Many UAE companies remain critically vulnerable to cyber-attacks because of a failure to maintain basic cyber-hygiene practices, according to Alexander Blom, head of broker and client management at AIG MEA (the Middle East and Africa).
Over the past two years, AIG has seen a doubling of cyber insurance queries and purchases in the UAE. In 2017, the number of claims notifications in the EMEA region was higher than in the previous four years, equivalent to one request per working day.
While market awareness of cyber threats is improving, the company’s experts still frequently come across businesses with poor governance and controls in place.
This reinforces the evidence that the UAE is high on the list of cyber-attack exposure at a time when the proliferation of attack- and vulnerability-exploitation tools has helped create an ecosystem that caters to both petty criminals and organised crime entities.
AIG’s claims reveal ransomware to be the biggest single threat, followed by phishing, data leakage and hacking.
Blom said, “Cyber-attackers today have a very low entry barrier into this ‘market’, because the tools needed to cause maximum disruption are readily available and do not require in-depth technical knowledge. In addition, data vulnerabilities can now be exploited at an incredibly fast pace: what once might have taken months can now be achieved in a matter of hours.
“In the context of this cyber environment, it is vital that businesses comply with data protection rules. Not only will this minimise the risk of attack, but it will also safeguard them against the impact of the European Union’s GDPR regulations. If applicable UAE companies suffer a data breach and are found not to be compliant with the regulation, they could face a fine of US$20mn or 4 per cent of their total worldwide annual turnover,” he added.
AIG conducted a briefing for leading UAE businesses, providing hands-on information on how to manage cyber risk and best practices for responding to cyber incidents. The event was organised by AIG and co-sponsored by a panel of industry experts from KPMG, NYA and Norton Rose Fulbright.
AIG has also developed CyberEdge, a policy which can assist with the financial and reputational ramifications that can result from a data breach and minimise business disruption.
AIG has also shared the following five key cyber-risk management strategies businesses in the UAE should adopt to help reduce the threat:
1) The final responsibility for all cyber risks resides with the business executives and the board, and yet far too often this layer of management is the least knowledgeable. AIG addresses this, in collaboration with the Internet Security Alliance, in its directors’ handbook for cyber risks.
2) Cyber-risks are business risks. It is therefore recommended that companies have a clearly identified Chief Information Security Officer with sufficient budget and personnel to accomplish the job, and ideally with a direct reporting line to the CEO and/or active membership in the executive team.
3) More than 80 per cent of all threats in cyberspace can be mitigated by doing a few things “right”. Good cyber hygiene, i.e. timely patching, close control over user access, asset control, etc., prevents enterprises from becoming a random victim of widespread attacks coming from the Internet.
4) Attackers are always at the forefront of finding new ways to achieve their objective, i.e. breaking into organisations. Therefore, it is important that enterprises react and adapt quickly to new threats. Individual excellence in security operations, as well as collaboration with peers, NGOs and GOs, is an important success factor.
5) Cyber-risks, like all business-related risks, need to be analysed in the context of the actual business. It is key to understand the impact a cyber incident can have on the value generation of the business, i.e. business interruption or a denial-of-service attack, and what costs are associated with a data breach. Additionally, the impact on reputation, or of stolen information in the case of industrial espionage, is an important cyber risk.