A glimpse into UAE laws
Jay Krishnan, Partner
Before you plan a visit to any country, be it for a short trip or to start a company, basic knowledge about the laws and regulations governing that place is a must.
UAE has issued several laws related to the economy, trade, trade license and investment since its formation in 1971. There are many local laws pertaining to alcohol consumption, dressing and public displays of affection as well. Expats should be aware of these as ignorance of the law will not be considered or accepted as an excuse in court and breaking the law will get you into legal trouble.
Federal Decree Law No. 11 for the year 2008 governs the labor rights of employees in the public sector; in the private sector, Federal Law No. 8 of 1980 is applicable. These laws oversee issues associated with working hours, vacation and public holidays, sick and maternity leave, employing juveniles, employee records, safety standards, termination of employment and end of service gratuity payments.
Generally, free zones are not governed by the UAE Labor Law as each free zone has its own employment law.
Commercial Companies Law
The law specifies that UAE should be the nationality of every company established in the country. All mainland companies are subject to Commercial Companies Law, whereas free zone companies are exempt from the provisions of this law. The new UAE Commercial Companies Law (Federal Law No. 2 of 2015) (“CCL”) came into force on 1st July 2015.
As per the new CCL, all companies with public accountability are required to use full IFRS as issued by the IASB. IFRS standards play a pivotal role in global financial reporting as they are being embraced by countries across the globe. Companies listed on NASDAQ Dubai, Dubai Financial Services Authority (DFSA), and Abu Dhabi Securities Exchange need to comply with IFRS standards.
Anti-Money Laundering law
Money laundering, illegal transfers of money and criminal activity are well monitored in UAE and the country maintains a strong Anti-Money Laundering (AML) system. To better scrutinize cash flows and combat terrorist financing, the government has taken various steps. This includes the enactment of Anti-Money Laundering law and the counterterrorism law. Two laws serve as the basis for the country’s Anti Money Laundering (AML) and counterterrorist financing (CTF) efforts: Law No 4/2002, the Anti Money Laundering law, and Law No. 1/2004, the counterterrorism law.
The Federal Bankruptcy Law (under the federal decree No. (9) for 2016) identifies various techniques to avoid bankruptcy cases and the liquidation of debtors’ assets, that include consensual out-of-court financial restructuring, composition procedures, financial restructuring and the potential to secure new loans with respect to the rules and regulations.
The landmark Federal Law No. 7 of 2017 (Law No. 7) issued by The United Arab Emirates (UAE) Ministry of Finance (MoF) “sets the foundations for the planned UAE tax system, regulating the administration and collection of taxes and clearly defining the role of the Federal Tax Authority (FTA).” The law deals with tax procedures, tax implementation, tax rates, tax obligations, cases of tax exemption, as well as procedures and rules of tax registration and cancellation.
There are many more laws in UAE and these are just some of the major laws that primarily concern businesses. It’s the responsibility of every one of us to follow and respect the laws of a country if we wish to live and work there.
Sign up for HLB HAMT insights newsletters
Taxation in UAE
Jay Krishnan, Partner
UAE is basically known to be a tax-free country, and this was true to a great extent until the introduction of value added tax (VAT). VAT was introduced in UAE on 1st January 2018 at a standard rate of 5 percent.
Apart from VAT in UAE, there are certain other forms of tax that one should be aware of.
Property tax/ fee
The property registration fee in UAE is 4 percent of the purchase price. For the commercial sector, this has to be paid by the buyer and an additional 5 percent VAT is also applicable. In the case of residential properties that are ready for occupation, as a general practice, the fee of 4 percent will be split 2 percent each between the buyer and seller.
However, the transfer of properties between close relatives is charged at a nominal value which ranges from 0.5 to 0.75 percent.
Excise tax is levied on specific goods that are harmful to human health or the environment. The excise goods that will be charged tax in the UAE include:
- Carbonated drinks
This includes any aerated beverage and any concentrations, powder, gel, or extracts intended to be made into an aerated beverage. Unflavoured aerated water is exempted.
- Energy drinks
Any beverages which are marketed, or sold as an energy drink, and contains stimulant substances that provide mental and physical stimulation or includes caffeine, taurine, ginseng and guarana, will fall in this category. Substances that have similar effects as the ones mentioned above and any concentrations, powder, gel or extracts intended to be made into an energy enhancing drink will also be levied tax.
Tobacco and tobacco products are also categorized as excise goods.
Rate of excise tax
The rates of excise tax in the UAE are:
- 50 per cent for carbonated drinks
- 100 per cent for tobacco products
- 100 per cent for energy drinks.
