Investment in anti-hacking technology is growing exponentially in the UAE’s banking sector as the move towards global e-commerce increases the threat of security breaches, say analysts.
It is estimated that resources allocated to information security have risen by more than 200 per cent year-on-year since 2005.
Greater awareness of the threat among UAE banks is driving the surge in investment, said Naveed Moeed, principal technical consultant for the Middle East and Africa at RSA, the security division of information management group EMC.
“We have had huge traction in the banking sector,” he said.
“It’s far and away the fastest growing sector of our business in the last three years. It’s grown by well over 200 per cent year-on-year in terms of revenue.
And practically all that revenue is coming out of the awareness of fraud, particularly insider and online fraud.
“To secure core banking you now have a package that’s tried and tested. But providing security for a growing population that wants to use ATMs and the internet to do their banking is an ever-increasing task. The bigger the banks grow the more they spend on security.”
RSA, which provides information security solutions to 90 per cent of the Fortune 500 companies, has seen its Middle East client base grow from one bank – the National Bank of Dubai – in 2003 to 40 institutions at the end of last year.
“We have seen exponential growth from this sector and this reflects how banks are reacting to security and how much they see it as leverage for accelerating the business. It’s also about retaining customers.”
Moeed, who was attending the Secur Middle East Congress in Dubai, said the extent of the damage caused by a security breach will depend on the size of the bank and type of clients it had.
The Abu Dhabi Islamic Bank has more than doubled the amount it allocates to information security to Dh15 million from Dh6m in 2006.
“The risk element is coming from opening up to the world, be it through internet banking or international expansion,” he said.
“But we are not pessimistic about this because there are also opportunities associated with opening up to the world.
“We’ve had several attempted attacks in the last year and some attempted disruption, but we haven’t suffered any financial loss. Our budget represents about 10 per cent of our IT allocation. UAE banks should ideally allocate up to 20 per cent of their IT budget to information security.”
Banks in the region have become particularly vulnerable to “phishing” attacks in recent years where criminals steal sensitive information from unsuspecting computer users.
Hackers try to obtain usernames, passwords and credit card details .E-mail or websites used for phishing usually appear trustworthy, but are meant to trick people into revealing sensitive information.
Vinod Vasudevan, Chief Technology Officer and Director at security company Paladion, said the country’s burgeoning banking industry marked it out as a target for hackers.
“The threats to banks are moving more towards financially motivated attacks,” he said.
“Attacks in the past year have been mainly phishing attempts, and because the Middle East is considered economically strong you have most of the financially motivated, targeted attacks.
“The reality today is any attack that is happening anywhere globally can come quickly into the region.
Five years ago Europe and the United States would be where attacks would first surface and there would be a lag before they appeared in the Middle East or Asia.
“But because of the economic prosperity here any new attack that surfaces hits the region immediately. That lag has disappeared.”
Paladion, which specialises in security solutions for the financial services sector, estimates that a bank’s budget for information precaution in the UAE has grown to 12 to 15 per cent of its IT funding – up from five to seven per cent two years ago.
“A phishing attack can typically lead to thousands of accounts being siphoned off in 24 hours, which could mean millions of dollars disappearing in one day. The impact will also depend on the number of users affected and the size of the bank – the larger the bank the more transactions they will have.”
Last year the Abu Dhabi Islamic Bank faced several phishing attacks, but Elshahry said preventative measures had controlled the security breaches.
“If we suffer from phishing it affects our reputation, so we have controls to stop the attackers,” he said.
“When there is a security breach it affects how customers see us, which is a problem for the growth of the bank. If customers do not feel secure with the bank they will not continue to deal with us. Plus there is greater competition in the region.”
RSA says customers of European banks have moved to competitors because of concerns about information security.
“In Europe the banks that have done really well are the ones putting these measures in place,” said Moeed.
“More customers are moving from certain high streets banks to other high street banks because of the technology edge. If consumers feel a bank is more secure then they will move to it. At the same time that bank is reducing the level of fraud so its net profits double or triple.”
Kurt Information Security, which is active in 15 countries, specialises in securing data for the oil and gas, telecommunications, banking and finance, government and service sectors.
It co-ordinates its Middle East security operations from headquarters in the UAE.
Ahmed Al Mulla, Chief Information Officer at Dubai Aluminium Company, said he was recently asked by his chief financial officer whether his information security measures would be adequate if the group were to become a shareholder company.
“We were working on a roadmap for finance and there were a lot of regulations we would have to abide by.
One of the requirements was if we want to go the initial public offering route, are we ready?
We’re not ready for an IPO from a security point of view because we don’t need to be. Our CFO was trying to find out where we were as a business.”
And, referring to the banking sector, he said: “The technology is there – but the challenge is you need to keep updating the technology.”
Dubai-based banks are recruiting former hackers to shore up their information security systems, said an information technology expert.
In Dubai banks are hiring hackers to protect themselves because how else do you protect yourself from hackers?
He said 60 per cent of hacking originated inside organisations or was carried out by former employees.
Zombies and botnets are the latest threats faced by firms that use the internet.
Botnets are software robots – or bots – that run autonomously and automatically on groups of ‘zombie’ computers controlled remotely over the internet by hackers.
These are used to distribute spam e-mail and carry out fraud without the knowledge of their owners.
And the Middle East is not immune to botnets – the world’s number one emerging internet threat – according to web security firm Trend Micro.
David Perry, the company’s Global Director of Education, said botnets were responsible for more than 80 per cent of the world’s spam and generated fraud worth more than $1 billion (Dh3.67bn) annually.
The number of web-based threats has increased by more than 600 per cent in the past two years and Trend Micro attributes the growth to ignorance.
“IT users, whether in a professional or consumer capacity, should always follow responsible, best-practice internet policies to protect themselves from existing and emerging web threats.” said Perry.
Tony Larks, Middle East Communications Director of Trend Micro, said: “The key issue is that company internet security policies are not enforced effectively in the region and are not conveyed to users. The biggest concern here is that IT users are not aware of internet threats – the level of awareness is very low.”
Larks said in the past 12 months more than five million cases involving computer viruses had been detected around the world.
“The growth in internet threats is such that professional programmers are working for organised crime gangs – and they prefer to remain undetected for as long as possible. They are playing a longer game, which means that by the time a virus is detected they might have obtained access to a great deal of sensitive information,” he said.
Internet use in the Middle East has soared by 920 per cent in the past seven years – dwarfing the world average of 265.6 per cent, according to industry figures.
But the increase has been accompanied by a similar rise in the level of cyber crime.
Larks said the region had an advantage over other parts of the world as it did not have a legacy of outdated infrastructure.
“Some economies like Europe have an IT infrastructure that is 30 or 40 years old. The cost of upgrading is much more than installing new software. So the Middle East has the advantage of having the latest internet security technologies,” he said. .( Anjana Sankar)
$1bn: The annual amount of botnet fraud
600%: Increase in the number of web threats
UAE banks invest in IT security on hacking fears