ALKHOBAR, 1 July 2003 — Statistics, statistics. More than anything else, people are always asking me for numbers defining the Saudi IT market. I always tell folks that their guess is as good as mine! Every researcher I’ve ever spoken with has told me that the Saudi market is one of the most difficult in the world to accurately represent and predict, but companies keep trying.
One of the best briefings on the potential market for IT in the Kingdom is available online, free of charge. The country report for Saudi Arabia is part of the third edition (2002-2007) of SPS/Spectrum’s Global Economic and Information Technology Market Forecasts, which identify where IT growth is occurring, how rapidly the markets are growing, and the size of the IT markets in 2002, 2005 and 2007. According to Strategic Planning Services (SPS)/Spectrum Economics, in the Forecasts, “data is provided on a country-by-country basis for 35 nations, five regions, and the world, and analyses consider the effects and implications of the bursting of the ‘dot com’ bubble in 2000 and 2001, global terrorism, and the worldwide economic slowdown. The report summarizes key risks and opportunities related to business activities and IT markets in each country, and the data facilitates a comparative analysis that will pinpoint where market opportunity lies for those companies providing IT products and services, and the magnitude of that opportunity. The foundation for each country’s IT market forecast is a detailed economic and business ‘climate’ analysis that identifies key factors that will affect that IT market. The effects of terrorism are considered, and where there is significant risk of terrorist activities, an assessment is made of the impact of such concerns on IT budgets. An evaluation of each country’s current and potential future use of electronic commerce is also provided.”
Published in February 2002, the Global Economic and Information Technology Market Forecasts (2002-2007) is 407 pages in length, contains 322 tables and exhibits, and tracks and forecasts 14 categories of IT spending and three economic measurements. The global report is available in print ($2,450) and electronic form ($5,950). Fortunately for all of us in Saudi Arabia, the country report on the Kingdom is being made available as a sample profile. The 10-page economic and IT market forecast for Saudi Arabia may be downloaded from http://www.spececon.com/sampchap.pdf.
Now, on to my favorite subject, IT security. Ten days ago a technology security round table in Dubai was chaired by Cisco Systems, eHosting DataFort and Tech Data. I couldn’t be there but I did arrange to have a transcript of the session sent over by e-mail. IT security has the potential to be a massive growth segment in the Middle East market. Unfortunately, vendors know this and are trying to capitalize on the situation. These days, no matter what else a vendor is selling, they are trying to push IT security products and solutions at customers. The problem is that this strategy isn’t working well. Customers, especially small and medium-sized businesses, are still extremely confused and hesitant to make significant investments in IT security. Dorian Breakspear-Coyle, Cisco Business Unit Manager at Tech Data, summed up the situation, pointing out that, “Many businesses today spend more money on coffee than on their security.”
I have emphasized before in this column the well-known line that security is a process, not a product. Education is the key to helping people understand the importance of IT security. Decisions regarding IT security must be based on sound analyses and carefully thought-out policy. All IT security specialists consider poorly implemented network security to be worse than no security because of the false sense of protection it engenders.
“Security is a serious business,” said Cisco Systems’ business development manager, Tim Scott. “All organizations, large and small, private or public, need to realize the power of information and the necessity of protecting it. The initial step is having a security policy that establishes standards for what is permitted or denied within the framework of the company.”
In his presentation at the security round table, Jamil Ahmed, senior consultant, security assessment services, eHosting DataFort, started out by discussing the Distributed Denial of Service (DDoS) attack. DDoS has received much attention, especially from Internet service providers (ISPs) and large enterprises, because such attacks gobble bandwidth and have the potential to be devastating. With DDoS, a hacker sets out to bring down a target server.
“To make sure he brings the server down, the hacker is going to need a lot of computers,” explained Ahmed. “Also, he wants to make sure he doesn’t get caught so he’s not going to do it directly. Using tools over the Internet, he identifies a number of machines that he can compromise, and he installs agents on those machines. Finally, the hacker will issue an instruction to begin the attack. All the compromised machines launch a coordinated attack on one server, and are sure to bring that server down.”
While such an attack is serious, it is also apparent. Try a different scenario. What if someone were siphoning off information from a corporate network and the company was completely oblivious that a possibly prolonged intrusion was underway? Welcome to the wonderful world of wireless.
“Wireless is growing at a very fast rate, simply because of the cost and ease of implementation,” said Ahmed. “Before, when you wanted to create a new network, you had to rip up the floorboards and lay cable, etc. If you planned to do that over the weekend, come Saturday morning you’d be lucky if the whole thing was up and running. But with wireless, it’s very easy. You buy an access point, you buy a few wireless cards, you plug them in and away you go. Within hours, you’ve got a new network up and running. But no one really thinks about the security.”
According to Ahmed, that mistake can be an ugly one. Take a network and add a wireless access point. If that wireless access point isn’t securely configured, then a route has been created for a hacker to bypass all of a company’s security mechanisms and security investment, and rip straight into the heart of an organization’s information delivery system.
What people don’t understand about wireless access points is that they’re constantly broadcasting information. That broadcast can go anywhere from 100 to 400 meters. This means that someone in the next office can pick up the network. Someone in the next building, someone in the car park even, can access information that’s supposed to be unavailable to outsiders.
“Hundred to 400 meters for a hacker is still not good enough,” commented Ahmed. “So what can a hacker do to increase that range? He can modify his computer’s wireless card to add an external antenna. In tests it has been shown that using this technique a wireless network could be picked up from about a mile away. So a hacker could be sitting in his home, and provided the geographical conditions are right, he could pick up the network.
“Actually, even this is not good enough for a hacker. We can now have a PDA, with a wireless card attached to it, and use that as a hacking device. Someone could be in the lobby of a building, playing with a PDA. Everyone would think that this person is looking at his notes or his calendar and he’s actually hacking a network.”
What’s the bottom line in all this? Decision-makers need more education on IT security issues and technologies. Legislation on cyberspace security that was promised years ago must become a reality. ISPs have to concern themselves with more than the control of distributed denial-of-service attacks; it is time that they also offered customers secure connectivity solutions as a value-added service.
“From the smallest to the largest organizations, once logged on the Internet, hardware and software are all subject to intrusion one way or the other,” said Breakspear-Coyle. “Businesses must treat IT security as a primary matter and adopt it as part of the business policy instead of a casual overhead.”