JULY-SEPTEMBER 2021 Volume 1 | Issue 1
WWW.SECURITYREVIEWMAG.COM
"The line between data security and data privacy has started to blur"
Claude Schuck, Regional Manager, Veeam
DATA SECURITY & COMPLIANCE: What do companies need to do to protect their data and be compliant?
© 2020 Genetec Inc. Genetec and the Genetec logo are trademarks of Genetec Inc., and may be registered or pending registration in several jurisdictions.
Think beyond video. Think Genetec. Securing your organization requires more than video surveillance. To be successful, you need access control, intercom, analytics, and other systems too. This is where our Security Center platform excels. It delivers a cohesive operating picture through modules that were built as one system. So, whether you’re securing an airport, a parking structure, a multi-site enterprise, public transit or an entire city, you can access all the information you need in one place. To learn about the benefits of unifying your security operations visit genetec.com
CONTENTS

DATA SECURITY & COMPLIANCE
23. Security Models Should be Simple to Make Them Easier to Implement
24. Data Security and Data Privacy Are Two Separate Elements
26. Use Security Measures to Accomplish Privacy Objectives
27. Data Security Through Robust Cybersecurity Should Be Top Priority
30. CISOs Can Provide a Long Term Vision to Security
31. Security Practitioners Should Work Towards Preserving Users' Privacy As Much As Possible
32. Integrated Cybersecurity Solutions Can Help Companies Protect and Monitor Data
34. Companies Have Started Focusing on Cyber-Risk Mitigation Strategies
35. Achieving Compliance can be a Challenging and Nuanced Process

EXPERT VIEW
18. How Access Control Plays a Vital Role in a Safe Return-to-Work Strategy
19. How the Disposable Nature of Tech is Putting your Business's Data at Risk
38. Record-Breaking Year for Ransomware, 2021 May Just Be Warming Up
40. Risky Online Behaviours to Avoid For a Safe Hybrid Workplace
41. Ten Reasons to Move to the Cloud
42. What to Expect When You've Been Hit with REvil Ransomware
43. Four Steps to Ensure Robotic Process Automation Security

// SECURITY REVIEW | JULY-SEPTEMBER 2021
EDITORIAL
A part of the Arabian Reseller Network
JULY-SEPTEMBER 2021

Welcome to the Inaugural Issue! It gives us immense pleasure to launch the first issue of Security Review magazine. Security Review is a quarterly magazine that focuses on the IT and physical security industry in the region. The magazine is for security professionals, C-level executives, key decision makers, security consultants, security device vendors, security solution providers, distributors, resellers and so on. Key target industry verticals include Banking and Financial Institutions, Education, Automotive, Manufacturing, eGovernment, Construction, Smart Homes, Oil and Gas, SOCs, NOCs, FMCG, Retail, Transportation, and so on. The magazine is available in both print and digital editions, along with an up-to-date online portal that disseminates the latest and the greatest in the world of IT and physical security. We aspire to be the voice of the security industry in the Middle East and Africa region. Apart from our digital and print presence, we will also be launching a weekly newsletter that will provide articles, opinions, feature stories and event listings.

This month, the theme of the magazine revolves around "Data Security and Compliance". Read through the magazine, as industry experts speak about tips to keep data safe, ways to remain compliant with local and regional data policies in place, the thinning line between data security and data privacy and lots more. We would like to hear from you about what you would like us to write about. Let us also know what you think of the magazine and the portal at chris@ryshamedia.com

Happy reading!
Chris Fernando

EDITOR-IN-CHIEF: Chris N. Fernando, chris@ryshamedia.com
SALES AND MARKETING: Ranbir Sen, ranbir@ryshamedia.com
ASSISTANT EDITOR: Edward Frank, edward@ryshamedia.com
COPY EDITOR: Priyan Sampath, priyan@ryshamedia.com
SENIOR WRITER: Nisha Seth, info@ryshamedia.com
WRITER: Vishal Jagani, info@ryshamedia.com
GRAPHICS DESIGNER: John Christy, info@ryshamedia.com
EDITORIAL DIRECTOR: Prarthana Mary, prarthana@ryshamedia.com
DIGITAL TEAM: Context Media LLP, Chennai, India. info@contextgroup.net www.securityreviewmag.com

CONTACT INFORMATION
Rysha Media LLC, Sharjah Media City (SHAMS), Al Messaned, Al Bataeh, Sharjah, UAE. sales@ryshamedia.com www.ryshamedia.com
ALL RIGHTS RESERVED. While the publisher has made all efforts to ensure the accuracy of information in the magazine, they will not be held responsible for any errors whatsoever.
Cover Photo and Design by Ranbir Sen. Copyright © 2021
NEWS

Pure Storage's Evergreen Subscription to Innovation Reaches New Milestone
Pure Storage has announced it has reached a new growth milestone for its subscription-based Evergreen Storage program, with over 2,700 customers having done non-disruptive storage upgrades and the average number of upgrades having grown 38% year-over-year for the last five years. The consistent growth of Evergreen serves as a foundation for Pure's strategy to deliver simple, reliable and scalable storage as-a-service (STaaS) and a seamless bridge to the cloud. Unveiled in 2015, Evergreen challenged the status quo of traditional storage delivery, which was marked by high costs, 3-5-year technology refresh cycles, forklift upgrades, storage rebuys, unplanned downtime, high-risk data migration, and overall data storage complexity. Evergreen has paved the way for the new era of IT ownership by enabling customers with a subscription to innovation that reduces costs, creates a longer and more sustainable technology lifecycle, and allows them to continue to modernize their organizations with zero disruptions to respond to changing business needs. Evergreen's momentum, combined with Pure as-a-Service, a true consumption-based STaaS offering, and Pure Cloud Block Store™, which provides seamless data mobility across on-premises and cloud environments, is a testament to Pure's expanding and unified subscription strategy. In the first quarter of fiscal year 2022, Pure's subscription services revenue grew 35% year-over-year.

"Organizations are increasingly turning to subscription-based, as-a-Service solutions to drive agility and eliminate the negative impacts of planned maintenance. The incredible momentum of Evergreen reaffirms our commitment to helping organizations achieve a high level of manageability and simplicity when it comes to their data storage needs," said Prakash Darji, VP and GM, Digital Experience Business Unit, Pure Storage.

While conventional storage upgrades require a complete overhaul of an organization's IT infrastructure, including removing outdated storage and replacing it with the latest technology, Pure's Evergreen Storage is completely disruption-free, eliminates storage rebuys, and provides investment protection. To date, the program has successfully delivered over 7,000 non-disruptive controller upgrades to Pure's growing customer base, eliminating downtime, performance impact, data migrations and forklift upgrades.

Global customers and early adopters are continuing to benefit from Evergreen's ease of use, seamless upgrades and overall simplicity, including NEEN, Jung Holding, and Solidéo. "Traditional clouds are burdened with overprovisioning. With Pure, we now have a solution perfectly tailored to our needs, and one that scales seamlessly thanks to non-disruptive Evergreen storage upgrades," said Marco Zani, CEO, NEEN.

"Pure is completely different, the approach is unique and has completely convinced us. The performance boost was immense. Evergreen is an important argument for Pure," said Oliver Retz, CIO, Jung Holding.

"Pure knows better than anyone else how to integrate new technologies into its storage solutions while maintaining simplicity, which suits our IT team perfectly. Pure Evergreen Storage allows us to upgrade our storage capacity non-disruptively—without changing hardware or questioning our initial investment," said Marc Duong, CISO-CIO, Solidéo.

Zoho Advances BI and Analytics Market with New Self-Service Platform
Zoho Corporation, a leading global technology company, has announced its new Business Intelligence (BI) Platform — an AI-driven data analytics solution empowering businesses to surface precise and actionable insights through self-service data preparation and augmented analytics. Zoho also launched Zoho DataPrep, an augmented self-service data preparation and pipeline service.

Below are four standout pillars of this platform that allow businesses to perform better and remain competitive in their industries:

Data Stories - Zoho's BI Platform now offers an integrated enterprise portal builder (Zoho Sites) and presentation software (Zoho Show). Embedding live reports and dashboards into a website or presentation allows administrators to wrap additional context around data and foster more immersive discussion on business matters. Data Stories reduces friction within an organization, so that businesses can be data-driven without needing to learn new tools.

Augmented Analytics - Ask Zia, Zoho's conversational AI, enables business users, with or without technical know-how, to surface data through natural language querying. Additionally, the all-new Zia Insights provides textual narration of key insights from reports and dashboards that significantly reduces the time and effort required to explore data and glean insights. Zia Insights also includes what-if capability, enabling scenario analysis for effective decision-making.
Augmented Data Prep and Management - Zoho DataPrep, a new application, is an AI and machine learning-driven self-service data preparation tool. The addition of Zoho DataPrep to the BI Platform allows business users to easily create and manage data pipelines that enable them to integrate, model, cleanse, transform, enrich, and catalogue data before making it ready for analysis.
Marketplace - Through Zoho Marketplace, an apps marketplace, Zoho is enabling partners to develop and publish analytical apps and integrations to complement Zoho Analytics users, thereby strengthening the BI and Analytics platform.
Qrator Labs DDoS Attack Mitigation Service Now On HUAWEI CLOUD Marketplace
Qrator Labs, a DDoS mitigation and continuous availability service provider, has partnered with HUAWEI CLOUD Marketplace to provide its DDoS attack mitigation service to a wide range of customers within the Huawei ecosystem. HUAWEI CLOUD describes itself as the world's fastest-growing major cloud service provider, having launched 220+ cloud services and 210+ solutions. News agencies, social media platforms, law enforcement, automobile manufacturers, gene sequencing organizations, and financial institutions use HUAWEI CLOUD. It works with 19,000+ partners and 1.6 million developers, while 4,000+ applications have been launched on the HUAWEI CLOUD Marketplace. Huawei is increasingly cognizant of security concerns such as phishing attacks, DDoS attacks, malware infections, and ransomware, and attaches high priority, through heavy investment, to technological competency, regulatory compliance, and ecosystem growth in cyber and cloud security. In July 2021, the Middle East team of HUAWEI CLOUD worked with Qrator Labs to onboard the Qrator DDoS Protection service onto the HUAWEI CLOUD Marketplace.

Omar Akar, Vice President and Managing Director of Cloud BU at Huawei Middle East, said: "Against the backdrop of the COVID-19 pandemic, a cyber pandemic gripped our digital world, with cyber breaches and cyber-attacks being carried out against organizations, government, and individuals. As a leading global ICT provider, Huawei adopts an open, transparent, and collaborative approach to cybersecurity, and we're pleased to work with industry leaders like Qrator Labs to ensure all HUAWEI CLOUD customers continue to maintain strong cybersecurity postures."

Qrator DDoS Protection is a cloud-based traffic filtering service designed to detect and mitigate attacks targeting customers' web infrastructure at all network layers. The Qrator mitigation system employs custom traffic-analysis, filtering and machine-learning algorithms that are constantly updated and expanded to counter the latest threats appearing on the global network.
Secure Access Service Edge (SASE) Solutions are the Future, Check Point Survey Finds
Check Point Software Technologies has revealed the results from a recent survey showing how organizations have been impacted by the pandemic, particularly when it comes to IT and security strategies. Cyberattacks and threats have increased as attackers have taken advantage of the shift to remote and hybrid work, and this survey confirms that there is a growing shift towards cloud-based security and SASE solutions. As organizations enable their employees to access corporate resources remotely, the SASE model addresses the limitations of traditional network architectures by converging networking and security in the cloud. The survey of 450 global IT and security professionals examined how remote working has affected organizations' security posture, operational overheads and users. Key findings include:

• Remote work brings increased risk: According to 45% of all respondents, organizations are at higher risk of cyberattacks as they shift to remote working. The industries that reported the highest level of cyberattacks were finance (54%), utilities (52%) and manufacturing (47%).
• Administration challenges: The top three issues IT and security professionals contend with are scaling performance (46%), addressing privacy and data sovereignty concerns (42%) and supporting remote access for employees' unmanaged devices (40%).
• Strategies for scaling remote access: To meet the hike in demand for remote working, 69% of security professionals report they are adding on-prem capacity; 66% are moving to cloud-based security and, surprisingly, 36% do both.
• Protecting remotely accessed apps: When enabling remote access to corporate apps, 70% consider the security of applications against cyberattacks and zero-day threats to be of high importance.
• Adopting SASE technology: 94% are familiar with the secure access service edge framework, but adoption is slow, with 9% having already implemented it and 21% planning to do so.

"The shift to remote and hybrid work is one of the most important changes to have taken place as a result of the Covid-19 pandemic. Many organizations have had to compromise network performance and protection across their distributed environments because they use multiple different point products, which leads to management complexity and fragmented threat visibility," said Rafi Kretchmer, VP of Product Marketing at Check Point Software. "This survey confirms that many organizations are feeling more at risk and there is a growing shift towards cloud-based security. The SASE framework consolidates cloud services to minimize attack surfaces and improve the user experience."

Interestingly, the survey reveals dual adoption of both cloud and on-prem security. For expediency, it may be easier to add capacity to current solutions than to rip them out and replace them with completely new ones. Alternatively, this may reflect a phased approach to adopting cloud-based services, or may be a result of data residency considerations. Yet 66% are using cloud-based security services to scale up remote access, and 61% of those respondents consider cloud-based security services to be critical to scaling remote access (including 83% of senior management). Now more than ever, due to the long-term effects that remote working will have on data security needs and architecture, cloud-based security services and SASE technology are gaining interest because they address the pressing need to provide fast connectivity and reliable security for any user regardless of device, location or target resource. With users working anywhere, cloud services improve performance and availability on a global scale. Check Point Harmony Connect delivers Check Point's field-tested security technology from the cloud. Harmony Connect redefines SASE by making it easy to access corporate applications, SaaS and the internet for any user or branch, from any device, without compromising on security.
Built to prevent the most advanced cyberattacks, Harmony Connect unifies multiple cloud-delivered network security services, such as SWG, ZTNA, FWaaS and DLP, and is deployed within minutes to apply Zero Trust policies with a seamless user experience.
Cobalt Iron Enhances Compass Support for AWS With Management of Virtual Machine Snapshots
Cobalt Iron Inc., a leading provider of SaaS-based enterprise data protection, has announced that it is bolstering its support for Amazon Web Services (AWS). In addition to backup and data protection, the company's Compass® enterprise software-as-a-service (SaaS) platform now enables seamless management of AWS virtual machine (VM) snapshots.

Through this new capability, Compass users are able to manage backup retentions and schedules for AWS VM snapshots using the Compass Commander GUI, the same interface with which they manage their enterprise backups. Users no longer have to spend extra time logging separately into AWS or other tools, and backup administrators can be confident that Compass is recording and reporting both AWS and non-AWS VM backup events within a single GUI. Commander can be configured to add insight via reporting and timely notifications of snapshot events, if desired. "Enhancing our support for AWS with the new VM capability allows our customers to access and manage the entire backup landscape from Compass Commander — easily managing scheduling and reporting of their AWS VM snapshots alongside other backup clients," said Robert Marett, chief technology officer at Cobalt Iron. "This in turn simplifies operations, while saving time, reducing costs, and increasing security. It's just another example of our dedication to the ongoing advancement of Compass to meet the ever-evolving needs of the marketplace."

Veritas Technologies Appoints Geoff Greenlaw as its New VP of Channel and Alliances
Veritas Technologies, the global leader in enterprise data protection, has announced the appointment of Geoff Greenlaw as its new VP of Channel and Alliances for Europe, Middle East, Africa and India (EMEAI). Greenlaw's first priority in the new role will be to roll out the revamped and simplified 2022 Veritas Partner Force Program, which will make it more profitable for the channel community to help customers recover from ransomware attacks and to manage data across increasingly complex multi-cloud environments. Greenlaw's key priorities are to reward the channel community for strategically expanding Veritas' footprint with new incentives and double rebates for key products that will harden customers' resilience against ransomware attacks. Greenlaw wants to ensure that the channel will benefit from a regular exchange of detailed information from a sales enablement, communication and marketing perspective. By providing greater insight into renewal opportunities and customer revenue forecasting, he wants to empower resellers to increase their profits. An industry veteran with over 25 years' experience of managing IT channel and sales teams across Europe, the Middle East and Africa, Greenlaw has been with Veritas for over seventeen years. During his tenure, he has previously held various roles as Head of Enterprise Sales in the UK, as Country Director for South Africa, as Head of Channel for the UK and Nordics, and as Head of Channel for Veritas' International Emerging Region, based in the UAE.

"Geoff has been empowering the Veritas Partner Force community for success in some of our most channel-centric markets in the world," said Mike Walkey, global VP of Channel Sales and Alliances at Veritas. "We are excited to have him bring that wealth of experience and reputation for success to the wider EMEAI programme. We are 100% committed to our channel and expect Geoff's knowledge, insight and passion for partnering to help us deliver further on our channel promise."

"The acceleration of digital transformation that we've witnessed in the last year represents a huge opportunity for the channel," says Geoff Greenlaw, VP of Channel and Alliances for EMEAI at Veritas. "I feel fortunate to be stepping into this expanded role just at the point that we are introducing the Partner Force 22 programme, which will help our channel to address this. I look forward to building deeper and wider relationships with the channel community across EMEAI, and working together to meet the needs of businesses as they face the rising threat of ransomware and the increasing complexity of multi cloud environments."
Dynabook recommends Windows 10 Pro for business
The world’s lightest* 13-inch convertible Discover the Portégé X30W. Engineered to exceed Intel®’s exacting new Evo™ classification. Windows 10 Pro | Intel® Evo™ Platform | 11th Gen Intel® Core™ Processors | Intel® Xe graphics | 989 Grams | Instant Wake <1s 15 hour battery life with quick charge | 2 x Thunderbolt™ 4 | Robust Magnesium Chassis tested to Mil STD 810G
me.dynabook.com/laptops/portege/portege-x30w Take the lead with Windows 10 Pro devices *Based on 13.3” convertible laptops with 11th generation Intel® Core™ processors as of 2020/11/04, research conducted by Dynabook Inc.
Commvault Partners with SoftwareONE
Commvault has announced the launch of a new partnership with SoftwareONE, a leading provider of end-to-end software and cloud technology solutions. SoftwareONE is Metallic's first Managed Service Provider (MSP) global design partner for delivering Metallic-based SaaS data protection solutions in the form of BackupSimple powered by Metallic. BackupSimple is SoftwareONE's cloud-based managed service offering to deliver critical data backup and recovery capabilities for companies of all sizes.

"We're excited to partner with SoftwareONE to offer their customers industry-leading data protection, while simplifying partner adoption via the rapid time to value, lower costs, and ease of management that comes with SaaS," said Sanjay Mirchandani, CEO, Commvault. "Coupling SoftwareONE's world-class managed services and customer focus with the flexibility and scalability of Metallic's breadth of offerings will surely accelerate the creation of streamlined customer onboarding, experience, management, and operational processes as we build the industry's leading managed service program."

"At SoftwareONE, we enable digital transformation of our customers' businesses through innovative cloud and technology solutions," said Dieter Schlosser, CEO of SoftwareONE. "We're honored to be Metallic's first MSP design partner, enhancing our managed services portfolio to help protect, manage and optimize our customers' infrastructure and critical data in the cloud. Our managed services provide the deep technical expertise and 24x7x365 operational capabilities that our customers need for their business operations."

As the market continues to move quickly to the cloud, BackupSimple powered by Metallic provides an easy entry point for service providers like SoftwareONE to deliver data management capabilities enabled by the simplicity of a SaaS model. It leverages a secure and scalable cloud infrastructure, with remote management and rapid tenant onboarding through a targeted partner program and APIs. MSP partners can also offer Metallic capabilities, including breadth of coverage for SaaS applications, endpoints, hybrid cloud datacenter workloads, and Metallic SaaS Plus storage flexibility, eliminating the need for disparate point solutions and siloed data.

4th Edition of Intersec Saudi Arabia Rescheduled to Return in 2022
Intersec Saudi Arabia, the Kingdom's largest trade fair for security, safety, and fire protection, has been rescheduled to take place in September 2022, the show's organiser announced. The 4th edition of the three-day event was originally set to run from 12-14 September 2021; the move to next year comes as the Kingdom's international travel restrictions remain in place, impacting the ability to plan ahead for the show. Intersec Saudi Arabia is organised by Saudi-based Al-Harithy Company for Exhibitions (ACE) Group under licence from UAE-headquartered Messe Frankfurt Middle East, which organises Intersec, the world's leading exhibition for security, safety, and fire protection.

Alexandria Robinson, Intersec Saudi Arabia's Show Director, said: "We continue to remain in regular contact with our key stakeholders, trade associates, government partners, exhibitors and supporters of Intersec Saudi Arabia. The decision to move the exhibition to 2022 is widely supported by the industry and the feedback we've received has indicated everyone is positive and excited about what the future holds. We're looking forward to delivering a fully booked Saudi show in 2022 that will deliver above and beyond what is expected of the Intersec brand. Saudi is the largest and fastest growing market for security, safety, and fire protection in the Middle East, and Intersec Saudi Arabia 2022 will present the ideal platform for international and local exhibitors to re-connect and gain direct access to key players in this industry," added Robinson.

Intersec Saudi Arabia is supported by key government entities including the Saudi Ministry of Interior, Saudi Civil Defense, and the Saudi Standards, Metrology and Quality Organization (SASO), together with the industry at large. More than 120 exhibitors from 20 countries are expected to participate next year, while the customary wide range of value-added conferences covering much needed discussions and topics will also return. Long-term prospects for Saudi's security, safety, and fire protection market look good after a pandemic-affected 2020; according to analysts 6WResearch, the Kingdom's market for video surveillance, access control, and intrusion detection, along with fire safety systems and equipment, is estimated to be worth US$906 million in 2021, a seven percent increase over the previous year (US$846.6 million). The market is set to grow at a compound annual growth rate of 6.3 percent over the next five years, and is estimated to reach US$1.2 billion in 2026.
Bitcoin Payments to Major Ransomware Hacker Groups Hit $60 Million
Growing cases of Bitcoin being used to facilitate ransomware payment indicate that the cryptocurrency is gaining popularity among cybercriminals. Consequently, the value of Bitcoin payments to top hacker groups has now hit millions of dollars. Data acquired by cryptocurrency trading simulator Crypto Parrot indicates that the amount of Bitcoin paid to major hacker groups has a value of $60.87 million, or 5,491.37 BTC. The Netwalker ransomware accounts for the highest payments at $27.95 million, followed by REvil at $11.32 million, while Ryuk ranks third with $4.67 million in Bitcoin payments. Netwalker accounts for almost half of the payments at 46.24%, followed by REvil at 18.73%, while Ryuk accounts for the third-highest share at 7.73%. Qlocker has the smallest share at 0.79%. The underlying ransomware payment data is provided by Ransomwhe.re.

It is worth mentioning that the ransomware payments in Bitcoin could be higher, because there is no comprehensive public data on the total number of ransomware payments. In the absence of exact data, it is not possible to determine the actual impact of ransomware and its relation to cryptocurrencies. Notably, hackers prefer Bitcoin payments mainly because of the cryptocurrency's pseudonymous nature: converting money to Bitcoin, sending it and receiving it doesn't require the use of a legal name or address. Criminals prefer Bitcoin because it is not easy to identify the beneficiaries of the asset. Bitcoin is also a powerful tool for hackers as it enables money laundering and the ability to shift currency from one state to another. Bitcoin and other cryptocurrencies also make it possible to extort huge ransoms from large companies and even government entities.

However, besides Bitcoin, Monero is an increasingly popular option for hackers. Monero is considered more of a privacy token and gives cybercriminals greater freedom from the blockchain-analysis tools and mechanisms that can trace Bitcoin transactions. Notably, Bitcoin remains the go-to crypto because, with privacy coins, the cash-out options are more limited, which restricts the hacker's ability to move their money.

The use of cryptocurrencies like Bitcoin in ransomware has resulted in critics calling for the banning of digital assets. However, backers of Bitcoin believe that cryptocurrencies should not be blamed for the rise in ransomware. Some experts note that there is no data on what ransomware attacks look like in the absence of cryptocurrencies. Notably, in jurisdictions such as the United States, it is legal to pay the ransom. To some extent, it is even tax-deductible, with the money coming from a company's cyber insurer. There are calls to ban ransom payments in the US to cut off the cash supply for criminals.

Concerns over the rise in ransomware
In general, ransomware attacks are on the rise and have emerged as a subject of discussion even between world leaders, following some high-profile attacks like the Colonial Pipeline, meat processor JBS, and the recent attack against enterprise software management firm Kaseya, where REvil ransomware was used. Cryptocurrencies have certainly made ransomware more accessible and contributed to the rise. Interestingly, research by Cybercrime Magazine shows that businesses will likely fall victim to a ransomware attack every 11 seconds in 2021. The increase in ransomware comes even as awareness of cybersecurity issues is on the rise. Notably, amid the rising cases of ransomware, some companies are caught unaware of the logistics, and some businesses have emerged to aid in paying the ransom in Bitcoin.
ThreatQuotient's ThreatQ Data Exchange Allows Analysts to Easily Share Curated Threat Intelligence
ThreatQuotient is addressing an industry need for more curated and data-driven threat intelligence with the availability of ThreatQ Data Exchange. Built on the foundation of ThreatQuotient's flexible data model and support for open intelligence sharing standards, ThreatQ Data Exchange makes it simple to set up bidirectional sharing of any and all intelligence data within the ThreatQ platform and to scale sharing across multiple teams and organizations of all sizes. ThreatQ Data Exchange provides the ability to granularly define data collections for sharing, and to easily connect and monitor a network of external systems with which to share data. Data collections are built using the existing Threat Library user interface; they let users define the groupings of data they want to share, can incorporate any data available in the Threat Library, and are not limited to specific object types or attribute types. These data collections can be used for single-connection feeds, reused for feeds to multiple external systems, and also used for internal analysis within the Threat Library and Custom Dashboards.

"An analyst's ability to efficiently share focused, curated threat intelligence has a significant impact on the success of their organization's overall security operations. ThreatQ Data Exchange is a powerful new component of the ThreatQ platform and is critical for achieving more control over the collection and dissemination of threat data," said David Krasik, Director of Product Management, ThreatQuotient. "ThreatQ Data Exchange allows our customers to create custom data feeds with their aggregated data to share within and external to their organization. By providing the flexibility to share specific threat data without limitation or worry of exposing data that organizations prefer not to share, ThreatQuotient enables a collective understanding of threats and fosters a safer way to collaborate and share intelligence."

Any multi-tiered threat intelligence sharing network where control and monitoring must be available to a global administrator will gain a faster and easier way to operationalize threat intelligence by using ThreatQ Data Exchange.
Genetec Outpaces VMS and Windows-Based Recorders Markets: Omdia Report
According to the latest report from research organization Omdia, Genetec continued to increase its global market share, outpacing market growth in both the VMS and Windows-based recorders categories. The report also revealed that Genetec retained its position as the global market share leader, recording the highest growth amongst the top five worldwide software manufacturers. In its Video Surveillance & Analytics Market Share Database – 2021 report, Omdia recognized Genetec as the world leader (excluding China) in VMS with a 17.4% market share, up from 16.0% last year. While the EMEA market for VMS solutions grew at a slow rate (0.9%), Genetec continued to gain market share, posting one of the region’s strongest growth rates (7.7%) among the top 10 video surveillance software developers. The company credits its continued growth to the strength of its unified security platform, Security Center, recurring revenue from its enterprise cloud solutions, as well as a resolute focus on cybersecurity and privacy.
“While the global market for video surveillance software was flat in 2020, Genetec demonstrated a continued and sustained upward growth trend," said Oliver Philippou, Research Manager, Physical Security Technologies, Omdia. "Genetec was once again ranked as the number one developer in the video surveillance software market, as well as achieving top-two rank in worldwide Windows-based recorders sales.”
In the Windows-based recorders category, Genetec demonstrated the highest market growth globally. This reflects the company’s leadership in ready-to-deploy security infrastructure, fueled by an ever-strengthening demand for hardened appliances that address growing requirements of privacy and cybersecurity concerns.
“Throughout the pandemic, when organizations needed to reinvent themselves and adapt to the new reality very quickly, businesses became creative about how they used, redeployed and expanded their security systems across their organizations. With a unified security platform that ties in video surveillance with access control, ALPR, analytics and more, our customers were able to expand the role of physical security to go beyond traditional applications to deliver more value and improve business operations, without requiring massive investments,” said Guy Chenard, Chief Commercial Officer, Genetec, Inc.
NEWS
FinTech is the Key Disruptor for Emerging Market Financial Services in 2021 and Beyond
Jupiter Asset Management has launched its latest white paper titled “The Innovations Disrupting Financial Services in Emerging Markets” in response to shifting dynamics of financial services in the Middle East. In the paper, Jupiter identifies which FinTech trends have had the greatest impact in the last year and investigates how they are playing a role in evolving the financial services sector. FinTech is currently in an exciting phase, with new entrants afforded the opportunity to create compelling products for consumers while challenging the status quo and influencing incumbent financial institutions. In the Middle East, Jupiter’s Financial Innovation team believes that compelling opportunities exist for investors to increase their exposure to FinTech due to six main themes: the transition to a cashless society, e-commerce, emergence of super apps, financial inclusion, digital banking, and digital currencies. In MENA, financial inclusion has existed in the background as a challenge and opportunity for financial institutions for some time. The rise in FinTech innovation has created opportunities for the development of third-party, bespoke solutions and products that cater exactly to consumer requirements.
Companies and platforms are now emerging that can adequately capture larger proportions of untapped capital, which has long been underpenetrated by financial institutions. Jupiter’s team believes that the shifts in behaviour and the acceleration in financial innovation brought about by the pandemic are sustainable in the medium term, with plenty of room for new and exciting platforms and systems to emerge. Established institutions who realise the importance of technology and the role it plays, and will continue to play, in the financial services ecosystem will be best equipped to manage future disruption and reap rewards, with others quickly falling behind.
“Technology is at the heart of structural change in financial services, in both developed and Emerging Markets. Banks have dramatically changed the way they deliver products and services as they strive to meet customers’ ever-changing needs. However, lower barriers to entry mean that a flood of new FinTech players is entering the market, offering a wide range of innovative products and services and posing a serious threat to the established industry,” said Guy de Blonay, Fund Manager, Financial Innovation at Jupiter Asset Management.
“The growth of FinTech as an industry in its own right is accelerating in the Middle East, and the reason is two-fold. Firstly, the lack of legacy infrastructure gives Emerging Markets the agility to adapt to new and exciting technological advances, making them easier to integrate on a blanket basis. Second, major economies in the region, such as the UAE and Saudi Arabia, are currently mid-phase in their national transformation programmes, which hold within them supportive regulatory plans and projects to support FinTech innovation,” de Blonay continued.
// SECURITY REVIEW | JULY-SEPTEMBER 2021
“We see FinTech as an enabler of post-pandemic recovery, with exciting long-term opportunities for the sector. One risk that should not be overlooked, however, is the fact that technology stocks may be negatively impacted should we see a durable increase in interest rates. Overall, we retain a positive outlook on emerging sub-segments including cashless transactions, AI, online lending, crypto and digital currencies,” added Antoine Hucher, Equities Analyst, Financial Innovation at Jupiter Asset Management.
A cashless society is no longer a far-off fantasy, and is quickly becoming a reality through increased adoption of cashless payments and supportive e-commerce market dynamics. Such dynamics have given impetus for non-bank lenders to emerge and for incumbents and governments to take digital and cryptocurrencies more seriously. By way of example, Saudi Arabia’s Vision 2030 has officially committed to achieving 70% cashless payments for all transactions upon completion of the programme, a significant shift in consumer behaviour that will likely continue to evolve further should the rate of financial technology innovation maintain its current trajectory. One of the most significant drivers for FinTech growth across Emerging Markets is the demands and needs of consumers. According to Jupiter, retail audiences are compounding with macroeconomic trends to create a gap between institutional offerings and consumer demand, paving the way for more innovation, and disruption, in the financial services sector.
Emirates NBD’s Liv. Elevates Digital Banking Experiences with Microsoft Azure Cloud Services
Liv., the lifestyle digital-only bank by Emirates NBD, a leading banking group in the MENAT (Middle East, North Africa and Turkey) region, has enhanced its customer-focused offering by partnering with Microsoft to elevate the digital customer experience. “Microsoft Azure is rapidly picking up broader awareness from businesses, large and small, who are increasingly trusting the services to enhance their capabilities from the more than 60+ Azure regions, including the UAE cloud regions,” said Naim Yazbeck, Regional Director, Enterprise and Partner Group (EPG), Microsoft UAE. “These cloud services provide the opportunity to provide real-time insights that advance customer service and deliver a more refined consumer-focused business offering through enterprise-scale analytics, applicable across the financial sector.”
The digital bank that acts as a ‘financial buddy’ to its millennial clients is now powered by Microsoft Azure Cloud Services. The bank’s Today landing page has a variety of technical integrations offering a broad range of services, with advanced APIs (Application Programming Interfaces) and analytics that deliver a personalized banking experience. The enhancements will further elevate the Liv. proposition, which has received significant global recognition for its lifestyle-centered offering, making it the bank of choice for the younger generation. Liv.’s offering is centered around personalized banking solutions that match customers’ lifestyles and needs. Liv. provides a reimagined banking service, as one of the first mobile-only banks to cater to consumers’ lifestyle-based preferences. The bank provides a differentiated digital experience that is intuitive and simple to use, empowering a new generation of customers in their daily lives.
Only 11% of Emiratis Trust Social Media Companies With Their Personal Data
In modern society, many of us find ourselves giving more and more of our personal information to better experience and use products/services provided by a range of industries/institutions, among them social media titans such as Facebook, Instagram and Twitter. Interested in data protection, MoneyTransfers.com analysed the latest data from YouGov to establish which countries in the world most and least trust social media companies with their personal data. MoneyTransfers.com found that Poland is in the number one spot, as 32% of Poles trust social media companies with their personal data. In second position is India, where 16% of Indians are confident that social media companies diligently handle their personal data. Germany and Indonesia are in joint third place, as 12% of citizens in each respective country believe social media companies are competent and ethical in their management of personal data. The United Arab Emirates (11%), ranking fourth, is among the other countries where over 10% of citizens have faith in social media companies with their personal data. At the other end, in joint ninth position, are Italy and the United Kingdom: Italians and Brits are the most sceptical, as only 3% of citizens in each respective country are confident about social media companies with their personal data.
YouGov surveyed up to 2,251 individuals (adults 18+) in each of the 17 included countries: United Kingdom, United States, China, Germany, France, Italy, Denmark, Sweden, Spain, Poland, Mexico, United Arab Emirates, India, Australia, Indonesia, Hong Kong and Singapore. In each of the respective countries, those surveyed were simply asked: “Do you trust social media companies with your personal data?” The figures provided in the final results/data table are the percentage of those surveyed in each respective country who do trust social media companies with their personal data.
INTERVIEWS
THE SIMPLICITY OF SECURING AND MANAGING DATA Claude Schuck, the Regional Director at Veeam, speaks about what companies need to do to protect their data and be compliant
We would like to start with a brief about the digital transformation efforts companies are taking over the last couple of months. How is that progressing in the market and what feedback have you received?

We talk about digital transformation in the last months - the last 18 months I suppose. Customers faced a couple of challenges. They had digital transformation on their radar and we did a couple of reports at the beginning of this year. Digital transformation had increased by 60%, because companies were forced to move quickly to change the way they do business. The challenge they have now is with the pace and the speed of trying to get out of the spaghetti mesh of legacy systems. Mistakes are being made and they don't have enough time to be thorough enough to make sure that their transformation, which is essentially their new business, is working correctly. So that's one of the risks we've seen with customers in terms of digital transformation.

One of the things that has changed a lot is data security as well. How it is handled and the compliance as well. What kind of changes have you seen in terms of data privacy and compliance?

Yes, we speak about the lines getting blurred between security and data privacy. As an individual - and I always look back at real life examples. I look at things like, I'm a technologist. I love technology and I love it when things are intuitive and can point me in the right direction. But, I always say, when you see something and it comes across to you and it becomes creepy, you take a step back, right? You try to unravel to see what is that and we look at it and we say as individuals, we are far too easily influenced to click "accept", without knowing what we're giving away in terms of our privacy. So, just an example - I made a booking a while ago in terms of travel and I got the confirmation email from the airlines. Within two minutes, Google Calendar had opened up a calendar entry, saying "trip confirmed". This also included the details of the flight, the date and so on. So, the only way this thing can know what that is, is if it's reading every single email. That's creepy!

What do companies need to do, to make sure data is protected, especially when it is not centralised?

So, before the pandemic data was centralized and overnight we were forced to decentralize. Now with decentralizing of your work staff so did your data decentralize. And now you've got so many more touch points that are at a risk in terms of security - who has access over what type of data, what type of networks, and so on. So companies have to rethink their strategy about how do they back up, how they recover, and how do they secure their data. That's the challenge they do face today.

You recently announced new enhancements to your ProPartner program. Can you tell us about the enhancements?

So, the feedback from our channel community has been phenomenal. And it's been really good. Why? Because, we've put in more for them. When I look at a channel, the first thing we have to answer for them, is what's in it for them. And let's be honest, right? It's money. Because, that's why they have a business. We've increased the level of support and privileges for all our partners. So we go across from platinum, gold, and silver - who get further privileges to make more money. Another thing is when a partner stands up and is selling their value to their customer, it does add value to be associated with Veeam. And one more thing that is even more important between the vendor and the partner is trust. So, I think the Pro Partner program really encompasses all of these elements and the partners have been really thrilled with what we've done.

For your VCSPs, what sort of new enhancements and value-add has Veeam V11 brought along?

So, V11 was sort of launched during mid-pandemic and the one thing that our VCSPs - or Veeam Cloud Service Providers - were asking, was for a single platform which could be used to deploy their services very quickly. Services such as Back Up as a Service, DR as a Service and so on. They wanted that pace and speed and the simplicity of that and V11 addressed that. They've all embraced it and it's worked very well for them.

How has Veeam ensured business continuity for its partners and customers?

So, obviously when we talk about continuity, you know, you have to be able to back up your data, and recover your data. Also, there is a threat from ransomware, too. So, version 11 introduces a lot of new things around ransomware, whereby we give the ability for customers to lock or make their data immutable thereby securing it against any attack. This is something that is built into one box. V11 really focuses around putting all the feature sets within one and giving customers access to all of those without having to buy multiple products that are sometimes more expensive and more complex to implement.
EXPERT VIEW
HOW ACCESS CONTROL PLAYS A VITAL ROLE IN A SAFE RETURN-TO-WORK STRATEGY
Written by Sanjit Bardhan, Vice President – Head of Emerging Markets, Physical Access Control Solutions at HID
Employers today face a new challenge: to provide a safe and clean work environment as employees bring with them a new social consciousness centered on public health awareness, social distancing, and hygienic spaces. As employees consider a return to the physical workplace, employers must adapt to new requirements, implement new procedures, and leverage technology to alleviate their employees’ concerns. Access control plays a critical role in creating a safe back-to-work strategy. Organizations can leverage contactless physical access technologies — including mobile credentials along with Bluetooth solutions — as well as implement location services and visitor management tools to provide employees with an experience that supports a healthy and safe work environment.
CHANGED EXPECTATIONS
As organizations move toward reopening their offices, workers bring with them a new awareness of issues around human proximity, environmental and surface cleanliness, and the sharing of publicly accessed resources such as touch screens and keypads. Hygiene isn’t a new concern, but the level of awareness is new, as is the need to give employees the confidence that their workplace is not only secure but healthy and safe. Physical access is a prime area of interest. With health and safety concerns at the forefront, security and facilities personnel have the opportunity to be the heroes of the day. At a time when employee safety is not just an ordinary need, but an extraordinary moral obligation, teams can rise to the fore with proactive solutions that meaningfully impact the quality of life. Access control management can help route employees, in tandem with efforts to stagger work times. Physical access control systems (PACS) can also leverage location services to support contact tracing and reduce crowding, and these same systems can be used in support of thoughtful visitor management.
TOUCHLESS ACCESS CONTROL
Various forms of touchless access control can help to reduce viral spread at human-to-object touchpoints. By reducing contact between humans and the objects related to access control, security could help to minimize potential cross-contamination. Automatic door operators, revolving doors, and sliding doors — all can help to reduce contact at high-volume entry and exit points. These can be coupled with contactless credentials and readers to ensure security while minimizing surface contamination. Another strategy involves the use of long-range capable readers that leverage Bluetooth Low Energy (BLE) connections to deliver read performance at a distance. With a read range of up to several meters, BLE can further distance employees who might otherwise crowd up around readers and doors. Mobile access likewise reduces the need for employees to physically touch cards and communal readers. And by leveraging the technology on the mobile device instead of at the door, users are only touching their own device and not a touchpoint that is shared with every other occupant. Touchless credentials, including mobile-based, shouldn’t be limited to opening doors. Organizations also may find that these credentials support more hygienic protocols for logging in to networks, paying for vending, or activating printing.
VISITOR MANAGEMENT
Solid policies and advanced technologies can ensure the safe movement of visitors. Visitor management solutions can be used either standalone or in conjunction with an organization’s access control system. Visitors self-register in the lobby and hosts are notified when they arrive. Driver’s license scanners, barcode scanners, cameras, and printers all help support those front desk processes. While the primary use case is for visitors, these systems can also be used to issue employees temporary badges for single-day use or to issue replacement badges.
LOCATION SERVICES
Much as GPS is used in outdoor settings, location services leverage BLE beacons to ping off gateways that in turn can identify the location of individuals in a physical space. An individual’s identity can be based on an ID card which broadcasts continually, creating a virtual map of location relative to the fixed gateways. Location services give management a means to be proactive rather than reactive in their efforts to promote physical distancing. The same system could make space utilization more efficient. Connected beacons could broadcast room occupancy, for example, letting people know which spaces are free and which are in use.
EXPERT VIEW
HOW THE DISPOSABLE NATURE OF TECH IS PUTTING YOUR BUSINESS’S DATA AT RISK
Written by Rick Vanover, Senior Director Product Strategy at Veeam
It has become common practice for people to chase the latest technology trends. As tech becomes part of our everyday life, the lifecycle of our devices becomes shorter and shorter. This is adding to the sprawl of data. With the lifecycle of tech shortening, many are abandoning old devices at second-hand stores (thrift shops) and selling them to new owners without thinking about the data and personal information that is left on them. Many people are now working from home and opting to use a personal computer to get work done. This is making the challenge of controlling and managing your organisation’s data near impossible. With data now sprawling across company and personal devices, there is no control over it, especially when a device is sold on to its next home, left behind at a second-hand store or thrown away. To add to this, workplace trends like BYOD (Bring Your Own Device) are gaining popularity and making it harder for organisations to keep track of data. IT teams have less control over employees’ personal devices and so protecting the data on them becomes a challenge. Things like a lack of encryption or outdated operating systems can lead to potential hacks and data loss. This is something organisations need to consider when implementing a cyber security strategy. This means educating staff in understanding the risks involved with discarding old devices and setting up the right protections within an organisation.
Educating staff
The first step in managing this is for IT teams to educate employees about the risks involved with using personal devices for work purposes and then eventually discarding them. Employees should be trained in the security practices of an organisation and also understand how those translate to personal devices. Part of this should be educating staff on how to properly wipe the contents of their phones if they eventually discard them to a second-hand store. This is not something that is considered by most organisations. Employees also need to be briefed to understand how to identify potential malware, phishing, or ransomware attacks on their personal devices. If employees are able to identify these threats, it mitigates the risk of data being lost at all.
Protections
If educating staff fails, there are some protections IT teams can put in place to mitigate risk even further:
• Constant software updates – if employees opt to use their devices for work purposes, this has to be on the condition that the phone is updated regularly. Be sure to provide employees with the support necessary to deliver these updates.
• Password security – to minimise security risks, roll out a compulsory monthly password change. Also ensure that you are putting up restrictions around the type of passwords employees are using, making them less obvious to potential hackers.
• Encrypt data for protection – smartphones and tablets have encryption options that will provide protection of storage. Smartphones that are encrypted have a lower risk of being hacked.
• Clear all phone data – if employees decide to move on to a new device or stop using their current device, ensure you manage the deletion of all data from that phone and keep a strict policy around discarding devices.
As work from home has become the new normal this year, it is becoming increasingly complicated to manage the sprawl of a company’s data. While these agile work trends had been predicted for the next 5-10 years, organisations were not prepared for them to become so mainstream in 2021. As we look to the future, this is only going to become more and more complicated. It’s important for IT teams to understand all the risks as their companies take on more flexible working arrangements in the near future. A huge part of this is of course understanding the risks that come with using personal devices, particularly in the process of discarding them or sending them to a new home.
INTERVIEWS
SECURITY AND PRIVACY GO HAND IN HAND Ephrem Tesfai, the Sales Engineering Manager at Genetec, speaks about data security and data privacy
How has the need for data security and compliance changed over the past year?

The past year has uncovered vulnerabilities across multiple verticals as data security becomes a rising concern. The need for compliance to avoid potential breaches increases one news headline at a time. As seen in the Genetec EMEA Physical Security in 2021 report, physical security professionals have embraced digitalization and have started shifting their operations and data to the cloud. While this allows better data protection, it does not leave them immune to data breaches and cybersecurity risks. The report also outlines that cybersecurity is more important than ever in the physical security industry following last year's events, with decision-makers in the sector choosing to prioritize it moving forward. As the focus on data security increases, so does the augmented need for compliance with local regulations. Complying with data security standards globally and regionally is becoming more important for consumers and companies. Both sides can benefit from compliance and be harmed by the lack of it for personal and legal reasons.

What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?

With the continuous evolution of technology, securing data has become more complex as the cybersecurity landscape is perforated with impending threats. Therefore, companies need to put together best-practice standards and frameworks to ensure that their data is secured and remains compliant with the relevant regulations. This begins with staying informed about new laws to reinforce cyber resilience and avoid penalties for non-compliance if your network is breached. Companies need to be well prepared at all times, not only when expecting an audit. As data security can be compromised at any given moment, remaining compliant and implementing the correct methods to counter these risks is essential. For this, regular cybersecurity risk assessments are required. Companies also need to create a data security framework based on access control and identification, which means stricter accessibility to footage on an internal basis to ensure that sensitive data is available only to those with the relevant credentials. Regulations concerning what is done with the video surveillance footage need to be set and define where the data is stored and the disposal of any irrelevant data.

Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?

As the General Data Protection Regulation (EU GDPR) came into place, this has forced many countries to reevaluate their existing data compliance regulations and frameworks, including the MENA region. With countries within the region operating differently, there is no one size fits all in terms of data protection regulations. For example, the UAE’s Dubai International Financial Centre (DIFC), Dubai Healthcare City (DHCC), and Abu Dhabi Global Market (ADGM) have chosen to enact their specific data protection laws. The latter has been inspired by the EU GDPR as well as other international best practices. These rules and regulations outline the requirements for collecting, handling, disclosing, and using personal data in the different areas and the rights of the individuals whose personal data is held. Many countries have passed their own version of data protection laws recently.

How does your company help its clients with securing their data and staying compliant?

With countries within the region strengthening their data protection laws, Genetec aims to provide its clients ease of mind for both physical and data security. Physical security solutions should protect their clients’ people and assets while also helping them remain compliant by integrating policy and regulations in the platform and allowing the creation of security and operational reports acting as evidence for audits. Genetec products also highlight the need to provide robust cybersecurity defenses within physical security. As physical security solutions can be an entry point for threat actors to access enterprises' networks, it is essential to focus on how crucial it is to unblur the lines between physical and cybersecurity. Genetec solutions are built with core cybersecurity pillars in mind, including encryption, authentication, authorization, and privacy.

Do you believe the line between data security and data privacy has started to blur?

Security and privacy go hand in hand, and companies must maintain a balance between the two. Securing the individual’s data means ensuring their privacy, which can be done by implementing regulations within the video surveillance sector to protect unconcerned individuals. With stricter rules globally, video surveillance technologies will be forced to adapt to find a balance between security and privacy. Providing safety and protection to the public cannot be done without collecting personal, private data such as identity details, images, and videos. Video surveillance vendors need to move forward with product development with privacy and security as a priority in mind. This will achieve compliance and strengthen trust between vendors and clients and, in turn, between the clients and the individuals that these technologies are protecting. When security is assured, privacy is provided in turn.
INTERVIEWS
Data Security is the Heart of Cybersecurity Syed Ashfaq Ahmed, the Head of Encryption Business Unit at Spire Solutions, speaks about how data security and compliance needs have changed in the past year, the blurring line between data security and data privacy, and lots more How have data security and compliance needs changed over the past year? The last 12 to 18 months have seen a paradigm shift in technology adoption due to COVID and many initiatives which would have taken years to adopt have fast-tracked. The region has seen work from home, digital transformation, IoT, cloud adoption, etc take off in an unparalleled manner. All these changes make data one of the most valuable and strategic assets to the business therefore data protection has become a priority. Though the complexity in cybersecurity has increased, the idea of securing the data at the core using encryption has not changed. The authentication, integrity, and access to data are directly governed by encryption. Encryption is literally the last frontier of data security. Given a scenario when all the other security measures are breached, if the encrypted data cannot be broken, the stolen data will not be of any use to the adversary. The health of the cryptographic primitives should be at the highest level to give a core advantage for an organization in securing its data. In my opinion, data security is the heart of cybersecurity, and most organizations now believe that they are inherently addressing data security when they adopt various cybersecurity measures. Data security & compliance to regulations are no longer choices but mandates that companies must adhere to so they can protect their most prized asset (data) from newer attack vectors. What best-practice standards and frameworks can help companies achieve and maintain data security and compliance? 
Data breaches can lead to stringent financial penalties and can have catastrophic effects on an organization, so building robust data security programs that are in line with industry standards and led by skilled personnel becomes non-negotiable. Organizations can couple their internal experiences and industry best practices along with local laws and the most popular frameworks, developed based on years of academic research, training, and education, such as:
• Payment Card Industry Data Security Standard (PCI DSS): Protects the payment card data in electronic form during transmission & storage.
• Health Insurance Portability and Accountability Act (HIPAA): Protects sensitive patient health information & personally identifiable information.
• NIST Cybersecurity Framework & NIST Privacy Framework: Provides standards, guidelines, and best practices to help organizations manage cybersecurity risks & data privacy risks.
• ISO/IEC 27701, Security Techniques: Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management – Requirements and guidelines, helps companies manage their privacy risks for personally identifiable information.
• eIDAS: This allows the EU to provide a legal framework for transnational digital transactions. It establishes a framework for electronic identification and trust services, including the topic of the electronic signature.
What according to you are the five tips that companies need to follow to comply with data security regulations?
Irrespective of the framework an organization adopts, the following five tips will help them on the journey to regulatory compliance:
• Identify/Discover Critical Data: On the data security journey, the first step is to identify or discover what data is present and where it is present. Organizations should opt for solutions such as Atos Data Protect for discovering both structured data, such as data in databases, and unstructured data, such as data in file shares, SharePoint, etc. Atos Data Protect can help you in discovering the data based on cardholder information (PCI DSS), health records (HIPAA), PII of EU residents (GDPR), or other data.
• Classify and Protect the Data: The second stage in data security is to classify and protect the data. Organizations must use solutions like Data Classification and DLP, which can help in classifying the data and protecting the data from leakage.
• Data and Identity Security: Adopt a data-centric security approach to ensure your most critical assets are protected. Monitor and detect suspicious behavior on sensitive data and ensure access rights to sensitive data are properly managed. Also, identity is the new perimeter in today’s world, and organizations should adopt strong measures to protect the identities & the access, internal or external.
• Develop a clear plan: Organizations must develop a strategy while implementing data security solutions. Organizations should start with minimal scope, rather than going for exhaustive scope. Organizations must understand that developing these measures will be a “User Behavior/Culture Change”. Adding more controls in the initial stages will increase the user frustration and in turn decrease the productivity of the users.
• User Awareness: Organizations must ensure educating and creating awareness in the users. Organizational users must be trained to understand the importance of data security & the role they play in protecting critical assets of the organization.

// SECURITY REVIEW | JULY-SEPTEMBER 2021
How does your company help its clients with securing their data and staying compliant?
Spire Solutions has a team of data security professionals focused on data protection solutions that address compliance regulations of countries in the Middle East and Africa. We are partnered with ATOS, a global cybersecurity leader, to provide end-to-end protection of data at rest, in motion, or in use; and emerging quantum leader QNu Labs to bring quantum-safe security to the region with Quantum Key Generation & Distribution. Our consultants are adept with the regional data protection laws and agile enough to adapt to newer regulations to help our customers in their data security journey.
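As an added example of the discover-and-classify steps from the tips above (this is not Spire’s or Atos Data Protect’s code): a small scanner that finds candidate card numbers in unstructured text, validates them with the Luhn checksum to cut false positives, and reports only a masked form. The file content, function names and the dictionary layout of the findings are constructed for this illustration.

```python
"""Added example (not Spire's or Atos Data Protect's code): the discover and
classify steps for PCI DSS cardholder data in unstructured text.

Candidate card numbers (PANs) are found by pattern, validated with the Luhn
checksum to cut false positives, and reported only in masked form so the scan
report does not itself become a store of cardholder data. Sample input is
constructed; the valid number is a well-known test number, not a real account.
"""
import re

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: double every second digit from the right, subtract 9
    from doubled values over 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep only the first six and last four digits; the middle is starred."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def discover_pans(text, source="<constructed>"):
    """Return one finding per Luhn-valid PAN: where it is and a masked value.

    Note: a long digit run that fails Luhn is skipped as a whole; the regex
    does not retry shorter sub-runs inside it.
    """
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append({
                "source": source,
                "line": text.count("\n", 0, m.start()) + 1,
                "masked": mask(digits),
                "classification": "PCI DSS cardholder data",
            })
    return findings


# Constructed file content: one test PAN that passes Luhn, one 16-digit
# number that fails Luhn, and a phone number too short to match at all.
SAMPLE_FILE = """\
Order 1042 shipped to customer.
Card on file: 4111 1111 1111 1111 (exp 09/23)
Ticket ref 1234 5678 9012 3456 is not a card number.
Support phone 0800-123-4567
"""

if __name__ == "__main__":
    for finding in discover_pans(SAMPLE_FILE, "orders.txt"):
        print(finding)
```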
Security Models Should be Simple to Make Them Easier to Implement
Brian Chappell, Director – Product Management, BeyondTrust, speaks about best-practice standards for data security and compliance

How has the need for data security and compliance changed over the past year?
The move to remote working has radically expanded the arena in which organisations need to address and maintain data security, and with that comes greater complexity in satisfying compliance requirements. The number of devices needing securing has grown exponentially while the attack surface has grown geometrically. Also, more remote workers, often in environments that are far beyond any control of the organisation — i.e., not just home but, as lockdowns ease, coffee shops, etc. — leads to the need to increase controls on the endpoint without, as far as possible, impacting productivity and flexibility. We are looking at unprecedented increases in the challenges to maintaining an effective and appropriate data security practice. Too stringent a control suite and we’ll see a resurgence of shadow IT. Too open, and we risk easy dissemination of sensitive company information and/or easy entry into the environment.

What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
Frameworks tend to be collections of best practices that commonly address specific industry regulatory requirements — we see many of those best practices repeated across the various frameworks such as NIST Cybersecurity Framework, HIPAA, FISMA, etc. For me, the most important activity is to focus initially on the basics. I visualise the attack surface like desert sands — constantly shifting with dunes rising up and sinking away. Trying to build anything complex on top of that risks the structure tipping and toppling to the ground at, what might be, the slightest change.
We need to harden our cybersecurity strategy with foundational piles that hold steady and give us a platform on which to build. Those foundational elements include Privileged Password Management, Privileged Elevation and Delegation Management, Privileged Session Management, Vulnerability Management and Identity Management. These are the basics that organisations continue to not get right and, as a result, provide the most common areas of exploit. Getting these right means focusing on them, working to ensure the security models are simple, which makes them easier to design, implement, manage, maintain and respond to when something bad is happening. By simple, I don’t mean basic, I mean avoiding unnecessary complexity — something that’s very difficult for many in cybersecurity. As Steve Jobs put it: “Simple can be harder than complex. You have to work hard to get your thinking clean to make it simple. But it's worth it in the end because once you get there, you can move mountains.” Get the basics right and the rest gets easier, and that’s vital with the additional complexity in today’s data security world.

What according to you are the five tips that companies need to follow to comply with data security regulations?
Tip #1: You cannot abdicate or pass on responsibility for your data to another organisation. Even if you empower them to manage access, implement controls, or provide the infrastructure in which it’s stored and/or processed, it’s your data and you are ultimately responsible for it. That’s a guiding principle that any data security specialist should have pinned to their wall.
Tip #2: Get control over privileged access. This doesn’t mean just lock the environment down but rather implement controls that move you from a restricting approach — i.e., trying to control what someone can do with privilege — and onto an enabling approach where you can explicitly and granularly allow an unprivileged user to do more. It’s so much easier to understand and manage.
Tip #3: With #1 in place, you can know who has access to sensitive data. Next is to control that access through password and session management. This gives you visibility into when they accessed it and what they did with it.
Tip #4: Don’t ignore the external accesses into your environment by vendors supporting their systems in your infrastructure. Bring those accesses under the same controls as your own teams. Avoid VPN access. It doesn’t matter how well you think you have that entry point controlled, it’s likely to provide access to systems that are necessary for that access but that the engineer shouldn’t have visibility to. Find an access technology that doesn’t provide a direct TCP/IP path to the target system(s).
Tip #5: Know the regulations. This seems obvious, but everyone involved in data security should read and understand the regulations they need to comply with. Many rely on what others tell them, and that’s subject to interpretation. The number of times I hear requirements quoted that I know come from other, often unrelated, regulations, only because that’s what the person has been told or assumed. This is often the result of being asked a question about an area that the regulations applying to the organisation don’t cover, so people co-opt requirements from other regulations because they ‘make sense’. This complicates the compliance and often results in multiple solutions for the same problem and friction from each and every one. Be compliant, be a little more than compliant, but make sure you understand where compliance is and knowingly step over the line — don’t try and ‘control’ your way out of that situation. Sometimes the answer is to remove controls.

Do you believe the line between data security and data privacy has started blurring?
I don’t believe there is a line between data security and data privacy. You cannot have data privacy without good, effective, appropriate data security. While the concerns may be different conceptually, data privacy compliance relies on good controls to ensure that only appropriate people have access to data, that we know when they accessed the data and how they used that data.
Data Security and Data Privacy Are Two Separate Elements
Haider Muhammad, the Community Manager for Middle East, Turkey and Africa Community Sales (EMEA) at Milestone Systems, speaks about how newer techniques need to be built to ensure data security

How has the need for data security and compliance changed over the past year?
Technology has been changing rapidly over the past few years. Digital transformation has fueled the rapid acceleration of new technologies like cloud computing, Software-as-a-Service (SaaS) applications, Internet-of-Things (IoT), and computing by smartphone apps. Over the last year, the pandemic led to organizations rushing to enable their staff to work from home or remotely where possible. This meant investing in Virtual Desktop Infrastructure (VDI) and Desktop as a Service (DaaS) applications. We also have a lot of people working from home on their personal devices. With the lack of movement, online shopping and eCommerce increased. All these activities heightened the security risks. You can see that, unlike earlier, the digital touchpoints of accessing data have suddenly exploded. Earlier, staff were accessing only from the office, and now there are multiple points. The sudden move to a virtual office has led to inadequate security practices and a lack of awareness, and the costs of securing devices, leading to data security risks. Companies have had shortfalls in implementing adequate security measures and compliance policies.

What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
We would recommend the following measures for organizations to keep their data secure. Awareness plays a significant role. Employees need to undergo security training to avoid lapses on their part.
Some of the tips would be:
• Organisations must ensure security awareness training periodically for all the staff about various threats
• Organisations must mandatorily implement policies so users will be forced to change their passwords
• Use and update antivirus and anti-malware software when needed
• Ensure your operating systems are always up to date with the newest security patches and updates from manufacturers
• Employees must avoid oversharing their screens. During online meetings, they should be extra cautious when sharing their screen
• Beware of phishing
• Do not acquire or use work-related IT equipment without an agreement with your own organisation.
In the case of Video Management Systems (VMS), a few extra measures are needed, as follows:
• Awareness: Ensure broader awareness of the need for a secure VMS
• Hardening: Tighten up your Video Management Systems (VMS) as part of an ongoing and dynamic process designed to ensure robustness
• Training: Educate users and colleagues on best practice in system set-up, installation, and use
• Privacy: Maintain a ‘culture of privacy’ by ensuring that the system is compliant with local data privacy regulations.
• Regular updates: Keep systems up to date with the latest drivers, patches, and fixes to stay ahead of any hacks

Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
There are no specific laws governing the processing of personal data by public sector institutions in the UAE. However, we take personal data very seriously and handle it in the same manner that we would with other countries with laws. In Europe, GDPR is playing a leading role. European Union initiatives protect data in cloud scenarios, e.g., Schrems II, which we follow closely to sense early impact for Milestone, our customers, and partners. Another example is GDPR Guidelines and local implementation of rules for storage of video feed.

What, according to you, are the five tips that companies need to follow to comply with data security regulations?
Companies need to understand that data is a sensitive matter and data privacy matters. There can be legal damages in case of non-compliance.
We would advise customers to look at data in the following ways that will help them become compliant with data security regulations. Data Analysis: Organizations need to understand the kind of data processed. Depending on the type of personal data, there are different principles to follow. In short, the more sensitive the data is for the data subject, the better you need to protect it, and the more specific you need to be about what you are using it for.

Do you believe the line between data security and data privacy has started blurring?
I would say Data Security protects data from compromise by external attackers and malicious insiders. Data Privacy governs how data is collected, shared and used. There are data encryption techniques in place that protect data at rest and data in motion. For example, your credit card data is stored securely and is not visible to your e-commerce stores. In the field of video technology, there are also plenty of solutions with the ability to anonymize data through metadata aggregation, privacy masking, data purging and much more, and thereby video tech can help keep people safe without compromising data privacy. Continuously, newer techniques are being developed to strengthen data privacy further. Data security techniques are also advancing against new threats, and it is an ongoing process. We can minimize breaches with user awareness and advanced data security techniques. I believe data security and privacy complement each other to mitigate risks and build a strong foundation of trust in the accelerating digitalisation of society.
There’s No Single Best Security Standard or Framework
Nezar Edwan, the Regional Accounts Manager for Saudi Arabia at Infoblox, speaks about data security and compliance

How has the need for data security and compliance changed over the past year?
The COVID-19 pandemic accelerated digital transformation and drastically changed the way things are done and our daily lives. This has imposed a massive impact on the data and data security, making it more challenging to safeguard it from corruption and unauthorized access by internal or external sources. At the same time, the importance of securing data has grown more critical, as organizations who suffer breaches also suffer financial loss, reputation damage, consumer confidence disintegration, and brand erosion. Furthermore, new government and industry regulations around data security make it imperative that organizations and companies achieve and maintain compliance with these rules wherever they do business.

What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
With the evolution of technology and networks, several security standards and frameworks exist which address different cyber security needs and business sector requirements. So, there’s no single best security standard or framework, as each serves a specific purpose and is designed to address certain gaps and issues. However, ZTNA is becoming very popular today, especially with digital transformation and the adoption of modern work styles such as WFA, WFH & BYOD, as well as SASE, an emerging cybersecurity concept that Gartner described in the August 2019 report entitled ‘The Future of Network Security in the Cloud’.

Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
Locally within the Kingdom of Saudi Arabia, the National Cybersecurity Authority (NCA) introduced the Essential Cybersecurity Controls (ECC) after conducting a comprehensive study of multiple national and international cybersecurity frameworks and standards. NCA developed the controls by reviewing legal and regulatory requirements, global cybersecurity best practices, analyzing cybersecurity incidents and attacks on government establishments, and considering the opinions of various prominent businesses around the country.

What according to you are best tips that companies need to follow to comply with data security regulations?
Start simple by adopting a step-by-step approach. First, you need to understand your business and what security regulations apply to you. Then, identify how the digital transformation will affect you on the business level. Next, determine the data and the assets that you own and what level of impact the transformation will have on those assets. Lastly, determine what conditions should be in place to gain access to your assets, and establish data access policies.

Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
Infoblox is a technology leader in DNS security and enterprise-grade DNS, DHCP & IPAM (DDI). Many security regulations and frameworks such as ZTNA and NCA/ECC recognize the necessity of DNS security in emerging networks. This is because the DNS control plane can provide a layer of foundational security and offers network administrators the ability to gain centralized visibility and control over all of your computing resources, following the tenets of Zero Trust. DNS can be a source of telemetry, helping to detect anomalous behaviour (for example, a device going to a server it usually doesn’t go to) and to analyze east-west traffic. DNS can also continuously check for, detect and block C&C connections. For every cloud and on-premise data center that your enterprise uses, DNS can be a centralized point of visibility and risk reduction.
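As an added example of the DNS telemetry described in the answer above (this is not Infoblox code): a per-device baseline of previously resolved names flags first-seen lookups, and a blocklist check catches known command-and-control domains at the resolver. The log format, IP addresses, domain names and blocklist entries are constructed placeholders.

```python
"""Added example (not Infoblox's code): DNS query logs as security telemetry.

Two checks from the interview above, run over constructed log lines:
  * a first-seen check that flags a device resolving a name it has never
    resolved before (baseline built from earlier logs), and
  * a blocklist check for known command-and-control (C&C) domains, matching
    the exact name or any parent domain.
Log format, addresses, domain names and blocklist entries are all constructed.
"""
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client-ip> <queried-name>"
BASELINE_LOG = """\
2021-07-01T09:00:01 10.0.0.5 mail.example.com
2021-07-01T09:00:07 10.0.0.5 sharepoint.example.com
2021-07-01T09:01:12 10.0.0.9 mail.example.com
2021-07-01T09:02:45 10.0.0.9 updates.vendor.example
"""

TODAY_LOG = """\
2021-07-02T11:10:01 10.0.0.5 mail.example.com
2021-07-02T11:10:33 10.0.0.5 updates.vendor.example
2021-07-02T11:11:02 10.0.0.9 beacon.c2-placeholder.example.
2021-07-02T11:11:40 10.0.0.9 MAIL.example.com
"""

# Placeholder C&C domain; a real deployment feeds this from threat intel.
C2_BLOCKLIST = {"c2-placeholder.example"}


def parse(log):
    """Yield (timestamp, client, name) with names normalised to lowercase and
    no trailing dot, so case or FQDN form cannot slip past the checks."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        yield ts, client, qname.lower().rstrip(".")


def in_blocklist(qname, blocklist=C2_BLOCKLIST):
    """True if qname itself or any parent domain is blocklisted."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def build_baseline(log):
    """Map each client IP to the set of names it resolved during the baseline."""
    seen = defaultdict(set)
    for _, client, qname in parse(log):
        seen[client].add(qname)
    return seen


def analyze(baseline, log):
    """Return (client, name, verdict) tuples that need attention.

    "block": a blocklisted (C&C) name, to be blocked at the resolver.
    "first-seen": a name this client never resolved before; an anomaly to
    review, not proof of compromise.
    """
    findings = []
    for _, client, qname in parse(log):
        if in_blocklist(qname):
            findings.append((client, qname, "block"))
        elif qname not in baseline.get(client, set()):
            findings.append((client, qname, "first-seen"))
    return findings


if __name__ == "__main__":
    for finding in analyze(build_baseline(BASELINE_LOG), TODAY_LOG):
        print(*finding)
```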
Use Security Measures to Accomplish Privacy Objectives
Ahmed Sousa, the Systems Engineering Director (EMEA) at Poly, speaks about tips companies need to follow to comply with data security regulations

How has the need for data security and compliance changed over the past year?
Data security has become even more critical to organizations and government entities for more than just moral and legal reasons. Data falling into the hands of hackers and immoral people could spell a lot of trouble for the entities and society as a whole. It can also cause damage to the reputation of these organizations besides having financial and logistical repercussions. For most companies during the quarantine, work environments changed significantly. Workers were sent home, services moved to cloud providers and the security perimeter looked different. Companies and security organizations have had to quickly adapt and implement new (and sometimes creative!) ways to monitor activity to identify and thwart threats – oftentimes with little to no new financial resources or tools.

What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
Globally, ISO/IEC 27001 is the most widely accepted international standard for information security best practices and provides assurance that the best-practice information security processes have been established and implemented. Every organization should focus on 3 core elements that function as a security framework - Confidentiality, Integrity, and Availability. Some of the best practices include data auditing, real-time alerts, risk assessments and clean up of stale data.

Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
In Europe, GDPR compliance is the framework that organizations adhere to. In the region, there are no such specific laws but the onus is on each organization to ensure that they are being safe and ethical. Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage. The main consideration for processing public data is ensuring veracity.

What according to you are the five tips that companies need to follow to comply with data security regulations?
Go back to basics. Companies must continuously evaluate the following:
• Policies, Procedures, Standards and Guidelines – These documents must exist and be reviewed at regular intervals to ensure they are up to date and address both risks and requirements.
• Employee Training and Awareness – Workers should receive regular security awareness training that addresses the real risks an organization faces. Make sure your training curriculum addresses not only concepts and industry best practices but also your internal security and data privacy policies.
• Be aware of any data protection regulations you must comply with – Data protection laws are quickly being adopted and/or updated in many countries and even in individual states across the globe. Know what your obligations are regarding the movement of data (Cross-Border Data Transfers especially). You may need to formally execute written agreements to satisfy regulatory requirements and process data in compliance with laws.
• Network Security – Corporate and development networks should be managed and controlled to protect both systems and applications.
• Vulnerability Management – Managing technical vulnerabilities within the company’s information systems should be constructed on timely information through regular threat assessments.

Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
Poly helps unleash the power of human collaboration with secure video, voice and content solutions. Poly privacy and security practices are applied to the design, development, implementation, hosting, and maintenance of systems, infrastructure and the networks that store Poly and customer data. Poly’s Information Security Management System (ISMS) is ISO/IEC 27001:2013 certified. Poly’s ISMS is comprehensive and covers people, processes and technologies used to provide unified communication and collaboration services and solutions to employees and customers (both hosted and on-premises). The Poly Product Security Standards align with NIST Special Publication 800-53, ISO/IEC 27001:2013 and OWASP for application security. Guidelines, standards, and policies are implemented to provide our developers industry-approved methods for adhering to the Poly Product Security Standards. Also, Poly follows a secure software development life cycle (S-SDLC) with an emphasis on security throughout the product development process.

Do you believe the line between data security and data privacy has started blurring?
Not blurring, no. Security is the process of layering together tools, technical configurations, and procedures (like logging and monitoring) to prevent compromises in data confidentiality, integrity and availability. Privacy is a legal concept. We can use security measures to accomplish privacy objectives. Organizations have begun establishing lines of defense for data security. Many are even working on compliance through their privacy and security teams with a focus on data governance and management. It is important that every function in the organization from HR, Marketing, Operations to Security understands their responsibility and is in compliance.
Data Security Through Robust Cybersecurity Should Be Top Priority
Patrick Grillo, the Senior Director for Solutions Marketing at Fortinet, speaks about what companies should do to comply with data security regulations

How has the need for data security and compliance changed over the past year?
Obviously the biggest impact over the last year has been the shift to “work from home/work from anywhere” and the need to securely support a remote workforce with no advance notice. Shifting a workforce away from their usual environment, with little to no training on the “ins and outs” of remote access, significantly increased the risk to data security.

What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
There are a number of different frameworks available for organizations to use in their efforts for data security compliance such as ISO 27001, NIST Cybersecurity Framework and MITRE ATT&CK. These frameworks focus on cybersecurity, which is the foundation for data security.

Are there any regional data compliance regulations and frameworks, which companies that handle large amounts of public data need to follow?
The General Data Privacy Regulation (GDPR), which was introduced by the European Union in 2018 and has subsequently been used as a framework as individual countries create their own standard, is probably the best known regulatory framework.

What according to you are the five tips that companies need to follow to comply with data security regulations?
1. Know where the data is located.
2. Understand why you’re collecting data.
3. Collect only the minimum amount of data necessary.
4. Periodically review internal procedures for collecting and storing data.
5. Be as transparent as possible.

Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
Fortinet works with its customers to ensure that their network is secured to the highest degree possible through its cybersecurity platform, the Fortinet Security Fabric. The Fortinet Security Fabric provides broad, integrated and automated protection across the entirety of the network.

Do you believe the line between data security and data privacy has started blurring?
Yes, very much so. For example, when the GDPR came into effect, most organizations had focused on the customer-facing aspects of the regulation such as the appropriate disclaimers about their data collection and opt-out policies. Data security, through robust cybersecurity, needs to be a top priority for all organizations.
Ransomware Attacks Have Soared in the Past Year
Aloysius Cheang, the CSO of Huawei UAE, speaks about best-practice standards that can help companies achieve and maintain data security

How has the need for data security and compliance changed over the past year?
Accelerated digitization has been one bright spot from the pandemic, but it is coming at a cost. As digital spreads across enterprises, it also increases the risk and impact of cyberattacks. Some of the digital platforms that organizations have rolled out around AI, cloud, and IoT are incredibly powerful. Yet they can be unfamiliar territory for their IT security teams, so there’s a constant need to stay vigilant, share learnings, and develop open standards that can help all businesses. Another trend we’ve seen is that work-from-home requirements have complicated many organizations’ security posture as employees collaborate outside the corporate firewall. Most organizations have also been compelled to implement emergency security strategies on the fly, sometimes with little testing or training, potentially exposing their corporate virtual assets to cyber threats. The World Economic Forum's COVID-19 Risks Outlook report released last year found that 50% of enterprises were concerned about increased cyberattacks due to a shift in work patterns alone.

What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance?
The reality is that humans often remain the weakest link in any security posture. Phishing, for example, accounts for a large number of all cyberattacks today. Therefore, training and awareness of employees must be a priority. Cybersecurity is also a corporate priority, and security managers should have direct access to the C-suite so that cybersecurity is woven into the corporate fabric. Ransomware attacks have also soared in the past year, highlighting the need to always back up data and have a disaster recovery plan in place. Additionally, the proper access controls need to be maintained to manage access for remote workers. In short, companies need to bake cybersecurity needs into the company’s processes right from the beginning so as to achieve security-by-design and privacy-by-design to ensure security out of the box.

Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow?
If your organization has any business with EU companies or individuals, you certainly need to be aware of GDPR. Countries in the Gulf have their own data security laws. The UAE, for example, has data protection requirements in place both at the federal and emirate level that govern personal and corporate data. The UAE's National Cybersecurity strategy, developed by the TRA, aims to create a safe and robust cyber infrastructure. Meanwhile, the Dubai Cyber Security Strategy aims to strengthen Dubai's position as a world leader in innovation, safety, and security. Saudi Arabia also has a broad Anti-Cybercrimes Law that addresses data protection in the context of cybercrimes. The Saudi Arabian Monetary Authority (SAMA) has also published a Cyber Security Framework for the financial institutions under its purview to guide their efforts towards appropriate cybersecurity governance. Moreover, organizations should leverage their partnerships with technology companies for their expertise and capabilities. At Huawei, we assist numerous customers daily to secure and comply with regulations if and when required.
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
Cybersecurity is more important than ever, and as an industry, we need to work together to share best practices and build our collective capabilities in governance, standards, technology, and verification. At Huawei, we work with governments and private sector organizations to jointly develop and contribute to such cybersecurity initiatives. Huawei is also committed to transparency, as demonstrated in our expanding network of global Cyber Security and Privacy Protection Transparency Centres. This June, Huawei opened the largest of such transparency centers, which provides a testing environment for Huawei software and hardware, technical documents, testing tools, and necessary technical support. Security is an integral part of Huawei's own digital offering. We provide resilient end-to-end network security capabilities that ensure the security of customer data and applications. Huawei's products and solutions have been deployed by 253 Fortune 500 companies globally, helping secure their digital transformation journey.
There is a Thin Line Between Data Security and Data Privacy Sajith Kumar, the General Manager of Enterprise at Cloud Box Technologies, speaks about tips companies need to follow to keep their data safe and be compliant
What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance? There is no single regulation or standard implemented by organizations. Instead, organizations comply with multiple regulations and frameworks, and the popular ones include GDPR, CCPA, HIPAA and PCI-DSS. These help them improve their information security policies by providing guidelines and best practices based on the company's needs and the type of data they maintain. Non-compliance with these regulations can result in severe fines, costly cyberattacks or data breaches. It is important that organizations start to have a strong data governance framework, which helps against cyberattacks, provides stronger data management processes and reduces the burden on the IT teams. And most importantly, it helps organizations remain compliant. Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow? Different regions have set up their own data compliance requirements. Some of them that are widely followed would be GDPR (Europe's General Data Protection Regulation), CCPA (California Consumer Privacy Act), LGPD (Brazil's Lei Geral de Proteção de Dados), POPI (South Africa's Protection of Personal Information Act), etc. What according to you are the five tips that companies need to follow to comply with data security regulations?
1. Data Encryption Policy: Companies should have policies around data encryption so that the data is not misused or breached and is accessible only to approved users.
2. Internet Usage Policy: With employees spending time on non-work-related websites, companies have to put in place an acceptable internet usage policy. This will formalize any activities that are outright blocked, as well as set limits on the time employees spend on unproductive activities. It must also put in place a system for how companies monitor these activities.
3. Email Policy: Employees need to be educated and made aware of the different types of files that may be opened and what kind of information can be shared, which also includes awareness of scam emails, etc.
4. Password Policy: Companies need to train employees to set strong passwords and outline policies to change passwords periodically.
5. Data Usage Policy: Employees need to know what kind of data is being processed, how it is being used and with whom it is being shared, and most importantly what policies are in place to ensure that this is carried out.
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant? Presently, more than 120 countries have enacted data protection legislation to secure the protection of data as well as privacy, and this number is growing constantly. Cloud Box Technologies helps customers ensure that their data is secure and that compliance requirements are being met. We do this by helping them keep regular backups, helping them have information flow legally and transparently, and, in case of any data loss in the event of a failure, helping them recover from the situation by analyzing it and putting in place an action plan that will help them out of the crisis. Do you believe the line between data security and data privacy has started blurring? There is a thin line between data security and data privacy. Although this line is not blurring, organizations as well as individuals must realize the importance of data security, especially in today's digital world. Government regulations are in place and, moving forward, they will be fine-tuned to tackle current and future requirements.
INTERVIEWS
CISOs Can Provide a Long Term Vision to Security Amit Hooja, the CEO of NetGraph, speaks about how companies can stay compliant and keep their data secure How has the need for data security and compliance changed over the past year? As more businesses move towards online interactions, threats are increasing on a daily basis, and businesses have to work towards securing customers by keeping their data and privacy intact. Different industries and jurisdictions are drafting their own sets of rules, regulations and compliance requirements, and these are more or less similar to each other. However, some industries have higher needs for security, especially in the case of medical records, financial transactions, etc. Also, similar to GDPR, it is now evident that a lot more countries are moving towards creating their own sets of privacy rules. What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance? In the current business environment, IT is of equal importance and must be given its due. One way to ensure that there is a tight-knit unit that works with every department would be to have a CISO in place who will be able to provide a long term vision to security. Another area that needs to be a focus is that the appropriate policies are set on data management and how the process will work in terms of handling customer data. Besides, organizations should be able to identify data access groups and what level of data is accessible and transferred between departments. One of the most crucial ways to ensure data security would be the usage of encryption wherever personal or sensitive data is stored. This must be fortified with encryption keys that have limited access. Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow? What we see here in the UAE is that some entities have their own public data regulations, and most public data would fall under the general criminal law. Businesses are also equipped to comply with the GDPR requirements if applicable. However, there is an increased awareness of data privacy and it is being given priority treatment as more and more customers are aware of how their data is being stored. Should there be any data breaches, it would cost the company major loss of revenue as well as reputation. What according to you are the five tips that companies need to follow to comply with data security regulations?
• Know your data flow: who owns what and who deals with what data and for what purposes
• Data flow should be encrypted in whatever channels it goes through
• Access keys should be guarded and provided only for the level of data access people need
• Big format exports should be rare and audited
• Integrations and APIs should be well audited
• Disclosures to users based on country of jurisdiction
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant? Compliance has been gaining traction across the globe and, as Managed Security Service Providers, we are aware of the increasing need to strengthen our customers' data protection posture. We provide a set of services that will help in establishing strong processes for data
management, setting encryption in place for sensitive data, determining the eligibility and type of data available to different people across the organization, and also providing air-gapped and time-based access to data whenever needed.
Security Practitioners Should Work Towards Preserving Users' Privacy As Much As Possible Jonathan Fischbein, CISO, Check Point Software Technologies, speaks about how data security and compliance has changed over the past year How has the need for data security and compliance changed over the past year? Over the past year, the "new norm" workspace expanded the organization's perimeter. Going forward into 2021, remote work and distributed workspaces are a new reality. The need for data security and compliance was predominant as organizations had to recalibrate their cybersecurity approach around securing their corporate networks and data centers, cloud environments, and employees wherever they are. With remote work as the new standard and organisations working on multi-cloud environments, we had to make sure that all the developers and teams accessing very confidential assets, such as source code, customer PII (Personally Identifiable Information), ERP systems or financial information, etc., did not let them go out of the organization. Technologies such as VDI (Virtual Desktop Infrastructure), together with several other security solutions, are adopted to make sure that the exchange of data and information from home is secured. The use of collaboration tools has also escalated rapidly. Organizations have switched to using collaboration tools such as Zoom, Teams, and Slack more than ever before. These collaboration platforms, which are an extension of an organisation's on-premise infrastructure, are completely in the public cloud. What are the best practice standards and frameworks that can help companies achieve and maintain data security and compliance? There are plenty of best practices, but the question is first of all how we can implement a best practice that is going to scale and be unified across the entire organization. It is not feasible to implement best practice standards and frameworks separately for each different
sector within an organisation. It has to be simple. If a security policy or a solution framework is not easy to follow, it will become a major obstacle. Cyber attackers will find ways to elude and bypass it, which is a very big problem. Adopting the Data Loss Prevention (DLP) best practice is extremely important in making sure that all information going out is filtered. Secondly, making sure that all files by default are encrypted in ways such that any member of the organization can access them, but if unwittingly that information is sent to an external third party, they should not be able to access it. There are many different ways by which important data can fall into the wrong hands. Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow? Every country has its own legislation and set of regulations, which are dynamic and are reformed through continuous efforts to improve them. There are many data protection laws and pieces of legislation put in place to secure and safeguard the protection of data and privacy within the country. Besides the regional regulations and compliance, there are also several other well-known certifications and frameworks that cybersecurity vendors or organizations operating in the cloud or other security-specific areas have to comply with. We need to have compliance checks on this process of digitalization and adoption of the cloud. As we move information and important data into the public cloud, we need to also add to the security to ensure that this environment is secured. There is also a necessity to maintain compliance checks and monitor them on a regular basis. This is an important part of our daily operations at Check Point Software Technologies, which requires us to focus on compliance checks on GRC and infosec best practices internally as well. What according to you are the five tips that companies need to follow to comply with data security regulations? First of all, I would say map the challenge right. If the mapping is done in the right way, then you will know exactly what is where and will be able to tackle the problem. This is very significant on the public cloud when it is not clear how dynamic or extensive it is; in that case, the battle will be lost before it even starts. The second one is to make sure to understand the security controls that are already in place. As cyber-attacks become increasingly evasive, more controls are added, making security more complicated and tedious. The next important thing is to implement the security policies that are relevant and can be met. For example, it is not possible to implement military-grade security controls in a regular organisation; it has to be relevant and there should be a balance. Other than this, there is also a need to make sure that the security policy does not become an obstacle and allows people to work successfully, knowing that security is present on the side but does not cause an obstruction. And lastly, it is very important to make sure that all of the regulations, such as SOC 2 and PCI, etc., and many other such certifications and regulations, are kept up to date. We know that in every country legislation and regulations are changing, so it is necessary to make sure that the security teams are up to date with this.
INTERVIEWS
Integrated Cybersecurity Solutions Can Help Companies Protect and Monitor Data Emad Fahmy, the Systems Engineering Manager for Middle East at Netscout, speaks about what companies need to do when they handle large amounts of data How has the need for data security and compliance changed over the past year? Data security and compliance have evolved in the role they play in our everyday lives. Both are critical factors for consumers to trust the business entity that they provide sensitive personal data to. As cybersecurity attacks increase, the spotlight is firmly fixed on data security and compliance moving forwards. According to our Threat Intelligence Report in 2020, there were over 10 million DDoS attacks taking place alongside rising rates of ransomware attacks and data breaches. Even though data security has been a recurring and critical topic for a while, the increased reliance on the use of virtual solutions and platforms we have witnessed during the past year has made this a priority. What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance? As companies struggle to maintain and achieve data security and compliance, their digital transformation journey has propelled them into the more challenging task of managing and tracking data company-wide. Data management best practice is to put in place clear and defined procedures that support and manage data compliance activities. One of the best ways businesses can protect and monitor data across their organization is through an integrated cybersecurity solution. At Netscout, we choose to apply three types of safeguards to assure our clients' data is protected:
• Technology safeguards, which are applied through anti-virus and encryption and the continuous monitoring of our systems and data center to ensure compliance
• Organizational safeguards, through the training and awareness of our resources to make sure that they are also applying personal data safety best practices
• Physical safeguards, which refer to securing access to facilities and regular destruction of personal data according to compliance policies
Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow? Across the UAE, multiple authorities exist that look after data security and compliance regulations and set the standards to be applied by companies in the country. The National Electronic Security Authority (NESA) standards outline the requirements for appropriate implementation of security controls in order to safeguard information assets across all entities in the UAE. Complying with these standards allows the mitigation of identified information security risks and the implementation of efficient controls. The Information Security Regulation (ISR) works along with the international compliance standard ISO 27001:2013. This regulation evaluates 12 domains of the information security structure, ranging from management and governance to performance measurement. What according to you are the four tips that companies need to follow to ensure data security? We recommend using an integrated cybersecurity solution to maintain data security while remaining compliant. The main four tips we suggest as requirements for the implementation of an integrated cybersecurity solution are:
• The ability to classify and understand sensitive data in order to achieve visibility on different data platforms.
• The option to map identities to ensure the authentication of anyone logging into the system.
• The continuous risk analysis of sensitive data in order to simplify the tracking and prevention of data leakages.
• The planning and monitoring of risk to protect data from unauthorized access by implementing automated orchestration.
Do you believe the line between data security and data privacy has started blurring? With businesses facing rapid data growth across the enterprise as they embark on their digital transformation journey and individuals’ shift to a more virtual way of living, the line between data security and data privacy becomes increasingly blurred. As large volumes of data are widely available today more than ever, we have to place high importance on managing and protecting data to avoid its misuse and ensure regulatory compliance and customer trust, making data security and privacy more important than ever before.
Security and Privacy Go Hand in Hand Hyther Nizam, the President for Middle East and Africa at Zoho, speaks about how data privacy enables people to control the use and disclosure of their data, and lets them exercise their rights over it How has the need for data security and compliance changed over the past year? With remote working as a norm in the past year, more and more businesses are looking for cloud software to run their business. The data is no longer residing behind the firewall. They now rely more on cloud software vendors, hence the need for strict data security and compliance has increased. You are as strong as the weakest link. It's important to identify the weakest link, isolate it and have the right data security strategy in place to fix it. What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance? Security should be the core foundation on which customer data has to be laid. It has to be thought through from the ground up, right from the first step of writing a piece of software code to selecting the network or data storage devices. First, organizations should adopt a Zero Trust approach. Interestingly, trust is a key factor to retain employees, but in the security context, to retain customers we need to adopt a Zero Trust policy of not trusting anything to ensure customer data is 100% safe and secure. Second, Bring Your Own Device (BYOD) policies should be clearly stated. This is a key area for potential data leaks. Third, become compliant with security practices and privacy laws. The European Union's General Data Protection Regulation (GDPR) has become the gold standard for privacy. Apart from GDPR compliance, companies should become ISO certified on the Information Security Management System (ISMS) ISO 27001 series: 27001, 27017, 27018, 27701.
Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow? It's important that companies that handle large amounts of public data follow the principles of the Federal Information Processing Standards (FIPS) and GDPR, which can be set as a baseline for global privacy compliance. Many countries are following the core concepts of GDPR when drafting their privacy laws. For example, South Africa has come up with the Protection of Personal Information (POPI) Act, which follows in the footsteps of GDPR. It would be good if companies follow other key security frameworks like NIST and ENISA, which focus on cybersecurity. What according to you are the five tips that companies need to follow to comply with data security regulations?
• Understand the assets and continually assess the threat landscape
• Continuous monitoring and audit
• Automate compliance wherever possible, even enabling AI/ML-based technology
• Adopt global standards and map local frameworks to them
• Standardize common practices so that deviations/anomalies can be observed easily
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant? The first step is to set up a separate department in the organization to look after security, privacy and compliance. At Zoho, we created awareness, conducted training programmes and sensitized all employees on security and privacy. For customers, we set up default security configurations wherever possible and provide options for them to configure or re-configure the settings according to their organisational requirements, especially providing controls to customers to define security parameters like access controls and encryption. Do you believe the line between data security and data privacy has started blurring? Security and privacy go hand in hand. Data privacy enables people to control the use and disclosure of their data, and lets them exercise their rights over it. Data security provides security over users' personal as well as non-personal data, such as confidential information and other business assets. Security is more often seen to enable data privacy, while more data privacy requirements encourage organizations to improve their security. The good news is that more organizations are taking privacy and security seriously than ever before. Consumers are becoming more aware of privacy and surveillance issues and the potential risks that ad-based companies pose to their data. Privacy is no longer perceived as a luxury but a necessity, thanks to privacy-conscious companies like Apple. For example, in the latest update of iOS, Apple has introduced App Tracking and Transparency (ATT), where an app has to get explicit permission from the user to access location, microphone, contacts and photos. Such consumer awareness on privacy is accelerating the data privacy actions inside organizations.
INTERVIEWS
Companies Have Started Focusing on Cyber-Risk Mitigation Strategies Ray Kafity, the Vice President for Middle East, Turkey, and Africa (META) at Attivo Networks, speaks about data security and compliance
How has the need for data security and compliance changed over the past year? Over the past year, the importance of data and network security has risen throughout various verticals, whether in governmental, non-profit, or for-profit organizations. These entities must protect personal information and confidential data, and that requires better in-network detection of attacker activities. In addition, the increased reliance on cloud storage, online work collaboration solutions, and other network services, brought on by the shift towards remote working and learning environments following the pandemic, has heavily driven cybercriminals to abuse companies' vulnerabilities and caused data breaches. These trends, therefore, highlight the need for improved data security measures, especially those related to detecting attacker misuse of credentials, privilege escalation, and lateral movement. As compliance requirements and security challenges evolve, companies have turned to cybersecurity platforms focusing on cyber-risk mitigation strategies aligned with several well-known security frameworks. What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance? To assure that organisations achieve and maintain data security and compliance, companies and IT leaders have advocated for combining cyber hygiene and information sharing since the late '90s. However, they have deemed these methods alone insufficient, since better detection capabilities must accompany them. Nevertheless, only by grouping these three essential factors can IT leaders make real and positive changes to keep personal data secure. This year has been a turbulent one in terms of data security. With several data breaches headlining the news, companies should no longer trust software providers without establishing an "assumption of breach" security posture through more effective detection tools. Companies seeking to minimize breach impacts should implement Identity First security as an essential best-practice standard rather than patching vulnerabilities when they arise. This strategy denies access to data through personalized and limited data access control. Additionally, using guidelines provided under MITRE ATT&CK and Shield can help organisations understand the coverage of their security controls and where there are gaps. These tools have been particularly helpful in showing security teams coverage risks related to attacker lateral movement and privilege escalation. Of notable mention are the risks associated with Active Directory, which is intrinsically insecure, under-protected, and can have extreme consequences if exploited. Such approaches limit potential insider threats that can cost companies very significant losses, with the Middle East facing losses of over 11 million dollars annually. Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
The Attivo Networks ThreatDefend platform helps clients secure data and stay compliant. While deception technology is the ideal solution for in-network threat detection, less familiar is its ability to meet guidance according to the ISO/IEC 27000 family of standards. After an in-depth evaluation of the capabilities of ThreatDefend concerning ISO/IEC 27001 and 27002, Attivo concluded that the solution provides the needed abilities to meet the standard and the policy objectives. The ThreatDefend platform allows the detection of potential credential theft, privilege escalation, and lateral movement. It also records and reports these movements to prove that the company is well equipped to detect and react to threats. Therefore, these records can demonstrate both company and supplier compliance through extensive reports of how the organization has mitigated the risk caused by the threat.
Achieving Compliance Can be a Challenging and Nuanced Process Mujtaba Mir, the Senior Sales Engineer of META at Barracuda Networks, speaks about the requirements for data security and compliance
How has the need for data security and compliance changed over the past year? There has been a significant change, with the majority of organisations going from having no formal guidelines in place to now having clearly defined data security policies. This of course has been a result of the changes in workforce dynamics that we have witnessed over the last 15 months. As people begin to work outside of traditional IT perimeters, they don't have the same protections as before, while still requiring the same, if not greater, collaboration and communication capabilities. This has fuelled a growing interest in Cloud Access Security Brokers (CASBs). And of course, Data Loss Prevention (DLP) remains a fundamental requirement. At Barracuda, we are currently running the public beta of Barracuda Data Inspector, our cloud solution which offers advanced data protection features such as data classification, data interaction, and policy enforcement. Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow? A key mandate, especially for government entities and organisations that manage sensitive customer information, is that data remains in-country throughout its lifecycle. This has had implications on whether or not regional organisations can utilize cloud services, and the third-party service providers they can work with.
There are of course specific frameworks that organisations in the region must be aware of, and these depend on where these businesses choose to operate. For example, in Dubai, businesses might have to comply with the DIFC Data Protection Law No.1 of 2007 and the 2020 Law, whereas in Bahrain, they would be required to follow the Personal Data Protection Law (PDPL), which was announced in 2018. What according to you are the five tips that companies need to follow to comply with data security regulations? While the specific requirements that need to be fulfilled can vary depending on the framework, there are broad criteria that organisations should have in place, both in order to meet regulations and to strengthen their security posture. Perhaps most importantly, they will need to ensure their data is securely backed up and replicated in an offsite holding location such as a disaster recovery site. Data classification is also important, as this helps determine how information is stored, transferred, and accessed. Since meeting the various criteria required to achieve compliance can be a challenging and nuanced process, it is likely that organisations would need to engage the help of systems integrators that specialise in compliance. Whereas vendors would be able to address specific requirements of the framework, the broad-scale expertise of a systems integrator best positions them to address all areas of the undertaking.
INTERVIEWS
Unwavering, Resilient and Personal Commitment From the Top is Key Roberto Maranca, the Data Excellence VP at Schneider Electric, speaks about data security and compliance
How has the need for data security and compliance changed over the past year? The more COVID accelerates the digital transition, the more the resilience risk coming from digital operations escalates in companies' risk profiles, so I think at the very least the awareness of what previously was focused mainly on cyber risk now comprehends data security and compliance. The expectation on corporations around transparency and ethics has also accelerated, possibly faster than the previous point, as more digitally aware generations are gaining spending power and making employment choices. What are the best-practice standards and frameworks that can help companies achieve and maintain data security and compliance? The simplest and most important practice a company can put into practice is to develop a detailed "situational awareness" of its own data. The emergent emphasis on data flow mapping, data catalogues and metadata repositories in general is not an accident: a clear view of the company's data supply chains is a priceless piece of intelligence to optimize data security measures and to minimize compliance risks. Are there any regional data compliance regulations and frameworks which companies that handle large amounts of public data need to follow? The simple and unorthodox answer would be "Loads!" There has been an acceleration of regulations that are specifically posing obligations on companies around what they do with their data, so much so that not being regulated in a certain country for a certain activity has become the exception.
It is also noticeable that, although GDPR-like regulations have stolen a bit of the limelight, and justifiably so for the potential effect of digital and data on the right of the individual to privacy, with globalization sovereign states are realizing that data (all of it, and not just personal data) is crucial to their economic, political and societal objectives, and they are busy designing laws that will extend national borders into the digital space. Global companies have to be ready to learn how to be global and share their data to be efficient and profitable in a world that will see a marked data protectionist phase, hopefully a transient one. What according to you are the five tips that companies need to follow to comply with data security regulations?
• First tip: It might sound obvious, but unwavering, resilient and personal commitment from the top is key
• Second tip: As per the previous point, be on top of your data, wherever it is, whoever is using it, for whatever purpose… Know your data supply chains
• Third tip: Be on top of your third parties; a contractual clause about data security should be tested for effectiveness regularly and not just debated after a breach has happened
• Fourth tip: If you approach regulation as a "project" you will fail; regulatory response must add something to the DNA of the company, sustainably, and most crucially include dedicated resources
• Fifth tip: Test, test, test for the worst scenario; nobody is perfect and things can happen, but customers' and employees' trust can be rescued out of the most harrowing situations by having a very well drilled response to crisis, which should involve top management where appropriate
// SECURITY REVIEW | JULY-SEPTEMBER 2021
Many countries have passed their own version of data protection laws recently. How does your company help its clients with securing their data and staying compliant?
Schneider Electric strongly supports the fundamental rights to privacy and data protection as well as compliance with national and international privacy laws. In its legal and ethical principles, "Our Principles of Responsibility", Schneider Electric commits to maintaining confidential any personal information and to strictly limit any disclosure in accordance with local laws.

Do you believe the line between data security and data privacy has started blurring?
Personally I think that they are complementary disciplines of the same subject, data. There is commonality of tooling, processes and capabilities, but there are also specific aims and skills involved to be successful at both.
MARKET RESEARCH
BUSINESSES ARE NOT EQUIPPED TO DELIVER ON CUSTOMER EXPERIENCE: IFS STUDY
Businesses are missing out on a significant opportunity to fix internal processes and address the root causes of customer experience issues in the wake of the pandemic, research from enterprise software specialist IFS has today revealed.

The global study, which surveyed 1,700+ executives and 12,000+ consumers, uncovered that despite the majority of companies (66 percent) investing upwards of $250,000 each year evaluating the customer experience through Net Promoter Scores, reviews, and customer satisfaction surveys, 82 percent were unable to recall a single positive example of a recent frictionless customer experience—showing current customer experience processes do little more than wallpaper over the cracks.

While much attention is paid to customer service, the inflection points that occur throughout the lifecycle of an operation and encompass processes, technology solutions, and human coordination are even more important to business outcomes, yet even more frequently overlooked. Only by careful orchestration of these components can companies deliver a quality ‘Moment of Service’, in which everything comes together to create a positive result for a customer.

However, while 79 percent of businesses have invested time and resources in identifying where these inflection points are, when problems are identified nearly a third of managers (29 percent) admitted to reporting them but not taking action. Furthermore, some 18 percent revealed they were too busy to report issues unless urgent, while just 15 percent said they proactively look to pre-empt problems. This begs the question of how companies can expect customer experience and loyalty to improve without taking necessary action, leaving revenue and market share on the table.

With 90 percent of businesses stating they have reengineered or are reengineering their business to ensure customer touchpoints and stages come together for better moments of service, it is vital that companies ensure processes are optimized across each of these inflection points to mitigate issues and fuel growth.

For enterprises that fail at the moment of service, the financial ramifications are significant. A quarter of consumer respondents stated they would never engage with a brand again after just one bad experience, while over half (52 percent) would abandon a company after two to three. IFS also sought to examine the impact of negative experiences on wider brand perception and uncovered that 58 percent of consumers are very likely or somewhat likely to share their negative perceptions with their network, highlighting how easily a bad interaction can be amplified.

However, it’s not all doom and gloom. Over half (52 percent) of consumers are inclined to leave a positive review, underscoring just how much can be gained by keeping an open dialog with customers and focusing on delivering an exceptional brand experience.

“When it comes to delivering a positive customer experience, businesses have a limited opportunity to get it right. And if they neglect a single inflection point, they are gambling with their outcomes, including profits and margins,” IFS Chief Customer Officer Michael Ouissi said. “There are many points where you can either delight or disappoint a customer across the value chain and it is clear from these findings that consumers are willing to voice their opinions either way. As more and more businesses look to service provision as a key competitive differentiator, running the right enterprise software—engineered for the moment of service and capable of orchestrating a multitude of people, assets and customers—will separate the winners from the losers."

“To achieve this, enterprises must rethink how they architect their operations, and become a ‘composable enterprise’ that harnesses a combination of packaged functions and technologies to deliver outcomes and adapts to the pace of business," Ouissi added.
EXPERT VIEW
ALREADY A RECORD-BREAKING YEAR FOR RANSOMWARE, 2021 MAY JUST BE WARMING UP Written by Bill Conner, President and CEO at SonicWall
We live in a nation preoccupied with the setting of new records. But while many records are newsworthy, not all of this news is good news. Two examples that have recently made headlines: the mid-June heatwave that has shattered temperature records all over the American West, and the unprecedented wave of ransomware attacks currently torching networks … well, just about everywhere.

Through May, SonicWall recorded 226.3 million ransomware attacks, a 116% year-to-date increase over 2020, indicating cybercriminals’ rapidly evolving and highly profitable attack tactic. In fact, May 2021 was victim to the highest number of ransomware attacks we have ever recorded. Increases in ransomware attacks were recorded even in countries that had already been struggling with comparatively large amounts of ransomware, such as the U.S. and the U.K., which saw ransomware attacks spike 149% and 69%, respectively.

Since the beginning of the year, it seems that 2020’s perfect storm for cybercrime in general, and ransomware in particular, has only grown in intensity. On the heels of its late 2020 performance, itself record-breaking, Bitcoin continued thundering on into 2021, reaching a new high in each of the first four months of this year. Around the world, fortunes were being made on cryptocurrency. And ransomware, its barriers to entry lower than ever due to readily available hacking tools and platforms such as Discord, attracted an increasing number of cybercriminals looking for a quick, easy way to obtain the bitcoin that could make their fortunes.

Unfortunately, in this storm, victims are finding that lightning strikes the same place twice with frightening regularity. Companies eager to move past increasingly sophisticated and debilitating ransomware attacks, and often sheltered by high-dollar ransomware insurance policies, too often pay the ransom — only to be targeted again shortly after. According to ZDNet, roughly eight in 10 organizations that paid ransom demands were subsequently attacked again, with nearly half of these victims saying they believe the second attack was perpetrated by the same criminals as the first.

And these criminals are continuing their shift toward soft targets, including hospitals, utilities, schools and government agencies. In early March, Broward County School District in Fort Lauderdale, Fla., set its own record when it received a $40 million ransom demand — the highest ever for an educational institution. And in May, the Colonial Pipeline ransomware attack brought one of the nation’s largest fuel transportation networks to a standstill for nearly a week, leading to fuel shortages and panic buying.

The bombardment of ransomware attacks is forcing organizations into a constant state of defense rather than an offensive stance. And as the tidal wave of ransomware attacks continues to crush company after company, there is a lot of speculation on how to keep individual organizations safe, but no real consensus on how to move forward when it comes to combating ransomware as a whole.
Law enforcement agencies and political figures continue to voice opinions that constantly contradict each other on how best to fight adversaries that know no boundaries, do not adhere to international laws and are far from the charitable operators they claim to be. The volume of targeted attacks on government organizations and enterprises that impact civilians, countries and the global economy will not end without a change in approach. But many countries — particularly those that have been hardest hit by ransomware, such as the U.S. and the U.K. — are mobilizing to fight back. With ransomware attacks now elevated to a matter of national security, increased funding for fighting cybercrime and penalties at the national level for countries that harbor ransomware groups could finally begin to turn the tide.
MARKET RESEARCH
Gartner Says Worldwide IaaS Public Cloud Services Market Grew 40.7% in 2020

The worldwide infrastructure as a service (IaaS) market grew 40.7% in 2020 to total $64.3 billion, up from $45.7 billion in 2019, according to Gartner, Inc. Amazon retained the No. 1 position in the IaaS market in 2020, followed by Microsoft, Alibaba, Google and Huawei.

“Hyperscale providers are continuing to build distributed cloud and edge solutions that extend the public cloud’s reach into private and on-premise locations, addressing the needs of organizations relating to data sovereignty, workload portability and network latency,” said Sid Nag, research vice president at Gartner. “This fact, coupled with reliance on the public cloud by a majority of organizations during the pandemic, drove another year of double-digit market growth in 2020.”

In 2020, the top five IaaS providers accounted for 80% of the market, and nearly 90% of all IaaS providers exhibited growth. Amazon continued to lead the worldwide IaaS market with $26.2 billion of revenue in 2020 and 41% market share. Amazon’s 28.7% growth was slightly slower than that of the market, with their sales growth primarily reflecting increased customer usage.

Microsoft maintained the No. 2 position in Gartner’s IaaS market share with nearly 60% growth, reaching $12.7 billion in revenue in 2020. The global healthcare crisis and disruption in workplace environments during the pandemic era drove increased demand from existing Microsoft Azure customers to migrate mission-critical workloads, such as from healthcare applications with AI-assisted bots, digital twins in manufacturing and e-commerce in retail.

The dominant IaaS provider in China, Alibaba, grew 52.8% in 2020 with revenue surpassing $6 billion, up from $4 billion in 2019. In 2020, Alibaba saw its highest growth rate in the education vertical at 105%, driven by downloads of Alibaba’s enterprise communication and collaboration platform DingTalk among employees and students working and studying from home.

After its second consecutive year of over 200% growth in the IaaS market, Huawei broke into the top five IaaS vendors for the first time in 2020, with $2.7 billion in revenue. Over 90% of this revenue comes from Greater China, a region that continues to see rapid cloud market growth. “After 2019, Huawei made a hard pivot away from selling equipment to investing heavily in their cloud services business which is starting to yield results,” said Nag.

Google’s IaaS revenue grew 66% to reach nearly $4 billion in 2020. Spending from the retail, government and healthcare sectors helped drive Google’s growth in IaaS in 2020, as did their focus on supporting the development and deployment of cloud applications in both a hybrid and multicloud model. “The era of CIOs investing in cloud IaaS and platform as a service (PaaS) discretely is long over,” said Nag. “While the cloud market will continue to grow, the real opportunity for providers comes from growth in cloud-adjacent technology markets such as edge, 5G and AI, as CIOs look to invest in technologies that address their complex and emerging use cases.”
EXPERT VIEW
RISKY ONLINE BEHAVIOURS TO AVOID FOR A SAFE HYBRID WORKPLACE Written by Werno Gevers, Regional Manager at Mimecast Middle East
Hybrid work models are here to stay. Thanks to progressive vaccination rollouts, life in countries like the UAE and Saudi Arabia has largely returned to normal. But it’s highly unlikely all organisations will ever fully return to pre-pandemic work models where employees were expected to work from an office all the time.

In a recent virtual roundtable discussion with security leaders in the UAE, hosted by Mimecast, participants discussed the impact of hybrid work models on their overall security posture and cyber resilience. According to participants, employees working from home pose security challenges that many organisations are yet to fully understand. While it is tempting to simply deploy new technologies to keep remote users safe, this can lead to a cluttered security environment that becomes near-impossible to manage effectively. Keeping things simple and working to perfect processes could yield better results in protecting the organisation from the wide array of modern cyber threats.

In the education sector, most places of learning still rely on online learning. Here, the use of virtual private networks (VPNs) with multi-factor authentication helps enable students and teaching staff to connect to online learning securely. In most cases, however, it is the behaviour of the employees or end-users themselves that poses the greatest risk to an organisation’s overall resilience against cyber threats.

The critical role of employee behaviour

As the last line of organisational defence, employees play an invaluable role in protecting the organisation from attack. The pandemic initiated a stunning rise in the volume and sophistication of cyberattacks, putting employee behaviour front and centre in the fight for greater cyber resilience and security. In the latest Mimecast State of Email Security report 2021, 39% of organisations in the UAE reported an increase in internal threats or data leaks initiated by compromised, careless or negligent employees.

Half of UAE organisations were also hit by an attack where an infected email attachment spread from one user to other employees, while 43% reported the same for emails infected with malicious URLs. Seventy percent also said they believe there is a risk of an employee making a serious security mistake using their personal email.

Putting the organisation at risk

Organisations in the UAE face particular challenges with employee behaviour. In research conducted in 2020, respondents from the UAE reported the greatest use of company-issued devices for personal activities among all countries surveyed. Nearly nine in 10 (87%) respondents in the UAE said they use their work-issued device for personal activities, against a global average of 73%. In response, organisations across the region are prioritising cybersecurity awareness training. In fact, all organisations (100%) surveyed for the State of Email Security research conduct some form of cybersecurity training, with nearly half (47%) providing training on at least a monthly basis. However, organisations should not be lulled into a false sense of security. Awareness training alone cannot protect the organisation from employees engaging in risky behaviour. In the same 2020 study into personal use of work-issued devices, every respondent from the UAE said they were aware that links found in emails, on social media and in websites can infect their devices, and yet 61% said they opened suspicious emails nonetheless.

Organisations need to embark on a continuous process of regular, effective and engaging cybersecurity awareness training to help employees avoid some of the common behaviours that could put them – and the entire organisation – at risk.

Risky behaviour to avoid

Never click on unknown links in emails. Threat actors habitually embed malicious links that could expose the user to malware and other threats. These can easily spread from one user to another and cripple organisational defences.

Never open or share email attachments unless you are 100% sure that you trust the sender, that the sender is not being impersonated and that you are confident that you know the attachment is not malicious.

Don’t use your work device for personal activities. The more a work device is used for non-work activity, the greater the risk that the user unwittingly shares sensitive information, clicks on malicious links, downloads malware or otherwise exposes the organisation to cyber threats.

Don’t reuse the same password across multiple accounts. If you log in to your personal email with the same password you use to access work systems, you could inadvertently expose the organisation to a data breach. Use unique passphrases for every service to avoid the risk of having multiple accounts compromised by one successful breach.

Take additional precautions with securing home WiFi networks. Employees are increasingly using their home networks to access work systems, and these networks are often less secure than enterprise networks. Ensure you have adequate security measures in place to protect your personal network.
EXPERT VIEW
TEN REASONS TO MOVE TO THE CLOUD
Written by Khaled Al Shami, Senior Director, Solution Consulting, Infor
Parting ways with a legacy solution isn’t always easy. The old, familiar processes and workflows may be comfortably predictable, even if outdated. Now, as companies begin to prepare for post-COVID recovery, the need for a change is harder to ignore.

The cloud is tempting. Necessity forced many companies to accelerate cloud adoption as they transitioned to a remote workforce, online services, and contact-less offers for customers. The leap into digitalization wasn’t as frightening as imagined. Those cloud experiments proved positive, removing lingering hesitations for many risk-averse companies. For companies looking to remove their last doubts about cloud, here are 10 examples of how cloud solutions simplify business challenges.

1. Agility. Want to change direction? No problem. Cloud solutions are highly flexible, making it easier to quickly set up new divisions or branches, break off business units, or merge with partners. Go ahead. Chase new concepts or business models.
2. Innovation. Think outside of the box. Encourage cross-functional collaboration within your organization with real-time tools for sharing ideas, files, and data. The deep storage capacity of cloud solutions will support ongoing R&D efforts.
3. Automate steps. Solutions backed with Artificial Intelligence (AI) help enterprises analyze processes and make smart decisions. Take advantage of cloud’s vast storage capabilities, use AI-driven analytics to find anomalies needing attention. Set up trigger events and automate responses, such as quality control checkpoints.
4. Yes? No? Maybe. Make well-informed decisions based on system recommendations. Some yes/no checkpoints can be automated, the system deciding if sufficient standards are met.
5. Streamline security and services. Security is a top concern for many companies, and they are relieved to learn about secure infrastructures, especially when provided by experts like AWS. A provider can also manage maintenance and disaster recovery and day-to-day needs, making the entire IT function simpler to manage and maintain.
6. Rules. Rules. Rules. Governance requirements have become confusing and time-intensive to manage in some fields. Always-modern cloud solutions can help companies stay current on the latest requirements.
7. Do-it-yourself reporting. For many legacy systems, reporting is complex, requiring assistance from the IT team to custom write queries. Modern solutions deployed in the cloud often have AI-driven reporting that guides the business user through creating customized reports.
8. Power to the people. Cloud solutions give business users tools to help them do their job, often from any place, anytime. Remote connectivity is simplified – without risking security.
9. Platform as a service (PaaS). Choosing the right PaaS will give your team tools for no-code and low-code applications so they can build out specialized functionality as needed.
10. Stretch resources. Finding qualified IT technicians isn’t always easy. And your existing team may be stretched beyond capacity. Cloud solutions relieve your IT team of day-to-day maintenance, security, and back-ups so they focus on more important tasks.

Cloud solutions provide the powerful end-to-end solutions that organizations need to modernize and simplify processes. Complexity can be tamed and managed with the right solutions. By moving the entire core ERP into the cloud, enterprises can make bold, high-impact changes. They can shed the modifications of their legacy solutions. They can employ proven best practices and confidently embrace the future.
EXPERT VIEW
WHAT TO EXPECT WHEN YOU’VE BEEN HIT WITH REVIL RANSOMWARE Written by Harish Chib, Vice President, Middle East & Africa, Sophos
REvil, also known as Sodinokibi, is a widely used, conventional ransomware-as-a-service (RaaS) offering that has been around since 2019. Criminal customers can lease the REvil ransomware from its developers, adding their own tools and resources for targeting and implementation. As a result, the approach and impact of an attack involving REvil ransomware is highly variable. This can make it hard for defenders to know what to expect and look out for. The following information may help IT admins facing or proactively concerned with the impact of a REvil ransomware attack. The findings are based on insights from the Sophos Rapid Response team, which has investigated multiple cyberattacks involving REvil.

What to do immediately: contain and neutralize

The first thing you need to do is determine whether the attack is still underway. If you suspect it is, and you don’t have the tools in place to stop it, determine which devices have been impacted and isolate them immediately. The easiest option is to simply disconnect from all networks. If the damage is more widespread than a few devices, consider doing this at the switch level and taking entire network segments offline instead of individual devices. Only shut down devices if you can’t disconnect the network.

Second, you need to assess the damage. Which endpoints, servers and operating systems were affected, what has been lost? Are your backups still intact or has the attacker deleted them? If they are intact, make an offline copy immediately. Also, which machines were protected? They’ll be critical in getting you back on your feet.

Third, do you have a comprehensive incident response plan in place? If not, you need to identify who should be involved in dealing with this incident. IT admins and senior management will be required, but you may also need to bring in outside security experts and consult with cyber insurance and legal counsel. Should you report the incident to law enforcement and/or inform data protection authorities? There is also the question of what information you should give to employees, many of whom are likely to find a similar ransom note on their desktop.

Last, but definitely not least: you’ll need to contact these and other key people, such as customers, to let them know what’s happening, but the attackers may be eavesdropping so don’t use your normal channels of communication. If the intruders have been in your network for a while, they’ll probably have access to email, for instance.

What defenders can do

There are some proactive steps you can take to enhance your IT security for the future, including:
• Monitor your network security 24/7 and be aware of the five early indicators an attacker is present to stop ransomware attacks before they launch
• Shut down internet-facing remote desktop protocol (RDP) to deny cybercriminals access to networks. If you need access to RDP, put it behind a VPN or zero-trust network access connection and enforce the use of Multi-Factor Authentication (MFA)
• Educate employees on what to look out for in terms of phishing and malicious spam and introduce robust security policies
• Keep regular backups of your most important and current data on an offline storage device. The standard recommendation for backups is to follow the 3-2-1 method: 3 copies of the data, using 2 different systems, 1 of which is offline. Also test your ability to perform a restore
• Prevent attackers from getting access to and disabling your security: choose a solution with a cloud-hosted management console with multi-factor authentication enabled and Role Based Administration to limit access rights
• Remember, there is no single silver bullet for protection, and a layered, defense-in-depth security model is essential – extend it to all endpoints and servers and ensure they can share security-related data
• Have an effective incident response plan in place and update it as needed. If you don’t feel confident you have the skills or resources in place to do this, to monitor threats or to respond to emergency incidents, consider turning to external experts for help
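One way to audit the internet-facing RDP exposure the checklist says to close, as an added example that is not Sophos code: the script parses the `Key: value` block layout printed by `netsh advfirewall firewall show rule name=all` on Windows and flags enabled inbound Allow rules that open TCP/3389 on the Public profile to any remote address. The rule export embedded below is constructed and abbreviated for illustration; the `10.8.0.0/24` VPN pool and the rule names are assumptions.

```python
"""Flag Windows firewall rules that expose RDP (TCP/3389) to the internet.

Added example, not Sophos code. Parses the "Key:   value" blocks printed by
`netsh advfirewall firewall show rule name=all` and reports enabled inbound
Allow rules that open 3389 on the Public profile to any remote address.
"""
import sys

RDP_PORT = 3389

# Constructed, abbreviated export: one exposed rule, one VPN-scoped rule,
# one disabled Block rule. Real netsh output carries a few more fields.
SAMPLE_EXPORT = """\
Rule Name:                            Remote Desktop - User Mode (TCP-In)
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private,Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            RDP from VPN pool only
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
Profiles:                             Domain,Private
LocalIP:                              Any
RemoteIP:                             10.8.0.0/24
Protocol:                             TCP
LocalPort:                            3389
Action:                               Allow

Rule Name:                            Block RDP (Public)
----------------------------------------------------------------------
Enabled:                              No
Direction:                            In
Profiles:                             Public
LocalIP:                              Any
RemoteIP:                             Any
Protocol:                             TCP
LocalPort:                            3389
Action:                               Block
"""


def parse_rules(export: str) -> list[dict]:
    """Split the netsh export into one dict of fields per rule block."""
    rules, current = [], None
    for line in export.splitlines():
        if line.startswith("Rule Name:"):
            current = {}            # each "Rule Name:" line starts a new rule
            rules.append(current)
        if current is None or ":" not in line or line.startswith("---"):
            continue                # skip preamble, separators and blank lines
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return rules


def port_matches(spec: str, port: int) -> bool:
    """True if a LocalPort spec ("Any", "3389", "80,3389", "3000-4000") covers port."""
    if spec == "Any":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if not low.isdigit():
            continue                # named specs such as RPC are not port numbers
        if high == "" and int(low) == port:
            return True
        if high.isdigit() and int(low) <= port <= int(high):
            return True
    return False


def exposed_rdp_rules(rules: list[dict]) -> list[str]:
    """Names of enabled inbound Allow rules opening RDP to Any on the Public profile."""
    findings = []
    for rule in rules:
        active = (rule.get("Enabled") == "Yes" and rule.get("Direction") == "In"
                  and rule.get("Action") == "Allow")
        if not active or rule.get("Protocol") not in ("TCP", "Any"):
            continue
        if not port_matches(rule.get("LocalPort", "Any"), RDP_PORT):
            continue
        profiles = {p.strip() for p in rule.get("Profiles", "").split(",")}
        # Public profile plus an unrestricted RemoteIP is the internet-facing
        # case the checklist says to close or move behind VPN/ZTNA with MFA.
        if "Public" in profiles and rule.get("RemoteIP") == "Any":
            findings.append(rule["Rule Name"])
    return findings


if __name__ == "__main__":
    # Pass a saved netsh export as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for name in exposed_rdp_rules(parse_rules(text)):
        print(f"EXPOSED: {name!r} allows TCP/{RDP_PORT} from Any on the Public profile")
```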
Dealing with a cyberattack is a stressful experience. It can be tempting to clear the immediate threat and close the book on the incident, but the truth is that in doing so you are unlikely to have eliminated all traces of the attack. It is important that you take time to identify how the attackers got in, learn from any mistakes and make improvements to your security. If you don’t, you run the risk that the same adversary or another one might attack again in the future.
EXPERT VIEW
FOUR STEPS TO ENSURE ROBOTIC PROCESS AUTOMATION SECURITY Written by Naved Rashid, Analyst (Research & Advisory) RPA at Gartner
EXPERT VIEW
HOW THE PANDEMIC HAS IMPACTED COMMUNICATION SERVICE PROVIDERS Written by Amr Alashaal, Regional Vice President - Middle East at A10 Networks
The COVID-19 pandemic has had a lasting impact on countries around the world and, even with the successful vaccination rollout, regions are still moving in and out of lockdowns. Containment measures have, as you would expect, caused a substantial drop in business activity across Europe, Middle East and Africa (EMEA), especially in contact-intensive sectors. Economic growth is expected to pick up throughout 2021 as vaccines become more widely distributed.

However, communication service providers have seen a significant surge in demand because of the pandemic. Overnight they saw demand spike as organisations moved to a distributed workforce. With many businesses now committing to a more hybrid working model, communication service providers will continue to experience high demand for the foreseeable future, which presents a unique set of challenges.

To understand the true scale of demand and examine how COVID-19 has impacted communication service providers, A10 Networks conducted research that analyses the challenges and issues that senior IT professionals in communication service providers are facing, and how they are adapting to a post-pandemic world. Over 1,200 senior professionals took part in the research from five different countries and across seven different vertical market sectors including financial services, education, healthcare, government, ecommerce and retail, utilities, and gaming. Examining the responses across these different vertical markets, here is what we found:

Gaming and retail and ecommerce see significant spikes in demand for data and network bandwidth

Without a doubt COVID-19 had a significant impact and almost universally (99%) the 1,200+ respondents experienced an increase in demand for data and network bandwidth from their customers and subscribers. This was clearly due to the rapid switch to remote working and the continued lockdowns across countries and regions, which have continued throughout the first half of 2021. Interestingly, communication service providers with gaming customers witnessed the highest increase in demand, perhaps as citizens found themselves with more time on their hands working from home or furloughed. This was followed by government sector respondents and then ecommerce and retail. To this point, gaming and ecommerce and retail saw significant spikes in the increase in demand for data and network bandwidth in the over 75% and up to 100% category with 13% and 11.5% respectively.

Education sector customers have witnessed unprecedented demand as a result of home schooling

Clearly, the rapid surge in demand owing to COVID-19 meant that communication service providers had to quickly expand their capabilities. As organisations have moved to a remote set up, the attack surface has also expanded and intensified. This meant that respondents had to invest heavily in security technologies to protect their networks. Likewise, demand has come from multiple different locations. Previously customers/subscribers were more likely to be in offices together. Now, workforces are geographically dispersed, creating broader and heavier spikes in multiple locations. When we asked whether COVID-19 had accelerated network transition to a more distributed network (edge) and how much of the total network traffic this has impacted, interestingly, respondents serving the healthcare and utilities sector witnessed above average acceleration: 66% and 67% respectively, in the “by over 25-50%” category. Respondents serving the gaming sector were highest (38%) in the “by over 50-75%” category.

Healthcare invests in security technologies

The increase in traffic has significantly changed capital investment plans for communication service providers in multiple ways. More than half of the respondents plan to increase their investment in security. No doubt this is due to the escalating attacks witnessed on organizations with remote workforces. Providers serving the healthcare sector were most likely to be investing in security. However, communication service providers with customers in the government and education sectors were pausing investment plans.

Cybersecurity training programmes are a priority for education and healthcare

In terms of the security challenges enterprise customers/subscribers are facing, the education (62%) and healthcare (61%) sector respondents were more likely than other sectors to say that their customers need to revise their employee cybersecurity training programmes. The financial services sector ranked highest in terms of ensuring that BYOD policies were more robust. Additionally, when we asked about the highest priority security investments for 2021-2022, ecommerce and retail (51.5%) were the most focused on the upgrading of firewalls and other security appliances. When it comes to 5G, just under one-third of respondents stated that maintaining a quality service and avoiding service outages were top security challenges. Clearly, for ecommerce and retail respondents, ensuring uptime is critical, and 35% said that maintaining a quality service and avoiding service outages were key challenges.