Assuming a state of breach

As UAE corporates and authorities grapple with the cyber breach that occurred at a Sharjah bank recently, one thing is very clear: cyber crime, cyber fraud and other forms of cyber-related illegal activity are no longer one-off events. Unfortunately, breaches of this type, along with forms of blackmail and extortion, have happened in the past, affecting a range of businesses from financial institutions to retail outlets to online entertainment powerhouses. This type of crime not only has the potential to expose weaknesses in a particular institution’s security controls, it also puts thousands of customers in an extremely vulnerable position, with financial and reputational stakes being particularly high.

A holistic approach that places cyber security at the front and centre of true business risk evaluation is advised. There ought to be a focus on cyber security-related controls spanning prevention, detection, response and recovery.

It is also forecast that cyber-related breaches are only set to increase in number and sophistication; hence the approach we advise is to assume a state of breach and prepare for it not only from a technological standpoint, but also from a true business resilience one.

In a nutshell: cyber security is no longer a technology battle. It has come down to a survival play for individual institutions as well as nations. It’s no longer a question of if cyber breaches will occur; it’s a question of when they will, and of how prepared an organisation is to respond to them effectively.

A number of mitigating steps do, however, exist:

At DarkMatter, we provide services to highly sensitive entities requiring increased security for their data. Should one perform a root cause analysis, it all comes down to data.

The more valuable (actual or perceived) the data one possesses, the higher the probability of it attracting attempts to breach it, as there is a distinct financial motive, as evidenced in the Sharjah bank example. At DarkMatter, we work with similar organisations to ensure that we implement various data devaluation solutions in order to hedge against similar attacks. These solutions include:

  1. Tokenisation: Utilising tokenisation techniques, one can ensure that even if data is breached, it cannot be used against any customers. Tokens are the one-way hash of a sensitive card number or account number, and without the mapping, the token is rendered useless. Tokens also cannot be reverse-engineered to come up with the actual credit card number or other sensitive information.
  2. Encryption: One of the key areas for securing data-at-rest and data-in-transit is the proper implementation of encryption. DarkMatter not only has various solutions to implement encryption for data-in-transit and data-at-rest, the company also has crypto experts who possess best-in-breed solutions for key management.
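
A sketch of the tokenisation item above, added here as an example and not DarkMatter's code. It assumes HMAC-SHA-256 as the one-way function and an in-memory dictionary as the mapping; `TokenVault`, `breached_records` and the sample card numbers are hypothetical names and constructed test values.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Keyed-hash tokeniser with a separately held token-to-PAN mapping."""

    def __init__(self, key=None):
        # Secret key, assumed to be held by the tokenisation service only.
        self._key = key or secrets.token_bytes(32)
        # The mapping lives in the vault, never beside the tokens.
        self._mapping = {}

    def tokenise(self, pan):
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isascii() and digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        # HMAC rather than a bare hash: card numbers come from a small,
        # structured space, so an unkeyed digest could be matched by
        # enumeration. Without the key that comparison is not possible.
        mac = hmac.new(self._key, digits.encode(), hashlib.sha256).hexdigest()
        token = "tok_" + mac[:32]
        self._mapping[token] = digits
        return token

    def detokenise(self, token):
        # Only the holder of the mapping can get from token to card number.
        return self._mapping[token]


def breached_records(vault, pans):
    """What a downstream system stores, and so what a breach of it exposes."""
    return [{"customer": i, "card": vault.tokenise(p)} for i, p in enumerate(pans)]


# Constructed sample input: well-known test card numbers, not real accounts.
SAMPLE_PANS = ["4111 1111 1111 1111", "5555-5555-5555-4444"]

if __name__ == "__main__":
    vault = TokenVault()
    for row in breached_records(vault, SAMPLE_PANS):
        print(row)  # rows carry tokens only; the card numbers stay in the vault
```

The downstream database holds only the `tok_` values, so the key and the mapping are the assets that need the strongest protection.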

Legislation and Regulation

As I mentioned earlier, the Sharjah bank cyber breach is not the first or the last of its kind to occur, and the issue at hand cannot be dealt with by just a technological reaction. Of course, performing a post-mortem analysis of the breach, and coming up with controls such as data devaluation, tokenisation, and encryption are all valid points, but they remain based purely on short-sighted and short-term reactions.

Some of the high-level questions that need to be raised, and already are being raised, include:

  • How deeply should cyber security and cyber laws be written into legislation?
  • How can regulators make sure that the lessons learnt from the regulatory changes introduced as a result of the global financial crisis of 2008 are also considered in the realm of cyber security?

There will be arguments for and against the implementation of stricter cyber regulations, and over how to achieve a balance between security and privacy, though that’s not even the fundamental issue. The central issue is illustrated by the Sharjah bank scenario above: a breach can happen to any organisation, and what makes such an activity even more concerning is that anyone globally is capable of undertaking it should he or she possess the know-how. Thus the greater problem regulators will face is to institute legislation that also addresses the international nature of cyber activity and its cross-border implications.