By Abhay Pandey, Founder & CEO of MAST Consulting
The growing sophistication of cybercrime and of attackers' modus operandi is illustrated reasonably well by the UAE's own experience: the UAE was ranked fifth globally for cybersecurity infrastructure in the International Telecommunication Union's Global Cybersecurity Index 2020 report. Yet, around the same time, attacks such as ransomware mushroomed in the country. Documented incidents put the total sum paid by victim businesses at about $1.4 million. Unfortunately, paying the ransom did not stop about 42% of the victims from closing shop, nor about 90% of them from being attacked again. The ransomware attacks hit businesses of every size and security posture.
So, as far as cybersecurity in this hyper-digital era is concerned, the writing is on the wall: there is no room for complacency, because a single misstep or lapse in judgement is all it takes for bad actors to land a phishing, malware, or ransomware attack. The usual response is for businesses to ramp up their own security controls. However, with a growing number of exposed devices and external value-chain suppliers, the attack surface now extends well beyond the organization's own perimeter, so internal controls alone can fail: as the saying goes, a chain is only as strong as its weakest link. That is where the compliance imperative comes in, because it sets a common floor for every party in the chain.
Compliance: Tying loose ends and enhancing competitiveness
At its core, cybersecurity compliance works like law: it means adhering to standards and requirements mandated by a body that all stakeholders accept as authoritative. By complying with the stipulations of such an apex body, every party becomes subject to the same operational standards and practices. Depending on the regulator's leverage and reputation, compliance often brings business incentives, including but not limited to a good brand reputation among customers, higher trust and transparency, and improved creditworthiness. Greater accountability across the business environment closes security gaps, and it has a cascading effect on the nation's competitiveness. The UAE, cognizant of these outcomes, has launched several frameworks, whose particulars and functions can be summarized as follows.
- National Cybersecurity Strategy
A quintessential national-level cybersecurity framework, it defines and mandates standard operating procedures for governing bodies and for entities classified under the "Critical National Services" of the National Electronic Security Authority (NESA). Broadly, the strategy rests on six pillars: prevention, preparedness, collaboration, capacity building, response, and recovery. Though optional for private entities in the country, the National Cybersecurity Strategy is an opportunity to strengthen one's own security posture while contributing to the country's overall resilience.
- National Information Assurance Framework
Information assurance is about having confidence that the measures protecting an information architecture actually preserve its confidentiality, integrity, and availability. The UAE's National Information Assurance Framework promotes sector- and product-specific, risk-based approaches to exchanging information with third-party vendors, while issuing periodic recommendations to member entities and monitoring their progress.
- Critical Information Infrastructure Protection Policy
As the name suggests, the Critical Information Infrastructure Protection Policy determines what constitutes “critical information” in different sectors and niches and defines the measures needed to secure it. Acting as a conduit between sectors, the framework facilitates secure collaborations for synergistic cybersecurity efforts. Its necessity in sectors such as finance and defence cannot be stressed enough.
- UAE Information Assurance Standard
Consisting of administrative (management) and technical controls, the UAE Information Assurance Standard likewise applies to entities that fall under NESA's "critical infrastructure" purview. It mandates a baseline level of protection and calls for additional controls as the entity's risk profile warrants. Through reporting, auditing, and testing, the standard helps ensure that key assets are not compromised and that deviations from the baseline are detected rather than assumed away.
- Dubai Electronic Security Centre (DESC)
Established by Law No. 11 of 2014, DESC is the go-to authority for cybersecurity and related matters in the Emirate of Dubai. It has since helmed many initiatives, including cyberattack simulations to enhance preparedness. DESC also binds Dubai government entities to the security standards of the national-level frameworks. The Abu Dhabi Government Data Management Standards are the corresponding framework for the Emirate of Abu Dhabi.
- Personal Data Protection Law
Developed in partnership with leading private-sector technology companies, the Personal Data Protection Law prohibits the unlawful transfer of personal data to jurisdictions outside the UAE. Its scope also extends to data controllers outside the country that process the data of UAE data subjects. Failure to comply with the law carries fines determined by the Council of Ministers.