QIB gets ISO 27001 certification for banking information security
Qatar Islamic Bank (QIB), the Islamic bank in Qatar and ranked among the world’s five largest Islamic banks, has received the ISO 27001:2005 certification — the world’s highest accreditation for information protection and security, from the International Organisation for Standardisation (ISO).
The certification was awarded due to QIB’s possession of and compliance with high technical standards of information security, operations and security procedures, especially related to websites and the use of software.
The ISO 27001 is the first certification received by QIB, which places them on par with leading international banks in the space of security and protection for electronic banking and is just the start of an aggressive strategy to carry out technology implementations across the entire information infrastructure.
The CEO of QIB Salah Jaidah said that the ISO certification ensures that the development of QIB’s banking techniques and constant upgradation of information technology, which is the backbone of the bank’s services and administration, becomes its strategic priority. “Throughout the past three years, QIB has implemented state-of-the-art technology upgrades that have transformed the bank’s IT platform into one that offers the latest generation of e-banking services, enhanced features, upgraded global networking and high-performance connectivity among branches,” he said.
The Assistant General Manager of Operations and IT group Hammad Al Zamli said the ISO 27001 certification is the result of establishing the Information Systems and Technology Center in 2008, which is equipped with all high-end technical specifications such as operating systems, surveillance systems, security and protection systems. All this provides high performance and capabilities with non-stop, continuous operations.
“QIB has provided the centre with all the necessary equipment to protect the bank’s information systems, data base and network, in addition to preventing hackers from attacking and breaching the emails. This was done in collaboration with specialised international companies that operate in this sector,” he said.
The receiving of the ISO 27001 certification came after a detailed risk assessment conducted by Paramount Computer Systems Doha Qatar, QIB’s strategic security partner and consultant.
Paramount used several advanced tests including ‘hacking procedures’ and ‘electronic breaching attempts’ to ensure that all the bank’s systems and procedures relating to information security and data protection were operating at the highest standards and efficiency. It studied the ways employees accessed various sites and systems at the main technology centre and the reserve centre and developed and enhanced policies and procedures. Following this, the German Certification company TUV did a detailed assessment and auditing of QIB’s Information Security Management Systems.
This certification is associated with the usage of information security related to electronic banking. QIB will at a later stage expand this process to cover the entire Information Technology Center. The CEO of Paramount Computer Systems Premchand Kurup said the ISO 27001 certification assures QIB’s customers, associates and stakeholders that it now owns very high-end technical systems and an excellent IT environment that provides the highest level of banking information security as well as enhanced banking services especially in the E-banking sector.
“We are happy and proud to have been consultants to QIB for the ISO certification project and thank the management for their confidence in our services and expertise,” he said.
Paramount scales up with branch office in Oman
Security integrator Paramount Computer Systems has enlarged its footprint in the Gulf market by opening a branch office in Muscat, Oman.
The move brings the number of offices Paramount operates in the GCC to six, with two in the UAE and one each in Qatar, Kuwait and Bahrain.
CEO Premchand Kurup claims that the integrator has been able to secure "some significant wins" by supporting Omani clients from Dubai, but admits the time has now come for it to show how serious it is about the market.
"We realised that our kitchen needs to be close to the dining table of our customers - a fundamental pre-requisite for a customer-centric company and hence the decision to open an office in Muscat," he explained. "The new office is testimony to our commitment to our customers who reposed their confidence in us even when we did not have ground support".
Paramount, which provides technology from vendors such as Juniper, McAfee, Blue Coat and TippingPoint, employs 80 people in the region and will initially start with a team of three in Oman.
Kurup insists Paramount is "bullish" about its growth prospects in the country and expects to secure more business with a three-pronged strategy centred on people, processes and technology.
"This will be a strong differentiator in the market," he said. "We seek leadership position here through our excellent mix of technology, knowledge, experienced and certified workforce, and quality partnerships. Our technical capabilities are field-proven. For instance, identity and access management is a crying need today and Paramount is the only company that can claim to have more than 10 successful implementations in the region."