Excise tax is intended to reduce the consumption of unhealthy and harmful commodities. Businesses that are engaged in any of the below activities must register for excise tax:
- the import of excise goods into the UAE
- the production of excise goods, wherein the goods are released for consumption in the UAE
- the stockpiling of excise goods in the UAE in certain cases
Also, anyone who is responsible for overseeing an excise warehouse or designated zone i.e. a warehouse keeper should register for excise tax.
If you are on a vacation and planning to stay in any of the hotels in UAE, do not forget to check the tax charges. Certain restaurants, hotels, hotel apartments, resorts etc. in the UAE charge tax. Hotels in Dubai charge a ‘Tourism Dirham Fee’ per room per night of occupancy, and the price ranges from AED 7 to 20 depending on the category/grade of the hotel.
Whereas in Abu Dhabi, a fee of 4 percent of hotel stay bill and AED 15 per night per room will be levied.
In Ras Al Khaimah, hotels charge AED 15 tourism fee per room per night.
The UAE charges corporate tax on oil companies and foreign banks, and the rest of the industries are exempted. Companies functioning in UAE free zones don’t have to pay corporate tax for a specific period.
Unlike many other countries, UAE individuals are exempted from paying income tax.
If you are someone planning to start a business in UAE or going on a vacation to the country, basic knowledge of taxation is a must.
A guide for foreigners who aspire to set-up business in Dubai
Jay Krishnan, Partner
The city of Dubai doesn’t require any special introduction as it is one of the most popular places in the world. We all know the position Dubai enjoys as a tourist destination, but it’s much more than that. A fertile ground for new businesses, Dubai is any investor’s dream. Establishing your business in Dubai is not just easy, but highly profitable as well.
There are a couple of things that you should be aware of before you kick-start your business in Dubai.
Economic zone and ownership
Once you decide to setup your business in Dubai, the first step is to figure out the business zone that suits your company. One can choose from mainland, free zone or offshore, to establish their entity, all of which offer diverse advantages.
• Free zone
Free zones are the strongest pillars of UAE’s robust economy. They have been fruitful in attracting remarkable amount of foreign investment, generating thousands of jobs and facilitating technology transfer into the country. The business-accommodating laws, easier labour and immigration procedures and tax structures make these free zones the most sought-after business locations in UAE.
Dubai alone is home to more than 30 free zones, contributing significantly to the economy of the city. The free zones accounted for 32 per cent of Dubai’s total direct trade in the year 2015, driving about 500 billion AED of commerce. As per 2015 data, there were 20,000 free zone firms operating in Dubai, with 100 ‘Global Fortune 500’ companies having established their base in JAFZA.
A mainland company is an onshore company licensed by the Department of Economic Development (DED) of the related emirate. The companies registered in the UAE mainland can do business in the local market as well as outside UAE without any restriction.
An offshore company is a legal business entity that operates outside its registered jurisdiction for the purpose of legally minimizing tax payment.
Types of License
To conduct any form of business in the UAE, one must acquire a trade license. Licenses in Dubai can be divided into three:
- Commercial licenses covering all kinds of trading activity
- Professional licenses covering professions, services, craftsmen and artisans
- Industrial licenses for establishing industrial or manufacturing activity
Carrying out business without a trade license is illegal in UAE and is subject to penalties. In addition, the license needs to be renewed every year.
Starting a business in Dubai begins with selecting the category of business. There are more than 2,100 industrial, commercial, professional and tourism activities available in Dubai.
This is followed by finding the right legal form, which will depend on the business activity, location, the number and the nationality of owners and the ownership options. One will have to check the legal forms that match specific business activities.
A trade name that matches the kind of services the company offers, must be selected. The next step involves applying for an initial approval certificate, stating that Dubai DED has no objection in you starting a business.
Depending on the legal form of the company, a Memorandum of Association (MOA) will have to be signed by the partners and owner and, in some cases, a Local Service Agent (LSA) / Corporate Agent agreement will be needed between the company owner and the UAE national who is in charge of representing your business.
All businesses in Dubai should have a physical address. For this, a tenancy contract must be signed with the landlord and registered with Ejari.
Certain business activities demand special licensing approvals, apart from the one from DED. If your business activity requires additional approvals, the relevant government departments need to be contacted.
Non-UAE nationals seeking to establish an entity in Dubai mainland need to team up with a UAE national. The UAE national will own 51 percent of shares and the non-UAE national will own the remaining 49 percent. But of late, the UAE government has announced a new law that will permit complete foreign ownership in certain sectors selected by the government. This will come into force by the end of 2019.
The new law does not apply to free zones and offshores where 100% foreign ownership is already permitted.
