NME Security Report: Mixed bag of security strategies in ME
Network Middle East security survey assesses state of cybersecurity readiness among regional organisations
Most organisations in the region are looking to increase spending on IT security, according to the Network Middle East annual security survey 2018/2019.
Network Middle East conducted a comprehensive survey on the state of the security industry in the Gulf region, regarding policies, user behaviour and threat perception.
Asked how much money, in US dollars, their organisation allocated to IT security in 2018, 14% said more than 500,000 USD, while a further 14% said their organisation spent 50,000 to 100,000 USD. Another 14% said they spent under 10,000 USD.
In 2019, the figure is the same, with 14% saying they plan to spend 100,000-500,000 USD and a similar number saying they will spend 10,000-50,000 USD. Interestingly, none said they would spend less than 10,000 USD, showing a willingness to spend more on security at the lower end.
In the region, a relatively small percentage of the entire IT budget is dedicated to IT security, our survey shows. About 29% of respondents said less than 50% of their overall budget was dedicated to IT security. Only 14% said more than 50% is dedicated to IT security.
Security awareness is at an all-time high. More than 80% of respondents have heard of the more notorious security threats. More than 85% have heard of DDoS, phishing, spam, viruses, Trojans and web threats.
However, awareness is still low for advanced persistent threats (APTs), with only 43% saying they have heard of them. This probably reflects a vague understanding of APT as a term, which could be because of the complexity of launching and defending against APT attacks.
Viruses/worms are the most common types of malware experienced by businesses in the region at 43%. No organisation reported being the victim of ransomware or a DDoS attack. Although extremely damaging, these types of attacks are relatively rare.
Cybersecurity attacks may seem abstract to the average employee until they are quantified into actual figures. That is why research in the last few years has put emphasis on enumerating the effects of attacks on businesses and individuals. We thus asked respondents if, to their knowledge, their organisation had suffered any loss or damage due to cyber-attacks. 43% said they had suffered a loss in productivity, such as system downtime. A further 29% said they had suffered loss of data. Another 29% said they had suffered no damage at all, which is encouraging news.
The use of work computers for personal purposes is widespread. I’m sure all of us have at one time or another used our work machines to check a social media update or to send a personal email.
Indeed, according to the survey, 57% of respondents said they had checked their personal emails while at work, while 43% said they had browsed websites not directly related to their job in the last year. 57% said they had visited social networking sites using work computers. Most worrying is the fact that 29% reported downloading or installing executable files on their work PCs. This, of course, is very dangerous, as some of the most dangerous malware out there is spread using executable files.
The use of removable media at work is a tricky proposition for most organisations. While most organisations would like to empower their employees, security concerns mean restricting downloading work onto USBs and such. IBM famously put an outright ban on the use of USB within the organisation. A lot of organisations have similar restrictions.
However, 57% of the respondents reported saving work on USB to continue working elsewhere. The use of file-sharing services such as WeTransfer is also increasingly popular. There is technology out there that can restrict what goes out while ensuring security. The use of encrypted USB hardware is also recommended should such a USB fall into the wrong hands.
Basic cyber hygiene could go a long way in alleviating cybersecurity challenges. Human error or negligence, based on the naive belief that the responsibility for security lies with IT staff, has left many organisations reeling from data leakage.
According to our survey, 14% shared a password with third parties, whether it’s fellow employees or otherwise. The risk here is apparent; there’s a reason we all have personal passwords for our devices. Once that is mislaid, you lose control over your own destiny.
A good starting point for any effective security strategy is to have a (written) IT security policy in place. However, 43% of respondents said their organisation had no written IT security policy. For those that do, only 15% said they had been asked to sign it.
Enforcement of IT security policies, for those that have a policy, is patchy. Only 57% of respondents said their IT policy was enforced. This does not inspire much confidence in regional organisations’ ability to fight cybercrime.
Security professionals have been preaching the benefits of an effective awareness campaign for ALL employees, and not just IT. It has been shown that a vast majority of data breaches are due to human error, numbers that can be drastically reduced with regular awareness campaigns. However, only 57% have attended an awareness campaign session in the past two years.
Effectively implemented, a BYOD-friendly workplace can deliver not just significant cost savings but also a more productive workforce overall.
Unfortunately, our survey revealed that BYOD “policies” in the region range from 50% having no BYOD policy at all to 33% outlawing personal devices from accessing company data. Only 17% allow the use of personal devices, with controls.
Integrated security platforms are now highly recommended as opposed to point products. Our survey shows that although 100% of organisations have anti-virus in place, implementation of other products falls as you go down the list, with only 29% reporting having a UTM platform in use.
Cloud has revolutionized IT. While almost every organisation has some form of cloud application in place, cloud security remains a moving target. A majority of IT managers presume security for their cloud application is the responsibility of the CSP. Indeed, our survey revealed that 57% of organisations have no cloud security policy in place.
Thankfully, the lack of proper cloud security seems not to have caught up with businesses. Only 14% reported having suffered an attack on their security applications in the past year.
Despite well-publicized mega-attacks, it is still a mixed bag as far as having an effective security strategy in place is concerned. Even the most robust security platform will fail if employee awareness is lacking.