By Ayswarya Murthy

After a serious cyber attack on the biggest bank in Qatar, has the financial sector woken up to the risks? Qatar Today finds out where the pitfalls lie and how they can be avoided.

In April last year, a major cyber attack on Qatar’s largest lender sent reverberations around the globe. A group of unknown hackers had claimed to have hacked into the servers of Qatar National Bank (QNB) and leaked 1.4 GB of data from the database containing personal data of its customers. The massive data dump contained hundreds of thousands of financial records including credit card numbers and their PIN codes and customer transaction logs.

Moreover, the hackers also claim to have leaked banking details of some members of the Al Thani family, Al Jazeera journalists, officials from the Ministry of Defence, the State Security Bureau “Mukhabarat” and several other intelligence agencies. What was truly frightening was that it contained personal information collected from several non-QNB sources like social media, put together with the aim of creating a complete profile of certain customers. The breach was massive, it was public and it shocked people and institutions into action. What until then was thought of as something that happens to someone somewhere else, had hit home hard.

Governor of Qatar Central Bank (QCB), HE Sheikh Abdulla bin Saoud Al Thani

“Qatar Central Bank is preparing the Qatar Financial Sector Information Security Strategy, which will enhance and maintain information security and create a more resilient and secure cyberspace to safeguard the financial sector in Qatar.” 

The Governor of Qatar Central Bank (QCB), HE Sheikh Abdulla bin Saoud Al Thani, noted that cybercrime is now considered the second most common economic crime in the Middle East. Speaking at a Dean’s Lecture at Carnegie Mellon University in Qatar, he emphasised the importance of strong cyber governance, continuous monitoring, step-by-step detection and a well-designed contingency plan to mitigate any vulnerability on account of cyber risks to Qatar’s financial sector. “Both attackers and their motivations are becoming more diverse – from financial gains to disrupting activity to causing political and financial instability,” he remarked, noting that cybercrime in Qatar increased by 52% in 2015 over the previous year.

The wake-up call

David Cafferty, Risk Consulting Director at Crowe Horwath UAE and Member of the Chartered Institute for Securities and Investment (CISI)

Security analysts are understandably on the edge. “Firms are coming under attack daily. It is well known that financial institutions across the region have prevented a number of attacks and also that a number of cyber attacks have succeeded in penetrating organisational defences. However, there is also a perception that the region is next in line for a major/sustained cyber attack, following large-scale strikes in other parts of the world,” says David Cafferty, Risk Consulting Director at Crowe Horwath UAE, and a Member of the Chartered Institute for Securities and Investment (CISI).

Soubhi Chebib, General Manager at GBM Qatar

And exasperating this challenge is the shortage of highly skilled people in this field in the region which is also geographically far from major technology centres, making the availability of quality support, implementation expertise, and the reliability of the providers even more important, according to Soubhi Chebib, General Manager at GBM Qatar.

Nicolai Solling, Chief Technical Officer at Help AG

Also, consumers in the region are doubly vulnerable to attack on financial institutions because they are somewhat less protected than their counterparts in, say, Europe. “In Europe, a consumer is protected by the European Union legislation for consumer protection, which means that a consumer can only be held liable for a very small amount of damage in case of a data breach or theft. Here it is different and the consumer is more or less liable for any misuse of electronic accounts, or at least the legal process is hard and cumbersome,” says Nicolai Solling, Chief Technical Officer at Help AG.

“For the same reason, the banks in the European Union are very focused on minimising risks as they hold the liability. One of the ways this affects the way the banks operate is that in Europe you will not find many banks without a proper two-factor authentication solution for users, whereas here in the Middle East this is something that has only recently been applied by the large portion of banks.”

Under these circumstances, it has become increasingly important to understand the drivers of these cyber risks to help boost policies and strengthen risk governance, according to Cafferty. “Regional governments are very aware of the threat, and the formation of Computer Emergency Response Teams (CERT), and the development of national strategies, is indicative of that,” he says.

