The ABCK-AmCham Kuwait held a ‘Data Loss Protection (DLP), Cybersecurity, and Best Practices in Kuwait’ panel discussion, with the support of the Communication & Information Technology Regulatory Authority (CITRA) and the U.S. – Kuwait Business Council. The panelists for this discussion included Mohammad Altura -Chief, Market Regulations & Competition at CITRA, Vivek Joshi – Deputy Counselor for Economic Affairs at the U.S. Embassy in Kuwait, Alain Sanchez – EMEA CISO at Fortinet, Majd Abbar – National Technology Officer at Microsoft, Ayed Al Qartah, M.Sc. – Technical Solutions Architect at CISCO, Faisal M. AlAli- Enterprise Risk Management Manager at Zain. The discussion was moderated by Dana Winner, M.Sc. – Cybersecurity Policy & Certified Information System Security Professional (CISSP).
In his opening statements, ABCK- AmCham Kuwait’s Chairman, Frank Belonus welcomed the panelists and moderator and gave a special thanks to CITRA, the U.S. Embassy of Kuwait, and the U.S.-Kuwait Business Council for their support. He then introduced Dana Winner as the moderator for this discussion.
Winner introduced the topic by talking about the statistics on data breaches between August 2019, and April 2020, as the average cost of data breaches was estimated at 4 million USD in the U.S., in which healthcare data breaches cost more than 7 million dollars per breach, making Cyber-attacks a major costly issue. The core principles of cybersecurity are confidentiality, integrity, and availability (CIA). She stated that the purpose of this discussion was to create a better understanding of the subject of DLP, how it is related to cybersecurity, and details on how to better respond to threats and strengthen our vulnerabilities, especially in Kuwait.
Winner started the discussion by asking panelists about the entity responsible for DLP and Cybersecurity on a Macro and Micro level. Sanchez stated that we all have a global responsibility to imagine, design, maintain, and communicate cybersecurity to keep crucial assets safe. Cybersecurity is now more than technology; it is a mission that is to make our hyper-connected world a safer place. He added that in the past there was a department essentially in charge of cybersecurity, but this scope has now expanded. Joshi agreed and said that every incident begins with an individual; therefore, the responsibility falls on both the collective and the individual. According to Altura, the government is responsible for building awareness and ensuring an understanding of the risks that cyber-attacks pose to nations. He said that trends are happening at this time regarding national cyber-strategies, especially in building awareness. The government’s IT infrastructure is incredibly critical to building resilience and better protection for the nation. Abbar built upon this comment by proving a corporate approach, stating that the entity responsible is the one in the organization that can best propose recommendations to the security department, to ensure that red flags and hints do not go unattended. Al Qartah stated that cybersecurity breaches heavily affect the reputation of organizations, and cause major financial loss, and have multiple negative effects which can truly damage companies. He advised participants to be wary of different types of attacks as they evolve, for example, phishing attacks combined with social engineering are often used to compromise systems. AlAli finalized this question by stating that it is the responsibility of every single person however the main responsibility falls upon the CISO or the cybersecurity department, as it is their responsibility to enable the company employees to have the tools and awareness to fight off cyber-threats and protect crucial assets better.
Winner asked the panelists whether there is a specific budget that companies follow for cybersecurity and DPL. Joshi noted that the budget is inversely proportional to the amount of education and awareness. Higher awareness = Less budget as it has a direct economic impact in terms of how much an organization would be required to spend on cybersecurity. Altura spoke about the digital transformation hype happening in the industry, which reduces the cost of running IT within the organization, by using providers for secure cloud solutions. He mentioned that these providers can take on the cost of infrastructure as they already provide this, so the budget need for this infrastructure will be reduced. By using cloud computing to secure data, the customer can focus on the core business as the provider is mostly responsible for the security aspects of the cloud. Abbar mentioned by using cloud solutions, the responsibility becomes shared, but a large portion goes to the provider instead of the customer, he mentioned that the budget for this goes from 2% to 15% percent based on the organization’s needs. According to Al Qartah, the more regulated the organization the higher the cost that they must pay if they have a breach. Organizations must know where data is always stored by doing a data classification process, which is a continuous journey. AlAli also discussed that in his point of view, being a hybrid (cloud and on-premises) is most effective because in the case that companies input all their information on the cloud, and a country decides to issue a law in which all customer data must be in the country, it will be incredibly costly to bring all the data back into the server. Sanchez advises cybersecurity offices to present scenarios to not make the decision alone in order to involve the entire C-Suite. Instead present the scenario to the clients, the partners, and stakeholders, so that everyone has a voice, and all agree to go at a specific level of risk and investment, to make a collective and informed decision.
Winner finalized the discussion by talking about the colonial pipeline shutdown caused by ransomware, and the breach on the solar winds supply chain breach. She asked panelists where we must assume that we will be breached and what should be our response if we are at that risk. Abbar mentioned that there is a 0-trust policy that is not a matter of if but when you will be a breach, how to detect it and how to recover from it, we must strengthen the international rules to ensure there are laws to deal with these attackers as one of the crucial steps. Al Qartah stated that we cannot rely on conventional security for attacks like that previously mentioned, we need to start with changing the rules of engagement, so we need to ensure that the environment is hardened, by increasing visibility, threat hunting, and 0-trust model to ensure that excessive trust that is given to network management tools is risky if it is being used by an adversary. Al Faisal spoke about the methodology of assessing the data, classifying the data, encryption, and masking, he says even though it is a matter of time to get breached, we want to make it harder for hackers to get the data if we follow a good methodology of encryption for critical data. Sanchez says that by educating your people whether they have the technical knowledge or not, you are raising the levels of cybersecurity in your company, along with using methods such as encryption, and authentication for passwords. Joshi said that quickly disseminating information on threats is incredibly important as is learning from mistakes from others. Altura agreed that learning from mistakes is incredibly important, by having organizations being more transparent about their breaches, others can learn how to protect themselves better, and this can be of great service to the rest of the world. Countries should implement transparency laws to help companies protect themselves through information sharing.
Winner closed the discussion by offering the audience the support of AmCham Kuwait, in order to support data protection in Kuwait. She thanked the panel for their crucial input, and she mentioned that the meeting was recorded and can be found on AmCham Kuwait’s YouTube.
Read Today's News TODAY... on our Telegram Channel click here to join and receive all the latest updates t.me/thetimeskuwait