UAE and its expat-friendly initiatives
Six-month Multiple Entry Visa and Permanent Residency
The UAE government has recently announced a six-month multiple entry visa for certain categories of individuals. Investors, talented individuals and outstanding students will be granted the visa and this gives them the opportunity to prolong their stay in the country.
The Federal Authority for Identity and Citizenship has activated 3 new services on its portal. All the services grant visa for a period of 6 months, with variations in the number of visits. Investors can make multiple visits to complete residency procedures with the help of a 6-month visa. In the case of entrepreneurs and outstanding students, several trips can be made with their 6-month visa to complete long-term residency procedures. Talented individuals will also be granted a 6-month visa, but the number of visits will be restricted to just one.
The new visa scheme will help individuals in identifying opportunities of their interest. An Emirates ID card will be issued by the ICA to the six-month visa holders that will help them complete procedures such as opening bank accounts, property registration and other transactions, easily.
People who fulfil the conditions for long-term residency can apply through e-channels and through their accounts on the system, without a six-month entry visa.
It’s been just a week since the scheme launched and ICA has already received 6000 applications from investors and entrepreneurs.
The government has also come up with a permanent resident system named ‘Golden Card’, for investors and for exceptional workers in the fields of health, engineering, science and art.
According to Sheikh Mohammed bin Rashid, “Gold Card permanent residence will be awarded to exceptional and talented individuals, and to whoever contributes positively to the UAE’s success story. We want those people to be permanent partners in our journey. All of the residents of the UAE are our brothers and part of our large family.”
The permanent residency scheme will be highly beneficial to the country and its property market. It will change people’s perception about UAE; they will start seeing the country as a home and not just a temporary plan.
Business Setup In UAE: What makes UAE the best location for your business
Lavin T K
Investing your time and money in something worthwhile, that can promise you higher ROI is really crucial. When it comes to investing for your dream business, the risk level increases. There are quite a few points that you must consider before you go ahead with establishing your business.
And, yes, location is a primary concern.
So, where do you plan to set up your company? If you are looking for a place that is progressive, has excellent infrastructure and favorable business regulations, then, UAE is the place for you.
We all are aware of the country’s evolution from an impoverished desert village to a sustainable city with excellent standards of living. The strategic location, world-class infrastructure, political and economic stability are some of the factors that attract people to UAE.
All these years UAE enjoyed tax-free living, and it’s only a year back that VAT got implemented. But the rate of VAT is one of the lowest in the world and it doesn’t affect normal life and businesses to a great extent.
So, after the initial confusion regarding in which country to establish your business, now it’s time to select the type of business structure. You are at the liberty to select from various structures like free zone, mainland and offshore.
While all these business forms offer numerous advantages, the one that best suits your nature of work should be taken into consideration. If you would like to reach out to the local market without the help of any distributor, then we would suggest Mainland.
UAE mainland opens door to a wider market by letting you trade with other mainland companies. Unlike free zones, you don’t have to go through the task of finding a local distribution agent and pay customs duty.
A mainland business license lets you work on government projects that are extremely profitable. Competition will also be less, as free zone companies are not provided with the opportunity to work for government entities.
Moreover, mainland companies are not subject to a minimum capital requirement, which makes the establishment even easier and more affordable.
Selecting the type of license is the first step in starting a business in UAE. You can choose from commercial, professional and industrial license.
Companies engaged in buying or selling of goods can opt for a commercial license. Entities involved in industrial and manufacturing activities, should apply for industrial license. And, professional license will be granted to service providers, professionals, artisans, and craftsmen.
Mainland Companies are of various types and their activities differ.
LLCs can conduct any industrial, commercial, professional and tourism business. In the case of public joint stock companies, any industrial, commercial or professional business activities can be practiced. But, a Private joint stock company can perform only commercial and industrial activities.
A branch of a local or GCC company can conduct activities included on the main company license and a branch of a foreign company can conduct only selected commercial and professional activities. When it comes to branches of free zone companies, commercial, industrial and professional businesses are permitted as long as the activity of the main company is authorized on the mainland.
The UAE government is constantly looking to ease the process of doing business in UAE. The recent amendments in policies prove the same.
Implications of VAT on New Entities in UAE
VAT challenges new entities in UAE face
VAT is a relatively new concept in UAE and hence it is imposing numerous challenges on entities. Organizations that have been functioning in UAE for quite a long time, have gradually got accustomed to the new implementation. But, that’s not the case with new entities.
A company should be able to identify whether it is required to register as per the mandatory threshold limit. The UAE VAT registration threshold is AED 375,000 per annum and for voluntary registration, the turnover should be about AED 187,500 per annum. In certain cases, new entities are not sure whether they should register from day one or whether they need to wait for the threshold limit.