Paramount reels in Barracuda channel award
Paramount Computer Systems has been lauded for its efforts during the past year by vendor partner Barracuda Networks, which crowned the company ‘Best Partner-Emerging Markets' at its recent EMEA Partner Conference.
Paul Thackeray, VP and managing director EMEA at Barracuda, said Paramount had contributed greatly to helping it penetrate the Middle East region through some impressive customer wins, notably in "key markets" such as the UAE and Qatar.
Dubai-based Paramount is one of the few Barracuda partners in the region that is certified in the implementation of Barracuda web application firewalls, which require a high degree of technical expertise and understanding of customer requirements.
Premchand Kurup, CEO at Paramount Computer Systems, claims the award acknowledges the investments the company has made in its business.
"It is a testament to our high levels of technical expertise, service and support in delivering high quality security solutions to clients in this region," he said. "Winning this award has motivated our team to strive even harder to achieve the highest possible standards of performance and business excellence."
Paramount operates offices in the UAE, Bahrain, Kuwait and Qatar, and has certifications from vendors such as RSA, Juniper, Cisco, Microsoft and Trend Micro.
Paramount launches new division for SCADA and Process Control Security
Paramount, the leading regional provider of products and services for securing the Information Assets of Enterprises in the Middle East, has floated a new business division for Supervisory Control And Data Acquisition (SCADA) and Process Control security and has signed a partnership agreement with Industrial Defender, the global leader in Cyber Risk Protection.
Speaking on the occasion, Mr Premchand Kurup, CEO of Paramount said:
'Across the world in recent times, as a result of the migration of control networks from obscure to IP based, vulnerabilities in these networks are being exploited increasingly by hackers, terrorists and individuals bent on disruption and destruction. These systems face threats from computer virus proliferation as well as human error. Many process control/SCADA issues have impacted critical infrastructures costing millions of dollars, loss of credibility with company stakeholders and risks to public safety. As the leading IT security systems integrator in the region, we realized that we needed to dedicate a specialized division to provide consultancy and technology to the Oil and Gas, Real Estate, Transportation, Heavy Industries, Chemical and Defence industries and critical government infrastructures, that need a different approach than traditional IT security. Hence our decision to open a new division for SCADA and Process Control Security.
With nearly two decades of experience in the process control/SCADA environment and all of the security components in place now, Industrial Defender is a pioneer and the only company in the world that can fully protect industrial environments against increasing cyber security threats and help companies meet upcoming global regulatory compliance deadlines.'
'Paramount is proud and happy to partner with a world leader like Industrial Defender and we believe that this association will add a significant value to our customer engagements', added Mr Kurup.
Mr. Matt Auer, Director-International Operations, Industrial Defender commented on the partnership, 'Paramount has an illustrious list of clients and project implementations in the region, a large number of certified technical staff and is the only regional IT security company in the Middle East providing a holistic solution encompassing all three aspects - technology, process and people. We thus see Paramount as the perfect partner to help Industrial Defender achieve its business and marketing objectives in the Middle East'.
A SCADA system collects data from various remote sites and makes it available in a central location for subsequent processing.
Because of the distances involved and obstacles along the path, data is typically transmitted over radio, microwave or satellite links, over a dial-up or leased landline.
Apart from the different media, a whole range of mostly proprietary protocols exist.
SCADA architecture provides a platform for improved access to real-time measurements and instrument diagnostics at remote locations.
Critical business data and information that is extracted from the industrial control system environment is used to maximize production lifecycles, profit margins, and the return on corporate assets.
The convergence of the enterprise IT domain, and the real-time process control and SCADA domains is introducing significant cyber security risk.
The proliferation of IT business system integration, internet usage, remote access, outsourced services, and terrorist threats is significantly elevating the cyber security risk threat within the critical infrastructure domain.
