In 2020, as lockdowns were put in place and workers retreated to their homes in droves, bad actors struck. While economies worldwide spiralled downwards, the volume of cyber-incidents took the opposite trajectory, with digi-criminals taking advantage of isolated users, surges in BYOD, and the incidence of tech sprawl policed by overworked IT teams.
These trends were felt acutely in the UAE, long a favoured hunting ground among digital predators. According to Etisalat Digital’s cybersecurity team Help AG, Distributed Denial of Service (DDoS) attacks saw a 183% increase last year in the UAE alone.
And in a 2020 survey conducted by KPMG, UAE business stakeholders expressed their pessimism about the 2021 threat landscape. Some 98% had a dreary outlook for the year when it came to overall levels of cybercrime. Almost two thirds (61%) were worried about phishing, while 42% expressed concern over escalations in ransomware.
Indeed, in its State of the Market Report, Help AG also cited regional rises in the dreaded lock-and-extort attacks, warning that DDoS campaigns were often used as distractions while dropping ransomware.
According to another study on ransomware, UAE victims said they had paid as much as $1.4 million and 42% had been subjected to total operational shutdowns. To add insult to injury, 90% of those that paid reported being hit again.
But the good news for UAE businesses is that the government here has always been proactive on matters of technology, especially when it comes to cyber security, information security and privacy. Keen to protect its digital economy and the businesses that call it home, the UAE has initiated the Information Assurance Regulation as a key element of its National Cybersecurity Strategy (NCSS).
The Information Assurance Standard calls for a broad range of best practices in protection and management, including business continuity, disaster recovery, compliance, certification, and accreditation. The end goal is a unified national framework that the government intends to be followed by every enterprise.
The standard also calls for increases in the levels of protection in information systems and urges the implementation of risk-based controls. It directs organisations to clearly define the roles and responsibilities of those within their ranks who are charged with overseeing and guaranteeing cybersecurity.
In its pages, the UAE Information Assurance Regulation sets out the reasons for adoption of the standards. It is clear that the government recognises that economic activity is oiled by confidence and can seize up in its absence.
The standard mentions the benefits of a trusted digital environment for businesses and individuals across the nation, tying those benefits directly to cybersecurity, which the Telecommunications and Digital Government Regulatory Authority (the TDRA), author of the standard, considers to be the shared responsibility of every organisation and individual.
While the TDRA leaves room for collaboration and partnerships between public and private sector organisations, compliance will be largely the domain of each individual enterprise.
As with most compliance regulations in the digital space, the UAE government is only pursuing what every sensible business stakeholder should want: resilience. If last year taught us anything, it was the value of preparedness as it relates to continuity. The TDRA’s guidelines are worded in such a way as to be flexible because it knows that each industry and business is different.
Predictably, the standard applies to some industries more rigidly than to others, but adoption of the guidelines is in the interest of any business that operates in the digital economy. The TDRA makes this point quite plainly. The IA regulation, while mandatory for some, is urged for all.
One part of the security controls alluded to in the UAE Information Assurance Regulation is the set related to communication and network security. In this regard, the standard is timely. As practices such as remote working and distance learning took off in 2020, the modern network became manifestly more complex than at any time since the emergence of cloud computing. In such environments, the standard directs IT stakeholders to reconsider their threat postures.
Using the network itself to detect threats before they become breaches, and to understand the risk posed by every connected system and user, is key to effectively applying the communication and network security controls.
While security engineers have been trying to do this for years, the boost in computing power has finally made it possible for them to tap into the power of Artificial Intelligence (AI) and Machine Learning (ML) and tilt the game of threat detection in their favour.
The wide availability of AI and ML power paved the way for the evolution towards AI-based Behavioural Network Detection and Response (NDR) tools that go a long way towards automating the kinds of security controls the TDRA cites. Information transfer, network security management, cloud computing, and incident management and response are all covered in this approach. The power of AI can also be used to score systems, devices, and users according to the risk their behaviour poses, another suggested practice in the IA guidelines.
AI-based Behavioural NDR tools can be a significant leap towards compliance for UAE enterprises as they align with the government’s vision. If their implementation is spread widely enough, we can quickly achieve the trust and confidence required for innovation and competitive participation in the global digital economy.