A major challenge that companies face is that customers, bankers and free zone authorities ask for TRN number even before these entities get into the registration process. Even when it comes to importing products, businesses registered under VAT will have to provide TRN to the customs department. If TRN is found valid in the system of customs department, you do not have to pay VAT. But if you are not able to provide TRN, 5% VAT will be charged.
Once you get a TRN, the next step is to equip your business with correct accounting software, which is FTA accredited. The system should have the ability to automatically generate the FTA Audit File, VAT return file and VAT compliant tax invoices and credit/debit notes. Identifying proper software and customizing it in terms of VAT accounting will help you sort out complexities at a later stage.
If the software is FTA accredited and if it is able to produce reports as per the guidelines by the authority, then clients won’t face any issues in return filing and it will be error-free. Maintenance of proper records for a minimum period stated by FTA is equally important.
The pre-VAT era in UAE was simple in terms of banking transactions, as in there wasn’t too much scrutiny. But now, authorities such as FTA might check transaction details. If there has been a deposit or withdrawal, you should keep records of the same.
Another area that needs proper planning is VAT grouping. There may be 2 or 3 or even more companies that work as one, maybe under the same owner. They can opt for VAT grouping, which will allow them to be treated as a single person for tax purposes. The benefit is that transactions between these entities will be ignored and will be tax-free. On the other hand, if you register as different entities for VAT, one company will have to pay VAT and the other one will have to claim for it. This leads to confusion and complications. Registering as one will benefit the companies in terms of cash flow and it will be easy to comply with.
If you do not meet the threshold limit, and if you stop making taxable supplies, then you will have to apply for de-registration within 20 days. Failure to submit a deregistration application within the timeframe specified by the tax law, will result in a penalty.
Businesses will have to pay penalties if they violate any of the tax laws.
Hence, we would recommend you comply with the VAT laws and if you face any problem, it is always recommended to seek the help of a tax agent, who can take you through the entire process.
Technologies that Revolutionize Accounting Industry
Technology has had a huge impact on the accounting industry and it is revolutionising how accountants work. Missing out on the technology part can do real damage to your business and leave you out of the competition. We have witnessed the birth of various innovative technologies in the last couple of years, which have game-changing capabilities.
Blockchain is the latest buzzword in technology that has the potential to transfigure industries. Often called the “future of financial services information”, blockchain technology represents the next step for accounting. The advantages of embracing blockchain in accounting are many. The technology:
- Enables companies to write their transactions directly into a joint register instead of going through the process of keeping separate records
- Ensures that there is no chance of falsification or destruction of entries, as all the entries are distributed and cryptographically sealed
- Secures the integrity of records
- Leads to fully automated audits
- Reduces the cost of maintaining and reconciling ledgers
- Provides certainty over the ownership and history of assets
- Gives ample time to auditors to add more value to the company
Blockchain impacts all the functions within the record keeping process; the way transactions are initiated, processed, authorized, recorded, and reported.
Artificial Intelligence is a ground-breaking technology that has promising opportunities and is in fact taking over the world. The rapid increase in the use of artificial intelligence has been of great use to accounts payable process as well. The technology eases their work and accelerates and simplifies data-related tasks.
Artificial intelligence helps by:
- Handling most of the work related to payment initiation and matching of purchase orders
- Automating data entry and data categorization, leading to faster analysis of broad financial trends
- Pinpointing potential complexities in advance
- Facilitating decision making
- Delivering functions of higher value such as business strategy implementation and financial advising
AI technology has the capability to reshape accounting firms completely. It leads to a competitive advantage and enhances the overall productivity of an organization.
Cloud computing is “one of the most disruptive forces of IT spending,” which is expected to impact more than $1 trillion in information technology spending by 2020. Using cloud computing in accounting makes the process more flexible and it helps in giving real-time reporting and visibility throughout an organization.
With cloud accounting, data can be accessed from anywhere; all you need is an internet connection. Financial information is updated automatically via the cloud accounting software and the chances of error are minimal as account balances are always accurate.
Cloud accounting enables smooth and efficient management of multi-currency and multi-company transactions. It is highly accessible and at the same time affordable.
Embracing technology in accounting process has become more of a necessity and not just an option.
A Study on Cyber Attacks and Security
It takes decades to build a reputation and a few minutes of cyber security negligence to ruin it
Vimal Rama Chandran
When a business is at the peak of success and when you feel nothing can go wrong, you become the target of hackers and the business comes tumbling down like a house of cards. Or as in other cases, your company might be already on a decline phase, not being able to survive the tough competition in the market and to add fuel to the flame, you get attacked.