A cyber security incident within the enterprise IT domain may create an intangible consequence of inconvenience for an employee, department, or organization with a disruption to an email server, database, or web site.
The consequence of a cyber attack in a real-time process control or SCADA environment is more tangible and significant and may have a far reaching physical, economic, and social impact on the population.
Paramount hires industry veteran to run affairs
Security integrator Paramount has bolstered its top tier of management by appointing industry veteran G. Ramaswamy as its chief operating officer.
Ramaswamy boasts more than two decades of IT market experience, spanning technical support, sales, channel management and business development roles.
As COO, he will be responsible for all day-to-day operational matters, including strategy co-ordination and execution, resource management, operational quality and efficiency management.
Prior to hooking up with Paramount, Ramaswamy worked with several large IT suppliers. He initially started out at Indian IT services outfit Wipro before moving across to PC vendor Compaq. He then joined Sun Microsystems, managing the storage vendor’s iForce Partner Programme in India.
For the last seven years, Ramaswamy has worked for outsourcing firm MindTree, where he established and ran the company’s Middle East operation for three years prior to taking on a European role.
Premchand Kurup, CEO of Paramount, believes Ramaswamy’s addition will help take the company to the next level.
“He is well respected in the industry for his knowledge and problem solving capabilities,” said Kurup. “Paramount has ambitious business plans in the region and a highly experienced executive like Ram will play a key role in driving our business forward.”
Paramount has offices throughout the Gulf and specialises in providing enterprise-focused information security services.
Next-Gen IT security is required
Providing a safe and secure environment within the constraints of today’s budgets and regulations is a challenge for top management and IT managers. In the context of the current market downturn and increasing risk of data theft by disgruntled employees, creating an integrated and robust security strategy is of prime importance. Turning the spotlight on this critical issue, Paramount, a leading IT security services provider in the region, assembled thought leaders from across the world who shared their views on the latest threats, mitigation strategies and international client experiences at an annual event held at the Atlantis, Palm Jumeirah, Dubai on 16th February 2009. The event was well attended by over 170 end-user delegates.
According to the ‘Data Breach Report January 2009’ – Identity Theft Resource Center in San Diego, “The percentage of breaches attributed to data theft from current and former employees more than doubled from 7 percent in 2007 to nearly 16 percent in 2008. This may be reflective of the economy, or the fact that there are more organized crime rings going after company information using insiders. As companies become more stringent with protecting against hackers, insider theft is becoming more prevalent."
The security summit entitled ‘Optimizing and Securing IT Infrastructure in Challenging Times’ featured presentations and case-studies by top executives from industry leading IT security vendors like Apere, Lancope, Palo Alto Networks and Imprivata. Speakers educated the summit attendees about novel technologies like Imprivata’s award-winning OneSign converged authentication and access management platform, Palo Alto Networks’ Next-Generation Firewall that reduces ‘total cost of IT security’ substantially and Apere's Identity Managed Access Gateway (IMAG) appliance that overcomes many of the common objections medium-sized enterprises express about identity-based access control.
Topics of discussion included Network Behaviour Analysis (NBA). Lancope's market-leading StealthWatch family of products was introduced as the only Network Behavior Analysis (NBA) and Response architecture that unifies flow-based network security and network optimization into a single, integrated enterprise platform. There were also presentations on Identity Governance and Management and the role of Virtualization in optimizing tomorrow’s infrastructure.
Speaking about the event, Premchand Kurup, CEO, Paramount said, “Last year when we launched our foray into the Identity and Access Management space with an appliance based solution, the market was slow to accept. The economic melt-down is a game-changer. Productivity improvement, cost savings and compliance in a secured infrastructure is more relevant today than ever before. The biggest security threat today is ‘laid off employees’ and the absence of a clearly defined exit process. Concerns arise over data theft by terminated employees. Prudent investments in Identity and Access Management (IAM) is the need of the hour. Data Loss Prevention (DLP) particularly through USB drivers is also of vital importance. You can count on your fingers the number of companies in the Gulf that have implemented IAM & DLP. The purpose of the event was to provide CIOs and IT Managers with new concepts that will help them create next-generation datacenters with next-generation security within their organizations”.
