Abdullah Al Ali, CEO of Cyberkov, talks to The Energy Year about the company’s role in cybersecurity efforts within the oil and gas sector and the evolving risks that must be dealt with within the cybersecurity industry. Cyberkov is a Kuwaiti professional cybersecurity firm providing a targeted set of security services.
How have cybersecurity risks evolved in the past years?
When we started the company, we provided mainly 35 sets of services, between advisory services, penetration testing, vulnerability assessment, digital forensics, incident response, training, awareness, phishing assessment and blockchain and email fraud investigations.
In 2020, we made some shifts in our business model, expanding our set of services to include fully managed security operations and end-to-end vulnerability management to help the clients fill the current gaps in their cybersecurity programmes.
We saw an exponential rise in ransomware attacks targeting organisations of all sizes, including those in the supply chain, which is the most risky and damaging type of attack. After these types of attacks, the whole oil and gas sector massively invests in cybersecurity. They acquire the best technology and hire the best people, train their own people and make big changes when it comes to cybersecurity. However, the attackers can also shift their strategies, and they start attacking the supply chain and third parties who work with all of this critical infrastructure, which are easier to target and compromise the critical infrastructure of companies.
We have seen that a couple of big companies here in Kuwait working with the oil and gas sector have been hit by ransomware attacks, and they were completely shut down. They had significant downtimes and delays in deliveries.
So, we shifted our strategies. When it comes to providing services, we now provide 24/7 cybersecurity surface protection and incident response.
What is the level of awareness and understanding of cybersecurity risks in Kuwait?
I think we are still not mature enough when it comes to understanding the risk and the damage that can be done by cyberattacks. All of these groups who launch the cyberattacks are sophisticated and well-trained because they make a lot of money off ransomware attacks.
They operate just like companies. They have analysts and third parties, and they work with engineering and development teams. They develop sophisticated malware that goes undetected even by the most advanced cybersecurity protections. In a matter of an hour, they can enter a network and do serious damage by implanting a lot of backdoors, stealing information, credentials, confidential documents and more. Then, they blackmail the victim by threatening to publish the stolen data, causing serious damage to reputation which can end in legal and economic challenges, as well as trust issues from the customers.
I think GCC countries have made a significant effort to close these gaps and to build their capacity and capabilities. Most companies I have seen are investing a lot, and they understand the risk. Saudi Arabia is a leader in this respect.
Governments generally are taking good steps, although some of them are still operating under an old mentality. A key issue in the GCC region and especially in Kuwait is the lack of regulatory and compliance matters, as well as the gap between the public and private sector.
Does the Kuwaiti private sector understand the potential cost implications of ransomware attacks?
We see the private sector as quite weak in cybersecurity in terms of understanding the value or return on investment in cybersecurity. Usually, the only way they invest and take it seriously is after they have been hit with ransomware attacks.
These attacks can paralyse the entire operation of the companies, making them return to a pen-and-paper way of work in the age of digitalisation. Another issue is corporate and industrial espionage implications, which should be considered as well. The main issue driving this private sector weakness is that there is still no regulation in Kuwait to force the private sector to follow at least a minimum requirement for cybersecurity, like in the UK.
In the UK, the government helps mitigate the damage of cyberattacks by forcing SMEs to implement minimum security requirements in order to do business in the country. This came after a significant increase in cyberattacks, espionage activities and ransomware attacks targeting UK SMEs, where around 60% of those SMEs hit by ransomware attacks could not recover, forcing them to close their doors and shut down business, based on a recent UK study.
Sometimes, the cost of the ransomware recovery is higher than shutting the business down. This is what we see: when companies in Kuwait are hit by ransomware, the cost is sometimes double or triple what they would have invested in the first place to prevent this.
Because of these successful attacks, top management loses the trust of their own team, they change technology and sometimes replace a lot of hardware in order to recover operations quickly. This leads them to spend more money without a proper strategy. Additionally, they suffer from media issues as well as legal issues with clients. Sometimes, the attackers leak a hundred gigabytes of confidential information and business strategy. This leads to embarrassment between business partners, especially for companies dealing with international businesses.