This is substantiated by HE Al Thani who spoke encouragingly about the work the Qatar government has taken to combat cybercrime, including establishing the National Cyber Security Strategy. “Going forward, in order to benefit from the resiliency efforts of the financial institutions, Qatar Central Bank is preparing the Qatar Financial Sector Information Security Strategy, which will enhance and maintain information security and create a more resilient and secure cyberspace to safeguard the financial sector in Qatar,” he said.

As a result of this, there is an increasing awareness of cybersecurity. Solling says this emphasis on cybersecurity in Qatar will only increase in the coming months with Qatar’s recent promulgation of Law No. 13 of 2016 concerning Privacy and Protection of Personal Data.

“The first of its kind in the GCC, the law places new restrictions on how personal data of an individual is to be processed in accordance with principles including those of transparency, integrity and respect for human dignity and acceptable practices,” he says. To comply with this, financial institutions, which handle large volumes of sensitive personal information about their customers, will no doubt have to rethink their operations and protocols, if need be, and also conduct regular training of their staff.

But the government can always do more, as Cafferty illustrates. “Governments receive information on individual attacks but they could do more to assist organisations by sharing this information and using it to create threat assessments, and typologies/case studies, for dissemination to a wider audience. But again, there is a cultural issue around scaring people – perhaps unnecessarily. However, not only should organisations be scared, they need to be scared into taking a more robust, strategic and holistic approach to cyber-risk.”

Chebib agrees. “IT security is not something that can be implemented and then forgotten; it requires constant monitoring and periodic updates that keep it up to date with the latest batch of threats and malware on the scene,” he says. “In addition to this, IT security should not be taken alone to ensure the protection of systems; it should be woven into the overall security strategy of organisation. In fact, many organisations have established a designated Chief Security Officer position, thus assigning the maintenance of the overall security of the company to a single person who reports directly to the CEO of the organisation.”

Patching up vulnerabilities

Globally, the financial services industry is under a barrage of ransomware and spearphishing attacks, according to a new survey conducted by the SANS Institute, gauging the state of risk and security in the financial sector. For the first time, ransomware, identified by 55% of respondents, has eclipsed spearphishing (50%) as the top attack vector.

Such attacks have caused considerable damage, with 32% of survey respondents citing losses between $100,001 and $500,000 as a result of their breaches. While the sample size of Middle East-headquartered organisations in the survey is reasonably small, as Chebib says, “Cybersecurity has no physical borders. Wherever you are or the system is around the world, attacks can be mounted from and to anywhere. Certainly, cyber attacks are politically motivated and we witness this from time to time. Qatar has taken strong measures to employ very sophisticatedly cybersecurity solutions and continues to update this in order for the services to be provided reliably and uninterrupted.”

While Qatar, together with the UAE and Saudi Arabia, leads the IT market in the GCC, spend alone will not ensure security. “Cybersecurity spending now accounts for a significant portion of IT budgets in the Middle East. What remains unclear is whether they are sufficiently equipped to defend against these attacks,” said Ned Baltagi, Managing Director, Middle East & Africa at SANS. Just over half of surveyed organisations claim to have felt prepared or very prepared to fend off attacks. “And even this readiness will stand to be tested when alternative payment systems come online,” he added.

Managing human vulnerabilities is sometimes more of a challenge than the technical aspects, though it ought to be the easiest and most effective way to combat cyber-risk. For example, both ransomware and phishing attacks (the two largest kinds of cyber attacks on financial institutions) prey on the vulnerabilities associated with users, who often unwittingly click on links that unleash vicious attacks on their organisation’s assets.

For that reason, organisations are going beyond techniques like employing perimeter defences, endpoint protections and log management techniques to identify, stop and remediate threats, and are focusing on controls such as email monitoring and security awareness training to reduce the potential for employee actions that unleash malware on their devices.