Paramount is the only regional IT security company providing a holistic solution encompassing all three important aspects – Technology, Processes & People. The company propounds that customers should ensure that internal staff have leading-edge certification like CISSP, CISM, CISA and ISO 27001, processes and methodologies are within the ISO 27001 framework and technologies are in place for secure content management, data leak prevention, perimeter security, internal network security, identity & access management and vulnerability, risk & security event management.
With an illustrious list of clients and project implementations in the region, a large number of certified technical staff and best of breed vendors, Paramount is recognized as the region’s leading IT security integrator and consultant.
“Paramount is prepared to help companies perform a ‘Proof of Value’ following the summit”, added Mr. Kurup.
Gulf businesses face internal data theft threat
Leading experts have warned that Middle East businesses are particularly vulnerable to data theft from their own employees as a result of economic slowdown.
Speaking at an IT security summit hosted in Dubai on Monday by IT security provider Paramount, representatives warned that stronger identity management policies would be essential in curtailing malicious attacks by discontented employees and those facing redundancy.
“Last year when we launched our foray into the Identity and Access Management space with an appliance based solution, the market was slow to accept. The economic melt-down is a game-changer,” said Premchand Kurup, CEO, Paramount. “The biggest security threat today is ‘laid off employees’ and the absence of a clearly defined exit process. Concerns arise over data theft by terminated employees. Prudent investments in identity and access management (IDM) is the need of the hour.”
Kurup warned that IDM policies were significantly lacking in the region and that businesses were also vulnerable to data loss because of deficiencies in data loss prevention (DLP) strategies. “You can count on your fingers the number of companies in the Gulf that have implemented IDM & DLP.”
His comments were supported by Maurizion Desiderio, regional director for Imprivata. “Businesses have spent a lot on protecting themselves from external threats,” he said. “However, with the current economic situation, the internal threat is now the greatest.” According to Desiderio, 75% of all IT fraud operations are committed by insiders. “Enforcing and monitoring employing access control is critical,” he said.
GCC IT security market holds vast potential
There is immense potential in the GCC IT security market, said the head of a regional security solutions company.
And as an industry leader with 12 to 14 per cent market share, Paramount Computer Systems (PCS) has a lot of room for growth, said Premchand Kurup, CEO of the e-security provider. Though enterprises are vigilant about their IT security budgets they are not shying away from employing consultants for security services, he added.
PCS saw a 40 per cent growth in its services division last year, he said. It operates in four GCC states and made revenues of $17 million (Dh62m) last year. Though new implementations are slow for the IT solutions provider, it still banks on its existing customer base and expects to grow 65 per cent this year.
IT security companies have been optimistic despite the global recession. How has the business scenario changed for a solutions provider such as Paramount?
Only companies that have businesses spread across countries are relatively immune to the financial crisis. This is mainly because some better-performing countries make up for the rest. Enterprises are still spending on security but are far more circumspect and comprehensive on their commercial valuation.
From our budgeting point of view, Paramount will grow at 25 per cent above our topline, which is the same level as last year. As an organisation, it was important for us to grow at the same level in recessionary times.
Will the growth come from new business or the existing customer base?
About 65 per cent of our growth will come from existing customers, as they are more knowledgeable on security and technology. These customers understand risks and they realise that technology and processes are insufficient and add on every year.
Only around two to three per cent will come from new business, but I still believe there is immense potential in the security market. The Gulf market is worth $90-$100m and, as one of the market leaders in this space, Paramount has 12 to 14 per cent market share, leaving a lot of room for growth.
How have your business margins been affected?
Business margins are affected more in Dubai. Margins have come down by 15 to 20 per cent. This is again based on the kind of services provided to customers. With value-added services, margins can go up to 30 to 35 per cent. At Paramount, we are also careful about choosing our customers. Paramount works with 19 technology companies and we have 42 internally trained and certified staff in all of them. Therefore service is a big focus for us.