Yahoo is one such victim of a massive cyber-attack. All three billion accounts of Yahoo were affected by several security breaches in 2013 and 2014; but it took Yahoo two years to disclose the breach. Email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and hashed passwords of millions of users were stolen and the incident remains one of the biggest data breaches in history.
The cyber breaches resulted in a huge loss for the company and they had to agree to a settlement package that required it to pay a $50 million settlement to roughly 200 million people affected by the email service’s 2013 data breach. Yahoo’s UK wing was fined £250,000 by the UK Information Commissioner’s Office (ICO) for the 2014 breach.
The data breach adversely affected Verizon’s acquisition of Yahoo. The sale which was announced with a $4.8 billion price tag, was later on revised with a discount of $350 million, following the disclosure of cyber-attacks.
According to experts, Yahoo had ample opportunity to implement appropriate measures, and potentially stop customers’ data being compromised. But they failed to do so.
The world of cyber crime is vaster than ever and cyber attacks have become more of a sensitive issue, with companies losing not just their data, but money and fame as well.
The issue has become so crucial that companies, irrespective of size and reputation, remain at the mercy of hackers. Cyber attacks hit businesses almost every day. According to former Cisco CEO John Chambers, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked.”
Your data might be safeguarded with multiple layers of advanced security, but do not turn a blind eye to the fact that hackers are skilled masterminds. A small vulnerability in your computer system’s defences is all a hacker needs. They will find flaws in the code of a website, insert their own code and then bypass security or authentication processes.
Negligent employees are one of the primary causes of cyber security breaches at SMBs. Choosing an easy-to-guess password, or not changing the default password on something like a router, makes the job of a hacker easier and hassle-free.
Phishing, one of the oldest forms of cyber-attack, still remains the most widespread and dangerous. With phishing messages and techniques becoming increasingly sophisticated, even technical users find it extremely difficult to recognize them. The method involves extracting personal information under false pretences. A hacker will send you an email asking you to change your password. The mail might look so genuine and professional that you might actually end up changing your password without giving it a second thought. This is what happened in the run-up to the 2016 US election.
Russian hackers were constantly striving to get into major US institutions, including the White House and the state department. Their method was as simple as sending thousands of phishing mails, in the hope that at least one person would click on one. John Podesta, the chairman of Hillary Clinton’s campaign, fell prey to the tactics of the hackers. When he received the mail, he forwarded it to his chief of staff, who then sent it to the campaign’s IT team. Things took a U turn from here. The IT team mistakenly identified the email phishing for Podesta’s password as genuine and directed him to change his password. This resulted in Moscow accessing about 60,000 of Podesta’s emails. The hackers also breached the Democratic National Committee (DNC). The hackers didn’t have to rack their brains in this case; they rather played it smart.
Another common method of attack is a Distributed Denial of Service (DDoS), where a system is crashed by sending large amounts of traffic. In such incidents, users won’t be able to access the service, which results in revenue loss for the organization. If the service is essential, like in the case of a healthcare company, the consequences will be more than unpleasant. DDoS attacks have become bigger and more devastating than ever before. A Cisco report reveals that the number of DDoS attacks exceeding 1 gigabit per second of traffic will rise to 3.1 million by 2021.
The attack on GitHub in 2018, which led the development platform to struggle with intermittent outages for a brief period, is regarded as one of the world’s largest DDoS attacks. GitHub had to rely on its DDoS mitigation service, Akamai Prolexic, for support following the attack. Prolexic took over as an intermediary, steered all the traffic coming into and out of GitHub and sent the data via its scrubbing centers to remove and block malicious packets. After eight minutes, the attack dropped off.
Hacking takes various forms and malware attack is one among them. There has been an alarming growth in the number of malware attacks in the last couple of years; nearly 9.32 billion malware attacks were identified in the year 2017. You would have absent-mindedly clicked on a link to download a file, or opened an attachment that may look harmless, unaware of the hidden danger. The malware then takes control of your system, monitors your actions and sends confidential data from your computer to the attacker’s home base, without your knowledge.
Viruses, worms, Trojan horses and ransomware have the capability to wreak havoc across business, government and personal computers. The 2017 WannaCry incident, dubbed as the biggest malware attack in history, infected 230,000 computers across 150 countries. WannaCry is a ransomware that functions like a network worm and spreads rapidly across a number of computer networks. After attacking a system, it encrypts files on the PC’s hard drive and hence, users won’t be able to access it. Decrypting the files will require you to pay a ransom amount in bitcoin.
A security vulnerability in older versions of Windows paved the way for the attack. The National Health Service was the main victim of the attack, with 70,000 devices hit, including computers, MRI scanners and blood storage refrigerators.
