The need for IT to invest in compliance

Lucy O'Brien


Cyber-crime came back under the spotlight once more in the Middle East in early May with news of a cyber-attack on Qatar National Bank. QNB admitted that clients in Qatar had been targeted, but assured the public that its systems were “fully secure” following the attack, which potentially exposed the names and passwords of tens of thousands of customers.

Often when people think of the Middle East and cyber-crime, pictures of ISIS militants spring to mind – and this is a fair impression, considering the Islamic State’s successful acquisition of the technical tools to wage war in cyber space. Several security vendors have stressed that while the global community should be concerned about cyber-attacks from ISIS-affiliated groups, the hackers are poorly organised and seem to have limited abilities. While the jury is out on their technical capabilities, it is clear that the threat of cyber-attacks by ISIS have a powerful effect on communicating their ideology and advancing their cause. The recently announced intention of pro-ISIS hacking groups to join together to form the United Cyber Caliphate has seen some focus on coordinating and elevating the levels of cyber-attacks.

While this is clearly a significant global problem that governments and organisations need to address, the image of ISIS hackers waging war in cyber space can detract from the more mundane but very real threat of cyber-attacks waged in the Middle East for monetary gain – where the money gained is either stolen directly from consumers or, less tangibly, takes the form of industrial espionage. The Middle East seems to lag behind other parts of the world in terms of recognising the risk of cyber-crimes, according to several recent surveys conducted by vendor and consultancy brands.

A significant issue globally is the fact that phishing remains the king of data access issues, followed by payment card data theft, point of sale etc. Companies are getting better at protecting their servers and networks, but worse at protecting user devices and limiting human failures. The latest annual Data Breach Investigations Report by Verifone, a client of FleishmanHillard in the US, found that about 30% of phishing messages are being opened by targets, and 12% go on to click the malicious attachment or link, thus enabling the attack to succeed. This continued rise in human failings offers an opportunity for companies to better educate employees.

Speed of theft is alarmingly on the rise, with some 82 percent of data breaches analyzed compromising the victim in a matter of minutes. When it comes to communicating with the public, brands need to recognize that the first few seconds of a cyber-attack, like any kind of crisis, are precious moments that will not come again. If they take too long to communicate, trust is eroded. Even if the facts are not yet known, it is essential to keep pace with the rapidity with which information is shared online, between customers and the general public. This is even more true in the Middle East, where social media platform usage is booming.

Companies used to have time to manage crises, now they don’t: communication takes place at the speed of its audience, and that audience acts within minutes. We know from experience the market makes its decision about whether a company is a winner or loser in the first 7-10 days after a crisis event, to which the first 48 hours are critical. With 41% of social media users in the region using Whatsapp, and Snapchat recording the highest annual growth, how can brands stay ahead of what’s being said about them across all social media platforms. Sophisticated social media listening and monitoring tools should no longer be seen as an optional investment.

Aside from speed of response, it is also essential to think through how we can better educate employees about the risks, and think of cyber-attacks as potentially being driven from within an organisation, either through error or privilege misuse, where an employee might coordinate with someone on the outside, rather than being a random unavoidable attack against which  IT needs to build adequate defences.

Most employees think IT handles cybersecurity, even though their bosses and customers ask them to handle more and more data every day. As more employees interact with data, the chances for mistakes and misuse escalate exponentially. Chris Nelson who leads FleishmanHillard’s crisis management team says that companies will need to invest more in training employees about their responsibilities in handling data, compliance with evolving laws, regulations, and company rules, and how to make good judgments in situations where there isn’t yet a playbook. They will have to invest more in oversight and compliance as well.

Lucy O’Brien is the General Manager of FleishmanHillard UAE