How has the change in pattern of customer purchases affected your finances?
It is difficult to explain our financial situation based on the first six months of the year because we had a bad first quarter. But things became better in the second quarter. We expect to be back on track by the last two quarters. After the completion of the second and third quarters, we will have a clearer picture.
On the other hand, on meeting customers it is clear that Dubai is definitely affected. Customers put on hold their tech purchases, especially in the first six months of the year. The banking vertical, which is a strong business area, has also reduced spending on security. But this will change in the last two quarters of the year.
How much was the banking sector contributing to business and how has it affected your overall business?
The banking sector contributed 30 per cent to overall business. We are not UAE-focused but a regional entity, and in Qatar, Bahrain, Oman and Kuwait we saw significant traction, which has balanced the negative impact in Dubai. Abu Dhabi, Qatar and Kuwait have shown growth, especially in the government vertical.
What are the kinds of implementations happening this year in the region?
In a security architecture, the customer has a large network consisting of LAN, WAN and internet connection. On top of the network architecture we superimpose a security infrastructure, which involves the implementation of the gateway, firewalls, IPS and secure content gateways. These are not short-term projects and involve multiple security companies such as TippingPoint, McAfee and Juniper.
In the case of banks, new projects started at the end of last year spilled over to this year. Identity and access management have been a major business area, which involves qualifying the person coming into the network apart from the basic user ID and password based on a token. Passwords for these applications have to be changed every month and a single sign-in will sit in between the user and the application. There are biometrics for senior management.
Technologies such as identity and access management happened only at the end of 2007 and the beginning of 2008. Therefore, most of the implementations only happened last year. Fourteen were implemented in the region in telecom, oil and gas, and banking sectors.
Customers don't need a huge budget and can justify this cost unlike other security technologies. They also want to see a faster return on investment – within six to nine months.
Just 14 implementations in the Gulf – isn't that a small number?
Yes, that's true because customers have still not understood the value of this. In many cases, IT security has come in focus lately, only after the global recession. Employees being terminated are huge so security risks exist. Therefore technologies and processes have to be put in place.
Another area that is not given its due importance is data leak prevention (DLP), as customers only focus on the perimeter but not the security of data. This message has to be conveyed to large customers as information is at huge risk.
Among the 14 implementations, at least 80 per cent are in the UAE. Most are first implementers of such technology. Banks are normally the early adopters followed by the government and telecom. This year at least 10 more new implementations will be finalised, including Kuwait, Bahrain and Qatar.
In IT budgets, do you see enough resources allocated to security?
If you look at American and European companies, at least 10 per cent of the IT budget is spent on security, while in the Gulf it's only two to three per cent. The reason is lack of knowledge among customers on security risks. If the senior management is not aware of the current risks they will not spend. This can be done if a risk assessment process is put in place. By doing this, an organisation is able to understand the vulnerability of its assets. Paramount has a consulting practice and we see a good number of customers looking at services before making a buying decision.
For Paramount, the growth in consulting services has been 40 per cent.
What is the next level of growth for Paramount? Would you venture into non-security areas?
Paramount will continue to focus on security as there is a lot of untapped market potential. As I mentioned, it is worth up to $100m not including Saudi Arabia, which is another $100m. We are now looking at increasing our market share to 20 per cent from the current 14 per cent.
Paramount's next level of growth in services will be in the Indian market. The market there is not crowded and we see immense potential. In the DLP and application security practice, there are few specialists in India.
Soon water, oil, gas and security will be controlled by one network. Today the network for these utilities is closed and managed by devices based on metres. But these networks are connected to the internet and therefore a backdoor entry is possible. It will be possible to stop electricity from the data network as the security is the same for IT and the utility.
Today there is no one specialising in this sort of security systems, but we are gearing up and already have four employees trained in this area.
