
Two industry experts give their verdict on what Middle East companies can do to protect themselves against cyber threats.
“The banking industry is ahead in terms of having a better understanding of information, storage and security”
-Mahesh Vaidya, ISIT AE
BM. IT security is a key aspect of most organisations today. Could more be done by businesses in the Middle East to protect themselves and their networks?
Mahesh Vaidya. None of us would want our company making headlines for the wrong reasons, especially regarding a breach of extremely sensitive information. These breaches can be extremely expensive and even embarrassing. There have been very well publicised incidents of these breaches in the Middle East in recent times.
The Middle East might be slightly behind the Western world in implementing sophisticated information storage and security solutions. Security is still seen as a technological issue by several companies and people and process people IT functions are not given due importance. However, the situation is changing and the banking industry is ahead in terms of having a better understanding of information, storage and security. In the absence of any regulations this issue is likely to continue as an afterthought for most organisations.
Nigel Hawthorn. Initial security threats were aimed broadly worldwide and they often targeted US internet users. Now we are seeing threats that are ever more specific and addressed to individuals or specific organisations and countries, including in the Middle East. We can’t assume “it’s not happening here” and turn our heads away from the problem. Middle Eastern organisations need to look at phishing and spyware as well as hackers. Many threats are based on financial gain and as the world economy stumbles, more people may be drawn to internet-based fraud, and so the threats increase.
BM. What would you say are the main challenges organisations face today when keeping networks secure and warding off dangers?
MV. IT governance, risk and compliance, confidential data leakages, unauthorised intrusions, viruses and worms still continue to be a problem. Incorrect/incomplete processes and limited end user awareness are also a problem in several companies. ISIT is adept in the use of information security standards, such as ISO 27001, and having a thorough understanding of these guidelines helps us to position ourselves as a trusted advisor to our customers and to help them overcome these challenges.
NH. There’s been a lot of talk about hackers getting into organisations and outsiders are certainly a problem. However as we know, most fraud is conducted with the knowledge of someone inside the organisation. We need to ensure that we don’t allow disgruntled employees to cause damage to the organisation or external attackers to use lax security or social attacks to hit at our weakest point. It’s amazing how successful a phone call saying “this is the head office IT group, we have heard of problems with your network access, can you tell me your password please”, can be. So organisations need to train staff to recognise the potential threats as well as introducing policies and technology that can look for inappropriate use of data or accessing applications or websites that may harbour threats.
BM. How can companies protect themselves in today’s climate where storage devices are becoming smaller and the risk of staff walking off with confidential data is growing?
MV. We have a set of data loss prevention (DLP) solutions, which are creating quite a vibe in the market, especially in a business climate where lay-offs are commonplace. DLP technology, for example, can monitor and sometimes block employees as they try to send, modify or copy potentially sensitive data. We also have a range of solutions for remotely backing up data even over low bandwidth links using technologies like deduplication and encryption. Data on laptops can also be configured to self-destruct in the case of theft of the device hence minimising the risk of data loss.
NH. Remote workers can use similar technologies to those inside the organisation (such as web filtering against phishing sites and downloading spyware). In addition, technologies that lock down PCs and restrict the use of RAM sticks and even remote printing can be implemented. But before that, the organisation needs to define policies about who can access what types of data and (as before) train staff to recognise the dangers lurking on the web.
BM. Do you have a recent example of where your services were implemented successfully for an organisation in the Middle East and what the outcome was for the client?
MV. Yes, we have recently completed an Information Security Management System (ISMS) audit for a large enterprise in Abu Dhabi. This helped in uncovering gaps in both technical and non-technical aspects affecting the security of the company and developing a roadmap towards implementation of a secure information infrastructure. Tools like the risk radar charts and heat maps helped to depict their security landscape in an easy to understand but comprehensive manner. We also implemented the first electronic tape vaulting solution for a major bank in the UAE. The backup data is electronically moved between sites using sophisticated inline deduplication technology. This eliminated the risk of physically moving tapes between sites. We have also implemented a “storage as a service” solution for another financial institution whereby they are backing up remotely to our partner data centre. This helped them eliminate the exorbitant costs of disaster recovery by having their data in an extremely secure location with the highest SLAs but in a very cost effective manner with a pay as you go subscription based model.
NH. One interesting example is Woods Bagot, the architects who designed Dubai Waterfront properties, who used Blue Coat’s WAN optimisation solutions to allow employees to share content globally. They reduced WAN bandwidth by 60% while speeding up delivery of Microsoft SharePoint 300 times and CAD files 50 times. A further unplanned benefit was management meetings, which can be conducted via videoconference, saving US$120,000 in travel costs (and a lot of wasted travel time) each time senior management meet.
The panel:
Mahesh Vaidya – CEO of ISIT AE
With two decades of experience, Vaidya has been a pioneer in bringing innovative solutions to the Middle East to help customers store and secure their digital assets. He is also the Chairman on the SNIA Europe ME committee. His leisure interests include martial arts, where he has earned a black belt.
Nigel Hawthorn has over 25 years’ experience of computers, security and networking. He has a strong technical background, has presented at security, e-commerce and networking forums in over 50 countries and contributed to a number of computing books on protocols and security. He has worked for Blue Coat Systems for over 10 years.
“Most fraud is conducted with the knowledge of someone inside the organisation”
-Nigel Hawthorn, Blue Coat
