By Tareque Choudhury, Head of Security Practice, Middle East and Africa – BT
In the Middle East, Internet security has been on people’s minds for some time, as most Middle Eastern countries enforce URL filtering at a national level via the main Internet Service Providers. The reasons for having such a grand security infrastructure are twofold — first, it is to keep Internet browsing in line with what is morally accepted in the region; and secondly, it protects citizens from threats that occur from inappropriate parts of our digital world.
Security investment has been around in the Middle East for at least the last 10 years. In Sub-Saharan Africa, we haven’t really seen the maturity of information security; and it’s only recently that projects are starting to come out as organizations are trying to get into mainstream markets. South Africa, however, is a different animal altogether from the rest of Africa. The maturity of information security in large organizations there comes as a relief: we see not only security from a technology perspective, but also compliance, business continuity and true end-to-end information security programs.
If we swing back to the Middle East — what is driving information security in the region is technology. The domain of information security encompasses people, processes and technology. Time and time again, the majority of the organizations in the region fail to recognize that just putting in firewalls and some anti-virus is not enough to ensure their adequate protection. Not only does each company need to protect itself from the digital world, but it also needs to protect itself from its own employees. And this can only come when technology is coupled with good processes and the right people.
It’s not to say that URL filtering at a national level is giving the citizens a false sense of security. Rather, it’s just that more awareness is needed to ensure that each person has an understanding that information security in the region is more than just technology.
If we look at the United Arab Emirates (UAE) — they have taken great strides to provide cyber security awareness across the country. The UAE government established a CERT (computer emergency response team) a few years ago and within the last six months, they did an ad campaign on the major roads and even had a cyber security mascot promoting security on the Internet. They should be applauded for this effort that was not only directed at organizations but at home users, as well.
The Kingdom of Saudi Arabia, the country in the Middle East with the most IT spend, invests heavily in security from a technology perspective. What I’d like to see is more being spent on awareness, processes and talent; I’m sure that will happen eventually, but it may take some time. Each organization must ask itself how much time it will take to put in adequate controls — does it wait until something happens, such as defacement of its website, or loss of connectivity due to denial of service attacks? But the real question is whether organizations can be self-critical. We call it a risk assessment — assessing where the weaknesses within your organization are and knowing where to invest and how much to invest in security.
In upcoming blogs, I’ll talk about South Africa in depth and discuss some of the great things that are happening there with regard to information security. And later I’ll report on information security in Egypt, which has the most Internet users in the Middle East and North Africa region. We’ll even get a chance to discuss what is happening with security in Pakistan as well, a politically charged landscape that is touching every facet of information security.
Until next time, goodbye, salaam (Arabic), tot siens (Afrikaans), au revoir (French as spoken in North Africa), kwaheri (Swahili).