But there is still much left to be desired in this area. “Organisations are still taking an ‘old school’ approach to cybersecurity with a narrow focus on ‘IT security’ – a simple, easy-to-deal with threat with guidance given to members of staff, such as on the usage of USBs, unauthorised downloads, theft of data and small-scale phishing,” says Cafferty. “The impression that staff members get is that IT matters are very personal localised issues, rather than highlighting the bigger risks they may cause to the organisation such as denial of service, theft of customer data, whaling and large-scale extortion.”

“Management, working under Board direction, needs to develop focused education, training and awareness programmes for their organisations. Utilising government statistics and typologies, supported by internal research, management should ensure that all staff are aware of the full range of risks the organisation is exposed to and that education programmes are put in place so as to ensure that cyber risk management is embedded in daily activities. Finally, specific/ongoing training should be given to key individuals, and teams, so as to provide the skills and knowledge the organisation needs to effectively prevent, detect and respond to the cyber-threat,” he says.

From end to end

Thanks to technology, everything is interlinked, such as a business’s core operations with its vendors, customers and supply-chain networks. As such, failure to understand and address the systemic cascading effects of cyber risks could have far-reaching consequences across the network, according to Cafferty. “Customer education is more commonplace in this region, but again the fear factor gets in the way. Organisations don’t want to give customers the impression that they don’t have the systems in place to protect them,” he says. Initiatives like ‘customer training’ may be unlikely due to the logistic challenges they pose, says Solling.

“Financial institutions could, however, regularly share information about the latest cyber-threats and trends. They could also share best practice for online security. For example, many customers reuse weak passwords across multiple Internet accounts and even their online banking accounts. With data breaches of even large social media and other Internet services now commonplace, such behaviour could easily jeopardise users’ security,” he says.

But he also goes on to emphasise that financial institutions must be wary of the partners they work with, particularly those that are SMBs. “Cyber-criminals often use these as gateways into the networks of larger organisations,” he says.

“In the UAE we have seen such an attack successfully carried out against RAKBANK. In this particular case, RAKBANK’s business partner in India, which prints their credit cards, had a data breach where information on credit card numbers and CVC codes were lost. This allowed attackers to replicate card information, which again was used to deduct money from these cards. RAKBANK was reported to have been facing damages of approximately $5 million (QR18.2 million) associated with this. Although they were not directly at fault, of course such incidents have a negative brand impact,” he points out.

Training partners and ensuring that they have the right cybersecurity measures in place will increase the security posture of the financial institutions themselves. By taking a broader focus that is aimed at the operations of the business, its supply-chain networks and customers, cyber-risk education to all involved parties can provide proactive strategic and more actionable insights into the entire control system of the enterprise.

New challenges of a new era

Even as we are still grappling with existing challenges, a new technological era fast approaches. With advances in new technologies – such as the cloud, analytics, mobility, artificial intelligence (AI), Big Data and Internet of Things – technological vulnerabilities have expanded exponentially.

In particular, the so-called Internet of Things (IoT) –  a term that is used to describe anything and everything that is connected to the Internet and able to communicate with other ‘smart’ devices – has been vital to the turnaround of businesses, and in return, it has come with immeasurable challenges in the areas of privacy and security. A major issue around IoT is the vast number of devices, says Solling.

“We are talking about as many as 50 billion sensors and devices by 2020. All those sensors are cheap, low-cost devices – a major factor as there are so many of them. Give this, how much security do you then think they could design into the hardware? Another problem is the software: IoT devices use software like any other device on the Internet. Some of them have generic operating systems like embedded Linux. How do you patch 50 billion devices in case of a general vulnerability?” he asks. Unfortunately we are already beginning to see the first examples of how attacks can be perpetrated in a connected ecosystem.

Given these challenges, it is imperative for organisations to thoroughly assess their IoT readiness before going to market. First, the service needs to make sense. While CEOs and CIOs within organisations must focus on how they can innovate in their business, it won’t always hold true that IoT is the only way they can innovate. What is unique about IoT is that it is not necessarily trying to invent new problems, but tries to solve or optimise how we do things.

