Cybersecurity is now essential in many sectors

Riyadh is once again hosting a global event, with the LEAP conference starting Feb. 1 bringing more than 400 speakers across six sections to discuss the future of technology in education, finance, health, retail, transport and urban planning.

All of these industries are dependent on critical IT infrastructure and security, especially national megaprojects with major international partners.

In an age of open access to information, businesses need to be cybersecurity-conscious and must cooperate to deal effectively with the threat of automated crime and even online terrorism. Several attacks on state-sponsored key economic assets have taken place worldwide, like the so-called Shamoon cyberattacks in 2012 against both Saudi Aramco and Qatar’s RasGas.

The virus used in the attack was notable due to its destructive capabilities and the cost of recovery. Shamoon can quickly spread from an infected machine to other computers on a network, and once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker and erase them. Ultimately, the virus overwrites the master boot records of the infected computer, making it unusable.

This was a wake-up call to key sovereign economic assets and joint venture companies. It forced many to reexamine their cybersecurity defenses.

One of the LEAP conference topics will cover future energy and the importance of countries like Saudi Arabia developing cleaner green hydrogen energy. The aforementioned cybersecurity attack on Aramco will be a valuable lesson to take into account.

Companies spend fortunes on information security, which might come to nothing if cybercriminals can take data worth copying and illegally monetizing. However, unlike government-to-government cooperation, corporate cybersecurity cooperation is easier said than done, as security vendors and government regulators advise that the solution is to spend more on security and enhanced regulation and for businesses to cooperate in organizing awareness campaigns to learn from each other.

There are lessons to be learned. The main risks to a business IT system are sometimes basic in nature, such as a system failure resulting from so-called “routine” security upgrades, and power failures from fire, flooding or even cable theft, which can bring down entire networks or data centers.

Outsourcing operations can sometimes compound risks, especially if the outsourcing destination is of an unknown quality. Some of the risks come from insiders, unwittingly at times from the activities of helpdesk staff, temporary contractors and even compliance officers who can cross so-called “Chinese walls” that supposedly protect against fraud by ensuring that there is no direct interaction between different operating units, especially in investment banking.

Security breaches, especially ones involving serious information, are often the result of insider mistakes. They occur while file copying is allowed, leading to large-scale fraud and losses of corporate industrial secrets.

A change in cybersecurity mindset is then required, whereby companies need to spend as much time and energy on managing and training employees as on the status of their software and hardware.

The systemic weaknesses that have surfaced to date, which have enabled criminals to organize computer-assisted fraud, are primarily failures of technology governance, which have crossed professional, cultural and regulatory boundaries.

This raises many questions. How does a company decide who to trust to look after the security of the organization, and above all, how does one select, train, motivate and update these employees while ensuring their loyalty and discretion? Outside of the organizational aspect, how does a company make it easier to use trustworthy security services and suppliers?

Cybersecurity might be associated with hardware and software in most people’s minds, but the issue of trust is of paramount importance in reducing cybersecurity risks.

Again, questions are raised on who trusts whom with their identity and personal information? How does management distinguish between exercising trust and being trustworthy, and for many remote service providers, how does one build trust online?

Following cybersecurity failures, how does one rebuild trust, if at all? The LEAP conference will examine some of these issues.

In the meantime, governments around the world are encouraging companies to conduct more cybersecurity awareness exercises, in order to promote extra layers of expensive monitoring and blocking threats to make institutions feel safer. But oftentimes these exercises lead to no significant improvement in corporate security.

Modern cybersecurity has raised many difficult and often inter-linked questions, including the issue of trust. However, for many years, before online transactions became the norm for many sectors, transactions took place based on the premise of “my word is my bond” on person-to-person identification.

However, in the current fast-paced online world, personal identification becomes somewhat irrelevant to many transactions, and some market transactions even require anonymity in order to avoid distortion.

Given that the younger generation is more comfortable with the use of technology compared to their elders, the issue of cybersecurity and how to safely navigate it has to be turned into a “cool tool.”

This will highlight the negative impacts of lax cybersecurity to them and to their livelihoods if they are not more risk-conscious and aware of the good careers offered in the sector.

Cybersecurity specialists and back end developers are among the fastest growing jobs in Saudi Arabia, according to new data from global professional networking firm LinkedIn. The LEAP conference is bound to underscore this need.

• Dr. Mohamed Ramady is a former senior banker and professor of finance and economics at King Fahd University of Petroleum and Minerals in Dhahran.