Examining evidence
In the labs, forensics implies the tasks involved in taking apart a particular crime after its incidence to understand how and why it was perpetrated. This is done with the ultimate aim of using the evidence to bring in the criminal.
In information technology, forensic services involve similar ambitions and goals.
“Cyber forensics is the term used for the technology related to forensics activities. It is the application of investigation and analysis techniques used to gather evidence which is to be presented in a court of law or relevant authorities to arrive at a conclusion after a particular incident,” says Ahmed Baig, head of business management and advisory services at eHosting DataFort (eHDF).
“Cyber forensics employs digital evidence from multiple areas such as deleted files or erased partitions on hard drives and other memory storage devices, reviewing log files from various devices like firewalls, intrusion prevention, as well as security events and information management (SEIM) tools,” continues Baig.
There are others in the industry who believe that forensic services can incorporate both post-event analysis as well as prevention techniques.
“Certain expressions can mean different things to different people. I think for many businesses you could bring this down to one of two things. It is either pre-emptive analysis of their environment, which many people do and is called penetration testing. This is basically going into an organisation and looking for weaknesses that could lead to some sort of security breach and that can be everything from the technical, to implementation and processes. Equally we could be called in after the fact as well to understand how and why things have been done, to help them understand how security is achieved and to make sure that it is not done again in the future,” opines Greg Day, EMEA security analyst, McAfee Avert Labs.
While most security companies offer penetration testing as a service in the region, there are also a few that offer forensic services to analyse what went wrong after a particular attack.
“People ask us to analyse some incident or other and we perform a full examination of the material provided. We pass on our findings which are then used in court or by other agencies. Our descriptions are also used by organisations to formulate preliminary expert appraisals,” explains Stefan Tanase, researcher, global research and analysis team over at Kaspersky Lab EEMEA.
Similar services are offered by eHDF, which has a team based within the region, as well as McAfee which calls in experts from Europe. While a significant number of large enterprises in the Middle East, especially those who are sensitive to data loss, call in the resources offered by these firms, especially for pre-emptive penetration testing, many of them still do not believe in having an in-house person to constantly test their network and applications for vulnerabilities.
“Ethical hackers are traditionally security experts or analysts who perform penetration testing activities on the applications, systems and networks upon formal approval by the business. They are important elements of security as they provide the technology and the guidance required to proactively strengthen related elements before an external hacker exploits the same,” points out Baig.
The role of ethical hackers within an organisation is to constantly test the integrity of the systems to ensure that they are not prone to attacks. Much of this testing is done by simulating attacks and trying to get through the company’s defences, just like any true-blue hacker.
“Ethical hackers in a customer’s internal environment are a definite value add as they will enable the company to answer the question of where the organisation stands today with respect to information security. We need to bear in mind at all times that we cannot protect ourselves from an external threat environment that is dynamic with an internal security architecture and protection process that is static,” says Premchand Kurup, CEO of Paramount Computer Systems.
While the relative availability of ethical hackers remains limited in the region, enterprises that do need such in-house resources can tap into talent pools in either India or Europe. Despite these advantages, hackers remain in the minority within regional organisations.
Counting advantages
Forensics, whether performed remotely or by an in-house team, comes with various advantages.
“People will think twice before committing a crime if they know they may end up being punished. You could say that legal aspects help keep societies in check to a certain degree,” points out Tanase.
Despite this, most enterprises in the Middle East shun forensic services and never invite experts in to understand what could have gone wrong when attackers do manage to infiltrate their protective walls.
One major reason for this is the prevailing mindset, wherein most organisations in the region do not feel the need to reveal any breaches and prefer to keep this information locked within the organisation.
“Just like many other areas, lack of awareness and maturity in the security domain could be the possible reasons. Many organisations don’t realise the importance of security until it fails and results in a major catastrophe,” says Baig.
Even if they do call in external experts for forensic services, most organisations never employ an ethical hacker to monitor internal networks. The major reason for this is that most organisations suspect that any hacker could not be all that ethical.
