Middle East Cyber Resilience
Opinion: The State of Cyber Security in the Middle East
Cecilia Limonta works with some of the industry’s leading practitioners and leads the production of high-level cyber security events across the world. Here, she gives us her thoughts on how the Middle East is reacting to the challenges of staying cyber resilient in today’s world.
Over the last few years, the Middle East – especially the Gulf Cooperation Council Member States – has become a very inviting target for perpetrators of cyber-attacks. These have typically been carried out by hackers targeting critical infrastructure, primarily the oil and gas sectors along with other key industries, such as utilities and chemicals.
As a result, awareness levels are increasing, and the market for associated cyber security services is expected to grow from USD 11.38 billion in 2017 to USD 22.14 billion by 2022, representing a growth rate of 14.2%. According to a report carried out by the firm Research and Markets, this growth will come from the adoption of integrated next generation security solutions and rising demand for cloud-based security solutions.
It is of paramount importance that large enterprises look beyond themselves when it comes to up-to-date cyber security strategies and also consider the SMEs in their supply chain.
These need to be integrated in a comprehensive corporate risk strategy that sees all departments involved and places employees at the core – humans have been widely recognised as the weakest link in terms of enterprise security and need to be educated accordingly. Enterprise-wide, tailor-made training programmes need to be set up, and awareness regarding advanced and sophisticated cyber threats must be raised throughout the whole region. To this end, governments need to play a role in designing funding programmes as well as investing directly, as budget constraints and the high cost of innovative security technologies are hampering progress.
Alarmingly, both the sophistication and the frequency of cyber-attacks have been growing over the last year. Interruption of operations, infrastructure damage and customer data theft are only a few examples of what a cyber-attack could entail, and the consequences range from loss of revenue and loss of IP to losing customers. Attacks on critical infrastructure could easily have damaging physical consequences too. Secondary costs could include legal costs of litigation, regulatory investigations and penalties, as well as major falls in stock prices.
One thing is crystal-clear: in this part of the world, cyber-attacks have a devastating impact not only on businesses, but on national economies as well, since these are poorly diversified. Just think – in Saudi Arabia, the largest economy of the peninsula, the oil sector accounts for roughly 60% of GDP. Another reason why cyber-attacks are so disastrous in the Arab Peninsula is that the security measures adopted by public and private sectors are not keeping up with the fast digitisation taking place.
In a move that acknowledges the volatility of the status quo, many countries have started to prioritise the development of high-skilled, service-oriented private sectors. Pivotal to this transition is the growing adoption of disruptive technologies. “In 2017, cyber is business, and business is cyber – that requires a different conversation, and very different outcomes. Relentless improvement is required and that should be measured via efficacy, cost, and well managed risk,” commented Shukri Eid, Managing Director – East Region of Cisco Middle East.
Particularly striking is the 2017 FM Global Resilience Index, which ranked 130 countries on indicators including resilience against cyber-attacks, natural hazards and supply chain failure. In terms of vulnerability to cyber-threats, Middle Eastern countries including the United Arab Emirates, Saudi Arabia, Qatar and Azerbaijan feature among the top five countries with inherent cyber-risk well above average.
Governments have acknowledged the need for tougher information security policies as well as furthering awareness of security threats, but efforts are being slowed down by the lack of cohesive and consistent national and supranational policies and legislation. On the one hand, the need for establishing a common framework with overarching security standards and principles is now more urgent than ever before; on the other hand, it is imperative for countries and businesses to switch from a reactive approach to cyber security to a proactive one. To achieve resiliency on a national scale, development of government strategies must go hand in hand with changes in corporate strategies and culture.
Last year’s PwC Middle East Cyber Security Survey outlined many of the region’s frailties and stressed that Middle Eastern companies do invest in security technology, and other things such as cyber insurance; however, these are often not supported by the people, processes and governance required. In addition, cybersecurity in the region is connected to issues such as socio-economic challenges and regional and transnational terrorism. Terrorists have started to employ hackers to conduct their operations and the only way to fight cybercrime effectively is for all key stakeholders to collaborate and adopt a unified approach on a supranational level. UN Group of Governmental Experts member, Dr Sameh Aboul-Enein, commented that “through an examination of the threat that cyberattacks pose to both national and individual security, it can be said that there are four ways to address the problem of cyber threats: capacity-building, diplomacy, legislation, and the establishment and implementation of appropriate norms.”
On the same note, Sevag Papazian, a Principal with Strategy& in Dubai, argues that “governments in the region have to act quickly in establishing foundational capabilities across all critical information infrastructure organizations. National governance models must be enacted to make sure efforts are coordinated across various agencies. But governments alone will not be able to drive such a massive endeavour. Partnerships, especially with private-sector partners to deliver training, services and solutions across organizations, will be fundamental to deliver any successful cybersecurity strategy.” There are many initiatives already in the pipeline, but more substantial improvements, investments and partnerships are needed to uplift the region’s cyber capabilities and secure it as a whole.