Another very important aspect is the integrity and availability of the service. The minute you start to integrate with the day-to-day life of individuals, you need to ensure that the service is always available. Finally, and perhaps most importantly, security; financial institutions in particular need to think about the data they are storing, and how they are ensuring it is safe. IoT services need to be built with security in mind, as any failure to deliver the same can cause a huge impact to the reputation of a service.

On the other hand, the technological upper hand provided by Big Data and predictive analytics can’t be denied. “Predictive security analytics is a way to analyse where threats could be coming from and who is mounting these threats and relationships that they have between them with potentially the physical location of the threat,” says Chebib.

“Different elements of information are correlated together to provide insight about the threat to enable security specialists to pre-empt such threats, or to stop it. Big Data concepts shed more light and additional perspective in understanding threats and ways to prevent them and/or minimise their risk.” Big Data will also have an important role to play in helping organisations to identify areas of risk, says Cafferty. “What data they have; where that data is to be found; and what levels of protection are needed. It’s a profound transformation in how man and machine interact with each other.”

The Chartered Institute for Securities & Investment (CISI) frequently organises cybercrime events, including workshops, conferences, targeted seminars and round-table events for members, as well as clients.

The Qatar Finance and Business Academy (QFBA), in partnership with CISI, recently organised a cybercrime workshop to educate professionals and technical employees in cybersecurity in the finance sector. Professional bodies like the CISI, have been thrust into the spotlight as market pressures for constant technical evolution and persistent IT security threats require professionals to provide and seek IT and information security assurance, Cafferty says.

“At the workshop, attendees encompassed a wide variety of functional specialists from IT/IS professionals; compliance staff; internal and external auditors; college lecturers and lawyers; accountants; project managers – in fact, everyone except the people who need to accept and understand the problem the most, and that is, senior management and board members. Attendees also came from across industrial groups and from the public and private sectors.

“The focus of these workshops is on highlighting the threats that organisations are facing; that it is a local as well as an international problem; that cybersecurity is the major threat facing financial institutions today and that as a result, this is a Board-level issue; and that a new integrated response is necessary to counter the cyber-threats that organisations are facing. We also address how we should respond to growing innovation that comes with new risks. As technological innovation continues to transform industries, the role of cyber-security professionals, risk and compliance teams is crucial as they help in identifying and managing emerging risks.”

Intel Security released its McAfee Labs 2017 Threats Predictions Report, which identifies 14 threat trends to watch in 2017.

  1. Ransomware attacks will decrease in the second half of 2017 in volume and effectiveness.
  2. Windows vulnerability exploits will continue to decline, while those targeting infrastructure software and virtualisation software will increase.
  3. Hardware and firmware will be increasingly targeted by sophisticated attackers.
  4. Hackers using software running on laptops will attempt “dronejackings” for a variety of criminal or hacktivist purposes.
  5. Mobile attacks will combine mobile device locks with credential theft, allowing cyber thieves to access such things as bank accounts and credit cards.
  6. IoT malware will open backdoors into the connected home that could go undetected for years.
  7. Machine learning will accelerate the proliferation of and increase the sophistication of social engineering attacks.
  8. Fake ads and purchased “likes” will continue to proliferate and erode trust.
  9. Ad wars will escalate and new techniques used by advertisers to deliver ads will be copied by attackers to boost malware delivery capabilities.
  10. Hacktivists will play an important role in exposing privacy issues.
  11. Leveraging increased cooperation between law enforcement and industry, law enforcement takedown operations will put a dent in cybercrime.
  12. Threat intelligence sharing will make great developmental strides in 2017.
  13. Cyber-espionage will become as common in the private sector and criminal underworld as it is among nation-states.
  14. Physical and cybersecurity industry players will collaborate to harden products against digital threats.