“The problem with ethical hacking is that some of these “white hats” were once “black hats”. Companies wishing to use such services should be very careful in choosing their ethical hacking partner. The risk they are getting exposed to should be treated seriously. Gathering all historical information and feedback about the partner before getting involved in such a procedure is just the minimum,” warns Tanase.
Moreover, Kurup points out, “Assembling in house talent and retaining this talent will continue to be a challenge for end-user organisations. This space calls for expertise fine-tuning on a regular basis and is best suited for outsourcing.”
Organisations are also likely to face other challenges when using forensic services, sometimes enough to prevent them from using such services at all.
“There are a couple of challenges that you need to get over. The first one is that even when I get information from the analysis it requires some knowledge and expertise to really translate into what it means for my business. This maturity of expertise is still evolving in the Middle East,” says Day.
He continues, “The other challenge is to constantly work on improving your baselines. Businesses often do assessments to get started off and may continue to do that. But they often don’t improve on standards or a set baseline of security. This needs to improve in the Middle East.”
Other common mistakes, which can turn dangerous later on, involve process-oriented decisions.
Baig points out, “In most cases, companies try to hire and evaluate security services like a product or other common services, where the commercial aspect of the proposal is given more importance than the technical evaluation of the security partner. The hiring and background verification process of the people engaged in these services need to be closely reviewed prior to making a choice. The track record of a security partner and their previous engagements and history also need to be comprehensively evaluated.”
However, the mistakes most prevalent regionally are those that stem from general apathy and a prevailing mindset that refuses to acknowledge these tests as a continuous process.
“Many organisations say, ‘I am not the biggest business in the world, why would somebody target me. And since I am not a big target, then I won’t need to do this kind of testing.’ What people don’t understand is very often attackers are not targeting businesses per se, they are targeting a weakness that they have discovered and then they will go hunting around to see which businesses are vulnerable to that,” says Day.
He continues, “One of the other mistakes is not realising that this is something that needs to be done on an ongoing basis. It is easy to say we have gone out, we have got the assessment, we have ticked the box. Threats evolve on a day-to-day basis. This is not just a one off assessment.”
Kurup agrees, adding, “Audit of networks and applications should be seen as an activity that you perform with ritualistic regularity - quarterly, half yearly or annually depending on the criticality of your information assets. This has not yet become a practice in the Gulf. Today it is just a knee jerk reaction to a problem but I am confident that we will eventually get there.”
Along the maturity curve
Most industry experts believe that the Middle East is on the maturity curve with regards to information security, and it won’t be long before more enterprises, large and small, adopt forensic services as well as ethical hackers.
“The nature of most emerging markets dictates that such services will take a lot more time to be fully adopted. Computer forensics or ethical hacking are such niche services that can reach popularity only in a mature market,” states Tanase.
The ongoing recession is likely to curb any growing interest in this area. However, there is every chance that the region will see increased adoption of forensic services and in-house ethical hackers, along with resources that facilitate this interest.
Things to watch out for
When conducting forensics there are a few key points that organisations need to keep in mind. Some of them are outlined below.
1. Outsourcing or not: Decide early whether you want to use a service provider or you want an in-house team to do forensics and regular testing. The in-house team can provide you with regular feedback, while calling in an expert can give you a valuable third-party idea of your defence measures.
2. Check references: Only hire an ethical hacker if you are sure of his or her background. Research his or her references and collect as much information as possible before hiring. You would have to do the same even if you are hiring a service provider.
3. Set up a safety net: Create an escalation methodology in-house when you call in a service provider or ethical hacker. Make sure that you monitor their tasks to ensure that you know what is going on and to prevent anything amiss from occurring.
4. Implement results: Conducting an assessment or doing forensics is no use if you don’t use the recommendations and results that come out of it. Implement changes based on expert feedback.
5. Regular repetition: Conduct tests on a regular basis so that you are not caught unawares between one assessment and another far-flung one.