Author(s):Several

A Guide to Information Security and Data Protection Laws in GCC Countries

New challenges have arisen with the technological development along with the social and economic globalization. It can be said that our entire personal data is being stored in the gadgets we use. Internet today has brought millions of unsecured computer networks into continuous communications with other networks. With the advent of information being stored electronically, more and more people use online banking and shopping services, social media, location-based services, mobile services for their everyday activities. This results in the collection of an enormous amount of digital trail of personal data of these users which are left all over the internet. The security of each computer’s information depends upon the level of security of other computers connected to it.

In the recent years, with the realization of the importance of Information Security to both national security and the corporate world, awareness of the necessity to improve Information Security has grown and is ever increasing.

In this guide, we will address the following questions regarding Information Security:

What is Information Security? Is there a need for Information Security? What is the relevant legislation for information security in UAE and other GCC countries? What are information security agreements/ clauses and what needs to be added to these clauses/agreements?

What is Information Security?

In the earlier stages, information security was a simple process composed of predominantly physical security of documents and its classification. The primary threat faced by companies were theft of equipment, product espionage of the systems and sabotage. One of the earlier documented cases of security problems occurred in early 1960, where the systems administrator was working on the Message of the Day and another administrator was editing the password file, when a software glitch mixed the two files, causing the entire password file to be printed in every output file.

With the growing concern about States engaged information warfare and the possibility that business and personal information systems being threatened if left unprotected has made Information Security (InfoSec) emerge as a method to ensure the confidentiality of the available data and also the availability of technology enabling the delivery and processing of that data. In simple terms, it can be explained as the protection of information and systems from unauthorized access, disclosure, alteration, destruction or disruption.

It can be said that the main objectives of information security are:

Confidentiality

Which refers to the preventing unauthorized access or disclosure of information and providing its protection. Confidentiality means ensuring that the individuals authorized are able to access the information and those who are not authorized are prevented.

Integrity

It is the protection of information from unauthorized alteration or destruction and ensuring that the information and its systems are uncorrupted, accurate, and complete.

Availability

Means to ensure that the information is available in a timely manner and there is reliable access to and use of the information and the information systems, at the same time, protect the information and information systems from unauthorized disruption

Why do we need information security?

A fundamental aspect for the success of our economy and society is data, and the protection of the same from cybercriminals has become the need of the hour in today's cyber world.

Advanced Persistent Threat (ADT) is a well-resourced systematic attack perpetrated by competing states and cyber criminals who aim at state secrets, corporate espionage, and theft of sensitive data. ADT has added to the breaches of millions of the individual personal, health and financial information, making it essential for institutions that collect and use personal data to develop and sustain a comprehensive security system in order to protect itself against such attacks.

For the security of individuals and the survival of enterprises, it is paramount to secure information resources and protect personal information from being exposed to groups or individuals with malicious intentions. While businesses struggle to survive amidst these critical issues surrounding information security and the increased risk of serious data breaches, governments are also changing their data protection laws so as to adapt and secure itself against these new risks that arise every day.

When companies entrust business partners and vendors with the company’s confidential information, the company is also entrusting them with all control of the security measures for the company’s data. Such a trust cannot be blind.

Examples of InfoSec Breaches:

British Airway's Customer Data Hack 2018

The British Airways recently announced that over 380,000 payment card details and personal data of customers were compromised following a 15-day hack attack from 21st of August 2018 to 5th September 2018 and warning the customers to contact their banks immediately in order to secure the same.

The Bank Heist of 2013

In 2013, the world witnessed one of the biggest bank heists of the century. A team of cybercriminals stole $45 Million (AED 165 Million) from RAKBANK and Bank of Muscat by accessing the computers of their credit card processors. Once they gained access, they increased the available balance and withdrawal limits on prepaid MasterCards issued by the banks. They then distributed these counterfeit cards to “cashers” around the world enabling them to siphon millions of dollars from ATMs. This included over 36,000 transactions which were committed in a matter of 10 hours.

Cryptowall Ransomeware Case

Cryptowall is a file-encrypting ransomware program which was used by its creators to make over $1 million by infecting over 600,000 computer systems in 2014. Once gaining access into the computers, they encrypted the sensitive information files which were only decrypted when the owners paid the ransom. Even though Cryptowall had been spreading since 2013, it had been overshadowed by Cryptolocker, which is another ransomware program. When the threat of Cryptolocker was mitigated, the makers of Cryptowall stole the data by accessing computers through various tactics including spam emails with malicious links and attachments, drive-by-download attack for infected sites with exploit kits and through installation through other malware programs already installed and running on compromised computers.

To read this Guide further, please click here