The First IT Policy Compliance Certificate in Libya
As we continue to present the Essays of the Foundation, reflections and ideas from our team and management, during Cybersecurity Awareness Month (October) each year, we consistently strive to take the initiative and to open new paths within our available means and capacities.
In light of the growing wave of cyberattacks targeting Libya in recent years, we noted that the National Information Security and Safety Authority (NISSA Libya) had issued its public and advisory policies about six years ago, followed by the National Cybersecurity Strategy in February 2023.
That’s when the lightbulb went on.
Since many policies and strategies in Libya remain inactive — locked away in drawers and cabinets — we decided, in a pioneering and leading step, to take the initiative in May 2023 to begin working toward compliance with the national standards and policies.
And to be completely honest, the journey from May 2023, when we received the first questionnaire, until March 2024, was extremely difficult, exhausting, painful, and costly — in every possible way.
Referring to the point in the National Authority’s strategy which emphasizes “promoting awareness through all means”, and from our belief that we should lead by example by implementing the policies rather than just promoting them, we decided to pursue a Libyan Compliance Certificate — and sought the support of all our private-sector partners.
We encountered many challenges but managed to solve them faster than expected — a surprise even to us — which boosted our confidence that the goal was achievable.
One of the authority’s requirements was to raise staff awareness, and we found that Libyan Spider offered an awareness program developed by Kaspersky, which they generously provided to us free of charge as an in-kind contribution.
We were also required to have a local backup, and Modern Systems Technology (MST) stepped in to provide us with the necessary equipment and servers.
For secure and dedicated internet access, including controlled permissions and access firewalls, we received support from Al-Hadatha for Communications and IT.
What truly saved both time and costs was the Microsoft 365 suite, which Microsoft had provided us free of charge several years ago — a contribution of great value. We then sought help from experts in Microsoft technical and security solutions — Tazamun Integrated Solutions — whose team dedicated their time and effort to implement:
- Data Loss Prevention (DLP) measures,
- Privacy policies,
- System analysis,
- Device ownership and identity security,
- and many other controls that raised our overall cybersecurity compliance score from 40% to 72% — the highest possible rating.
This, of course, caused some discomfort and resistance to change among staff members, but they rose to the challenge responsibly and professionally.
It was a massive effort involving numerous tasks, recommendations, and inevitable mistakes — from something as simple as a lock screen timer exceeding one hour (counted as a violation), to encrypting backups, defining admin and user privileges, controlling paper printouts, securing sensitive documents, and ensuring off-site backups.
Some people thought what we did was just a marketing exercise or publicity stunt.
No, dear reader — this was the result of the work of over 40–50 engineers, specialists, technicians, members, and consultants, verified through a 300+ page audit manual from the Authority, and even on-site inspections where the auditors refused to drink our coffee or accept any form of courtesy hospitality.
I still recall one particular session when I was asked to step out of the office so the auditors could interview our staff privately — to verify whether our statements matched our actual operations. It felt almost like an interrogation (haha).
To this day, we update our systems daily and stay ready for any unannounced visit from the NISSA team, who reminded us that our certificate is valid for three years — but may be revoked at any time if they find violations or breaches of the approved policies.
There are no weak passwords in our systems.
There is no pirated software on our devices.
No suspicious applications are allowed to enter our network.
We continuously update our systems and strive to meet the highest standards.
This does not mean we are immune to hacking, data loss, or service interruptions — but we hope we have risen to implement the strictest standards of the National Information Security and Safety Authority’s policy manual, and we genuinely hope that many other institutions and companies in Libya will follow this path.
Do not underestimate the words “Information Security.”
They are not simple or cheap. The systems are not easy to implement, and raising awareness among employees — from the lowest level to top management — is an extremely costly process.
Reaching this level of compliance was only possible through God’s grace, and the support of our partners, members, and allies.
The success we achieved is satisfying, but maintaining it demands daily effort from us and our partners: continuous learning, updates, purchasing new equipment, developing software, and improving practices.
These simple reflections summarize the journey of the IT Unit at the Libyan Technology Foundation.
Until the next article —
I salute you all and wish you success in your work, whatever your field may be.