The Middle East has been placed second in a list of worldwide IT security services spenders, according to a report by market analyst IDC.
The region's expenditure – second only to the Americas – on security hardware and software grew by 60 per cent in 2006, with the market forecast to grow at an average of 23 per cent each year until 2011. The numbers speak for themselves. But what most people do not know is that IT threats – even in a safe country like the UAE – are real and the effects on firms and individuals are substantial. Some attacks have already been successful, but the media and the general public have not been given the details.
"We have a culture of non-disclosure in this region and I think it's working against us," Justin Doo, Trend Micro's regional director for the Middle East and Africa, said in an interview with Emirates Business. "The more we don't talk about it, the more people become less aware of the real danger of an unsecured IT environment."
Doo said that when large organisations get hacked, lose a thousand records and still choose to say nothing, it becomes harder for the general public to understand the problem. "It will also be harder for small businesses to realise that they need to protect their network environment," he said.
Currently, the region's biggest spenders on security solutions are governments, which account for 26.9 per cent, followed by telecommunications and finance, with 22.6 and 21.2 per cent share, respectively.
But it is not only the spending that matters. Public awareness should be the foremost concern of the public and private firms, said Doo.
"The biggest IT threat is the ignorance of the threat," he said. "Another problem is that people here are inherently trusting. As people have not seen the big exploits, because a number of large organisations refuse to tell the problem to the public, they still think IT threats are fictional. But they are not, they are real and they happen here."
—IT security has fallen out of chief information officers' top 10 priorities, said a report by IT data specialist Gartner. One of the biggest problems, according to its analysts, is enterprises are not thinking about new threats. Can you tell us what these new threats are?
—Everyone has invested in IT security. I don't think there's a company out here that has not invested in security as part of its infrastructure. However, the landscape of security threats is changing on almost a monthly basis. Most companies are aware of anti-virus technologies, most use firewall technology and many believe investing in these two things is already a strong policy. Unfortunately it's not. There is a lot more that needs to be done, especially in securing your connectivity and network. Wireless accessibility in hotels and airports, for example, is of prime consideration these days.
In this region, up to 60 per cent of PCs sold are laptops, so we're encouraging people to take their work outside the traditionally secure environment of a static network. There was an IT exhibition in London two years ago, attended by a number of security professionals. The event's wireless pass was hacked. The hackers' reason for doing so was to demonstrate that even IT security professionals can be hacked just like everybody else. The flip side could be, if you sit in a coffee shop today and someone hacks their wireless internet access, they can sell the information – like your credit card details – to other people without any hassle at all. And that happens in almost every other country in the world.
—How frequently do you have to upgrade your security system?
—It varies. The worst we had was 30 times in one day in February last year; our physical technology was outdated 30 times in one day. I'll give you an example on how they multiply so fast. In 2006, malware samples were just under one million globally. By the end of 2007, the number had grown to 5.4 million more than the 2006 period. By the end of April this year, we have seen 4.4 million new unique samples. So what we have to do as an organisation and as an individual is to look at the next wave of protection – that is, how do we move the protection layers away from the desktop?
—Recently, Trend Micro discovered a fake Beijing Olympics website supposedly selling tickets, essentially to steal credit card details. Are website-hacking incidents growing by the day?
—Yes. Unfortunately any major event, like the Beijing Olympics, is expected to be hacked from a social engineering perspective. The upcoming United States elections will also be hacked.
—There also have been a number of hacking incidents in the region, particularly in the UAE. But most have been shrugged off as mere attempts. What is the actual situation here?
—We have a culture of non-disclosure in this region and I think it's working against us at the moment because the more we don't talk about it, the more people become less aware of the real danger of an unsecured IT environment. When large organisations get hacked, lose a thousand records and don't say anything about it, the harder it becomes for the general public to understand it. The harder it is for small businesses to realise the need to protect a network environment. Small and medium businesses may have only five to six connected PCs, but they still need to protect them.
—Can we assume the IT security problem here is actually high?
—It's impossible to put a definitive statement together on the back of that. We can only share information with the general public, that which our customers want us to share. It's not our job to go out and talk about these things as we have not been given the authority to talk. It can be very commercially damaging for our business.
That having been said, if you look at the data protection legislation in this region, if you look at the controls in most organisations, and if you look at the high predominance of staff movement within the region, you will see that you have an environment that is open to attack. You have an environment that is essentially open to abuse because people move from one organisation to another and these people may have access to very sensitive information.
There's no data protection law here that allows somebody to pursue an individual who would take away data, so if I were to leave my company tomorrow and take my entire customer database with me, on a local level, there is nothing that Trend Micro can do to prevent me from doing that.
In Europe, it is now a chief information officer's responsibility to ensure that data integrity is protected and any act against it, but currently such a law does not exist here.
—What can be done in the absence of a data protection law?
—We can do a number of things based on looking at the transaction between your PC and the internet. We can equip the client and make sure that nobody can sniff that information from you. But most importantly, people should be changing their passwords frequently. Unfortunately again, about 80 per cent of people here use only two passwords or less for all their transactions.
—What are the top IT threats in this part of the world?
—They are the same as anywhere else. People ask me this on a regular basis, but there's nothing specific here. There are some instances in this region that contribute towards the threat. But the biggest threat is the ignorance of the threat or the lack of public awareness. People come here from all over the world, making it almost impossible to get a blanket of communication. How do you assess the knowledge level? How do you drive the awareness? Ignorance to the threats is the challenge. Another problem is that people here are inherently trusting. And as people haven't seen the big exploits, because a number of large organisations refuse to tell the problem to the public, they still think IT threats are fictional. But they are not, they are real and they do happen here.
PROFILE: Justin Doo, Regional Director, Trend Micro
Justin Doo, Trend Micro's regional director for the Middle East and Africa, joined the company in January 2000. Since then he has successfully built up the GCC office, which opened in 2002 and has become one of the most flourishing business units within the company.
Trend Micro is a leader in network antivirus and internet content security software and services. Doo's experience within the antivirus and malware industry has proved a valuable addition to the Tokyo-based corporation, whose products are sold through corporate and value-added resellers and managed service providers.
Doo has worked in the industry since 1990 and has expertise in the security and antivirus arena.