Had it not been for Marcus Hutchins, a British web security researcher who stumbled on a kill switch by registering a domain name found in the code, the outcome of such an attack would have been much more horrendous. But, even before that, $130,000 had to be paid in ransom!
According to FBI reports, the number of ransomware attacks exceeds 4,000 per day, and 230,000 new malware samples are produced daily (as per other research agencies).
Not content with the current pattern of ransomware attacks, cybercriminals moved one step further by offering Ransomware-as-a-service, wherein they write ransomware code and sell or rent it to others. Even if a person is new to the world of cyber-attack or even if they lack the technical knowledge of how to create ransomware, they can launch attacks without much difficulty with this subscription-based malicious model.
Cyber-attacks are growing significantly, and so are the victims. A survey conducted by Symantec, which involved interviewing 20,000 people across 24 countries, revealed that 69% of them were prone to some form of cyber-attack. On average, 14 adults become the victim of a cyber-attack every second. The data gives us an insight into the seriousness of the issue. We know the method and frequency of cyber-attacks, but what is the motive behind these attacks? Is money the only concern?
There are several possibilities that drive people to commit such atrocious crimes. They might be young hackers who just want to show off to their friends, organised cyber-criminal organisations who might be after money, or criminals aiming at political manipulation. Data from Radware depicts the reasons why hackers hack:
• Ransom (41%)
• Insider threat (27%)
• Political (26%)
• Competition (26%)
• Cyberwar (24%)
• Angry user (20%)
• Motive unknown (11%)
Hacking for fun can be better explained with the example of Jonathan Jones, the first juvenile sentenced to serve a term for computer hacking. James entered the hackers’ hall of fame by hacking into NASA and Defense Department computers. He accessed the Marshall Space Flight Center in Huntsville, Alabama, and downloaded the proprietary environmental control software for the International Space Station, which controlled the temperature and humidity in the station’s living space.
While the above incident might sound like an immature teenager’s fun activity that went horribly wrong, some adults attack systems for personal gain. Kevin Lee Poulsen, an American former black-hat hacker, hacked into a Los Angeles radio station and blocked all the incoming calls. He took this extreme step to win a Porsche that the radio station was offering to the 102nd caller in a competition.
The rise in internet users has led to a significant growth in cyber-attacks. But that does not mean that the practice is new; its history can be traced back centuries. France was hit by the world’s first cyber-attack nearly two centuries ago. A national medical telegraph system that was created in the 1790s was attacked by a pair of bankers in 1834 to get a trading advantage in the bond market.
One of the first computer worms distributed via the Internet was the Morris worm or Internet worm of November 2, 1988. A graduate student at Cornell University unleashed a maliciously clever program on the Internet which soon started to propagate at an alarming speed. 6,000 of the approximately 60,000 computers that were then connected to the Internet were hit within a span of 24 hours. Files were not damaged or destroyed, but the impact of the attack was extremely powerful and emails were delayed for days. Some institutions had to stop using the internet for days. It was then that the world realized how important and vulnerable computers had become. Cyber security became a serious concern, which was evident from the creation of the country’s first computer emergency response team in Pittsburgh, just days following the attack. The incident served as a wake-up call for everyone across the globe.
The viruses and worms that attacked networks in the olden days have transitioned to something more powerful and challenging in the current era.
Cyber attacks can be categorized into five generations, with the first generation beginning in the 1980s. The process involved transferring files between stand-alone PCs using floppy disks. The attack by Elk Cloner, one of the first known microcomputer viruses, falls in this category. The virus, which was developed by a 15-year-old high school student, originally as a joke, attached itself to the Apple II operating system and spread by floppy disk.
In the mid-1990s the internet started to become popular and it soon gave rise to the second generation of cyber-attacks. Compared to the first-generation viruses, a much more malicious type of super-fast spreading worm took over, resulting in losses worth millions. Companies had to install firewalls, which helped in tackling the problem to a certain extent.
With the third generation came the demands for remuneration, and cyber attacks became more of a business, contrary to the previous generations that were more prank-oriented. Hackers started to exploit vulnerabilities in applications, as in the case of Love bug, a computer worm that attacked millions of Windows personal computers in 2000. The email message, which began with the words “Kindly check the attached love letter from me!”, launched the virus once you clicked on the attached file. The virus, which was regarded as one of the most aggressive and nastiest, would spread by sending itself to all contacts in the recipient’s email address book. Once embedded in a host computer, it had the capability to download more hazardous software from a remote website, rename files and redirect internet browsers.
