Article:

VPN usage by business

05 September 2016

Recently an amendment to the 2012 Cybercrime law (Federal Law 5 of 2012) was proposed. The law relates to committing crimes using means to falsify and/or hide a user’s Internet Protocol (IP) address, thus preventing the discovery of the actual IP address of the user and therefore the identity of the user.

This is typically done through: a. Falsifying a user’s IP address (also referred to as ‘IP spoofing’), which allows the user to take on a different identity on the network. b. Virtual Private Networks (VPNs), which are used to create a secure and private connection, through encryption, between the user’s computer and another computer.

Businesses and institutions are heavily reliant on VPNs to conduct safe and secure data exchange, and the Telecommunications Regulatory Authority (TRA) has assured businesses and the public of its commitment towards safe and smooth activities for UAE-based companies and institutions. Therefore, Article 9 of Federal Law No. 5 applies to those who misuse this technology for criminal activities and to prevent their discovery.

The 2012 version stated that whoever uses a fraudulent computer network protocol address, by using a false address, or a third-party address, or by any other means for the purpose of committing a crime or preventing its discovery, shall be punished by imprisonment and a fine ranging from AED 150,000 to a maximum of AED 500,000, or either of the two penalties. The revision to this article tightens the penalty for violation and proposes temporary imprisonment and a fine ranging from AED 500,000 to a maximum of AED 2 million, or either of these two penalties. The change is significant, and relates only to the quantum of punishment.

Cyber crime is a major concern, due to its significant impact and high likelihood of occurrence. Law No. 5 on combating cyber crimes provides important information on unlawful activities related to Information Technology along with penalties. It is important that individuals and organizations alike understand this and take the necessary compliance measures. Failing to do so can result in serious fines, penalties and reputational damage, which may even mean closure of business for some organizations.

Organizations must ask themselves the following:

  • Is there alignment between my policies, employee/third party undertakings, cyber security awareness program and the Federal Laws?
  • Are people in the organization engaging in the download of illegal material and abusing the company’s technology assets?
  • Are people in the organization attempting or successfully compromising the security of systems/information within and outside my organization?
  • Are any of my systems compromised? Are they controlled by other people/systems to perpetrate attacks on systems within and outside my organization?
  • How well do we know our network traffic? Do we have effective monitoring and incident management procedures in place to adequately protect our technology assets?

Immediate actions organizations must take are:

  1. Boards and Audit committees must provide the necessary mandate and oversight and have cyber security as a key agenda item.
  2. Mature their policies and procedures and ensure compliance with Federal Laws.
  3. Strictly enforce policies and procedures, monitor compliance with them, and regularly review/update them to keep them current.
  4. Regularly update, educate and test employees and associated third parties that use the organization’s premises, assets and/or share information.
  5. Carry out detailed and continuous technology risk management, down to the asset level.
  6. Establish a cyber security program that encompasses the entire organization, taking into account customers, suppliers and other third parties. This must include all assets, whether physical or electronic, and must cover all technology and not just corporate IT systems. Areas such as Incident Management and Business Continuity must be consistently reliable and comprehensive, along with the associated links outside the organization.
  7. Define metrics that are meaningful and can help you (and the Board) monitor and manage your cyber security posture over time.