, LET ME KNOW!
WHEN DID YOU GET YOUR VERY FIRST MOBILE PHONE?
I GOT MY FIRST-EVER MOBILE PHONE IN 1999, IT WAS AN ERICSSON.
IF YOU’RE NOT WORKING IN THE TECH/SECURITY INDUSTRY, WHERE WOULD YOU BE?
A CONSULTANT TO COMPANIES LOOKING TO AMPLIFY THEIR MARKETING REACH HERE IN THE REGION.
WHAT’S THE LAST THING YOU DO BEFORE YOU LEAVE THE OFFICE?
PREPARE THE NEXT DAY’S ACTION ITEMS.
ABOUT Sanjay Zaveri spearheads the marketing strategy in the Middle East for Gartner, a global research and advisory company. With over 16 years of experience in the UAE, Sanjay has driven customer acquisition and revenue growth across a variety of industry sectors. www.tahawultech.com
ON THE WATCH
ONLINE EDITOR ADELLE GERONIMO SHARES HER VIEWS ON THE LATEST DEVELOPMENTS IN THE SECURITY LANDSCAPE.
MIND THE GAP
An expanding digital footprint and increasingly sophisticated cyber-attacks have created a growing urgency for organisations to secure their data and resources. Enterprise security teams need help; unfortunately, they’re having a hard time finding it. Predictions from Gartner have revealed that worldwide spending on information security is expected to reach $124 billion this year. However, in spite of all the potential investments, industry pundits expect the cost of cybercrime to reach $2.1 trillion by the end of 2019, surpassing spending on cybersecurity by over 16 times. According to cybersecurity and IT security certification firm (ISC)2, there are currently 2.93 million unfilled security positions around the globe. The reality is that there are simply not enough skilled professionals available to properly plan, manage, integrate, and optimise security tools and solutions. A primary reason behind this widening gap is the continuous expansion of the digital marketplace, which has generated more jobs than the current supply of security professionals can meet. Moreover, there is also a problem of scale, as there is still no efficient way to create skilled security practitioners at the same rate as the speedy pace of digital transformation.
More than investing in new technologies such as automation and artificial intelligence, there is a big opportunity for enterprises and security vendors alike to diversify the ways they plug the security skills gap. For one, organisations can look into partnering with universities to amp up interest among undergraduate students in taking up a career in IT security. In fact, a recent study by security training and certifications firm SANS Institute found that a significant number of students in the UAE and Saudi Arabia are looking at IT, including cybersecurity, as a prospective career. Security firms have an opportunity to promote cybersecurity as a career path and educate the next generation of professionals on its importance in the digital world. A simple yet often overlooked solution is retraining current IT staff. Instead of struggling to find new members for their security teams, organisations should seek out current employees who already possess the basic IT expertise and business acumen, and consider investing in upskilling them. Unless we take action now, we risk falling behind in the battle for cybersecurity, putting organisations from across the board in jeopardy.
The power of one