The 4th generation of cyber-attacks began with Red October, an advanced cyber-espionage campaign that was aimed at global diplomatic and government institutions. Highly flexible malware was created by hackers to steal sensitive data and geopolitical intelligence.
Hackers started to embrace higher levels of sophistication in the 4th generation, which had large-scale financial and reputational impacts on the public.
Currently we live in the 5th generation of cyber-attacks, wherein attackers have started to use the latest technology to exploit vulnerabilities. The attacks can happen on networks, mobiles and even on clouds and are often large-scale, state-sponsored mega attacks.
Cyber-attacks are growing as rapidly as technological innovation, but how about cyber security? Are the current measures sufficient to combat attacks? Unfortunately, the answer is no. Many of the organizations use outdated security infrastructure and hence, aren’t equipped to handle these highly sophisticated attacks. According to a recent report, 97 percent of organizations are not prepared for these Gen V cyber threats.
First, you need to understand the fifth-generation threat scenario and then take appropriate measures to protect your system from attack. Unless you have protection that is updated according to the current trends, you won’t even be aware that your network has been hacked.
Cyber defence strategies to strengthen your business against any form of attack are not an option anymore; they have become mandatory. There are numerous ways to defend yourself and your company against an attack and among them Two Factor Authentication (2FA) is one of the simplest yet effective measures. Adding an extra layer of security, other than a single password to gain access to your systems, will help in minimizing attacks drastically. This can take various forms such as an OTP (One Time Password), fingerprint scan, voice recognition or a question and answer. The process promises excellent results without much expense or complication.
Phishing scams have become more sophisticated over the years and separating wheat from chaff is indeed rocket science. These mails look so authentic that they somehow convince the user to click on the link or open the attachment that comes along with them. So, the best thing to do is to ignore any such mail from an unrecognized sender, or any mail that asks for personal or payment details.
A skilled IT team that can defend your company and help you recover in case you become the target of hackers, is more than obligatory. They should be updated with current industry standards and must adopt new Tools, Tactics and Processes (TTPs) for defending the company’s network.
Not all employees within an organization are digitally skilled, and hence they are highly vulnerable. When you are not vigilant and are ignorant of the various ways in which your network can be attacked, the scenario becomes much more tense.
A risk mitigation strategy adopted by certain companies is to “do nothing – accept the risk.” “If business owners are not willing to take necessary steps or actions to fix the security risks, they should keep the fund ready for the expected loss”, says Vimal Rama, Director of Information Technology, HLB HAMT.
Companies invest tremendous amounts of money and resources into securing their networks, but when it comes to training their staff on the various aspects of attack and security, most of them lag behind. Security awareness programs will help you identify different target groups and methods, and they ultimately create a secure environment. Hackers will find it difficult to prey on employees’ ignorance once you are aware of the Do’s and Don’ts.
The rise in Internet-of-Things has posed many challenges to cyber security. On the one hand, your life has become quite easy, where you can control the devices at your house while sitting at your office, but on the other hand, the technology can cause serious threats to security. IoT increases the vulnerability towards a cyber-attack, which forces you to step up and take measures to secure your devices. You should test your infrastructure before and after integrating IoT devices, which will help you identify potential security flaws, if any. If you haven’t installed a reliable and effective firewall on your devices, it’s high time you did. Also, using an Intrusion Detection System, which will help in monitoring your networks, devices and systems for any suspicious activities, can help mitigate problems. To segment and limit the access privilege of certain devices, a device management tool can be of great help.
Secure Socket Layer (SSL), a standard measure for secure internet browsing, helps in data encryption. Only the intended user will be able to access the data, thus providing privacy, security and data integrity. It enables secure online transactions between consumers and businesses.
These emerging security technologies will ensure data security to a large extent, but what if your system gets hacked even after protecting it with numerous layers of security? Discovering a malicious attack is indeed a tough call; it might take days and even months to identify an attack.
Hackers won’t inform the victims about their attack; most of the time they carry out their activities without the knowledge of the user. But a hacked system or network exhibits many symptoms, and to spot them you need to be extra vigilant.
Look out for these signs to know whether your system has been hacked:
• High outgoing network traffic
• Annoying ads on display
• Pop-up messages
• Disabled security solution
• Unfamiliar icons displayed on your desktop
• Unusual error messages
• Control panel not accessible
• Suspicious shortcut files
The first few hours following the discovery of an attack will be filled with panic and confusion. You might be on the lookout for answers to various questions: When and how did this happen? Are the hackers still in our network? What will happen next? While it is human nature to freak out when a crisis like this occurs, it is your action that should speak. Some companies just pull the plug out of the socket to protect their system. But the question is, is that the remedy?
Once a hack has been confirmed, you need to act quickly and carefully since every second counts. Try to get in touch with the incident response team, which can be an in-house group or an external company, as early as possible. “The way you react to a disaster shows how well you are prepared for it”, says Rama.
A study by IBM & Ponemon Institute reveals that leveraging an incident response team significantly reduces the cost of a data breach – saving companies nearly $400,000 on average.
Verifying the attack involves identifying the systems that have been hacked, determining which IP addresses were used and confirming the type of attack. You should immediately warn other users on the network about the attack, so that it doesn’t spread. The infected computers should be isolated and the breach should be disclosed to necessary parties.
Even if you were able to overcome the consequences of a cyber-attack, there is no assurance that it won’t happen again.
UAE, KSA Double Taxation Avoidance Agreement in Force
The double taxation avoidance agreement between the UAE and KSA is in force now. The agreement, which was signed in May 2018, came into effect in April 2019, nearly a year later. This is the first agreement between two GCC countries and it is expected to ease the two-way investment flow along with boosting bilateral trade and economic ties. It will benefit individuals and corporates of these two countries.
Listed below are some of the key provisions of the agreement:
- Withholding tax won’t be charged on interest and service fees
- A cutback on the withholding tax rate on royalty payments
- A maximum 5% WHT on dividends
- Transfer of shares or immovable property won’t be exempted from non-resident taxation
It’s not just the natives of these two countries who can benefit from the agreement; even foreign national residents can make use of the provisions.
Residents covered by the double taxation avoidance treaty include any individual who is liable to pay tax by reason of domicile, residence, place of incorporation or place of management, corporate entities, sovereign wealth funds and similar government entities, and other individuals exempted from tax due to religious, educational, charitable, scientific or any other similar reasons.
According to the agreement, a company need not pay tax on profits in the other contracting state unless business activities are conducted there through a permanent establishment (PE). Revenue from services that are not delivered through a PE in the other contracting state should not be subject to WHT or any other type of tax in that state.
According to Younis Haji Al Khoori, under-secretary of the Ministry of Finance, the agreement is a vital move towards enhancing bilateral relations between KSA and UAE, especially in financial and economic spheres. “This agreement will contribute to a more flexible investment climate that will underscore the country’s position as a key destination for Saudi investments. It represents a qualitative leap forward in terms of the framework of financial, economic and tax cooperation between GCC countries,” said Al Khoori.
“These agreements contribute to the elimination of double taxation, facilitate cross-border trade and investment flows, and provide protection to taxpayers from direct and indirect double taxation. This in turn enhances the country’s investment climate and makes it more attractive as a destination for foreign investment,” he added.
Enhancing the productivity of your organization
Internal Audit, an integral part of every organization
Internal audit and risk advisory services have become an integral part of every organization’s core advisory requirements. It is imperative for organizations to have a productive internal audit and risk advisory function that consistently contributes to business performance.
Why internal audit?
Every entity, whether a conventional for-profit organization, a government entity or an NGO, has two things in common with the others. Each aims to achieve some specific organizational objective, and each is governed at the very top by owners, shareholders or a board.
The people at the top have two critical roles: one is to provide oversight and direction to the organization, and the other is to identify and manage risk.
Why HLB HAMT?
Internal audit and risk advisory are continuously undergoing change and we at HLB HAMT are drivers of this change.
To our clients, we are trusted advisors, analysts, explorers, reporters and problem solvers. This is what differentiates us from others. Our audits are objective and fact-based, and there is no room for any sort of bias. We focus only on the issues and the risks that arise out of these issues.
Our auditors focus on process improvement rather than compliance, because we believe that compliance to a process is not an end in itself.
We deploy more auditors in the field and offer a wide bandwidth to our clients. Our access to the HLB International resource pool gives us access to global best practices across several industries.
Within the internal audit spectrum, we provide numerous services such as IA outsourcing, IA co-sourcing, forensic audit, policy drafting and compliance audit.
We have an excellent bunch of auditors in terms of academic excellence and professional experience, who believe in the use of technology for project management and documentation. We offer services across diverse industries that include manufacturing, trading, retail, facilities management, real estate, food and beverage, pharmaceutical and financial services, across Dubai, UAE.
HLB HAMT offers wide cross-functional experience, and our specialization starts right from the top, where we help organizations with the audit of corporate governance and policy formation. We follow a risk-based internal audit procedure: there is a risk assessment, risk testing, a risk review with the auditee and an internal risk review with our team. Prior to preparing internal audit reports, we hold discussions with the auditee and give heed to their inputs. This results in process improvement.
We believe in being an organizational improvement partner and not just a compliance checker.