The Middle East is a complex mix of developed and developing economies, with varying levels of infrastructure deployment and ICT connectivity. Compounding these variances are the geo-political overtures present in the region, which create a patchwork of allies and adversaries in a concentration that is probably not found anywhere else on the planet.
Security experts understand that contextualisation is the first and most crucial step towards an effective and actionable cyber programme. An entity cannot defend itself from what it does not understand, and so it is crucial it familiarises itself with its cyber risk profile before any management of the risk can begin in earnest. This involves the entity understanding its assets, its vulnerabilities, the full range of threats it may face, and the capabilities of those threats.
Once the entity has a firm handle on its risk profile it can then move to take appropriate steps to implement a cyber security programme, which is effectively a three-part process encompassing visibility, intelligence and integration.
Visibility means truly understanding the assets, configurations, and users of the entity’s network, systems, information, and its current state. Intelligence helps an organisation understand the threats it faces as well as the capabilities, motivation, and resources of the potential attacker. Integration aggregates the information found in the other two phases, and displays it in a format that can be readily understood by decision makers to enable them to act quickly.
These three steps are best undertaken by a cyber security specialist that is based in the region and understands that the success of a sustainable cyber security posture often depends on more than just technology, people, and processes. A deeper understanding of cultures, individuals’ risk profiles, and the regulatory and governance environment must also be factored in.
The Middle East region appears to be well on its way to accepting the intangible yet significant value of localised cyber expertise. And for good reason. According to a report recently published by PwC, companies in the region suffered larger losses than other places last year as a result of cyber incidents: 56 per cent lost more than US$500,000 compared to 33 per cent globally, and 13 per cent lost at least three working days, compared to nine per cent.
While important for framing the scale and scope of the cyber threat landscape in the region, these statistics ignore the impact to reputation, which can be not only significant but also lingering.
The PwC report goes on to highlight that businesses in the Middle East are also more likely to have suffered a cyber breach, compared to the rest of the world (85 per cent of respondents compared to a global average of 79 per cent), with 18 per cent of respondents in the region having experienced more than 5,000 attacks, which is higher than any other region, and compares to a global average of only nine per cent.
The report concludes by suggesting that organisations in the region would be more resilient in the face of cyber risks, and would be better placed to exploit the potential of new digital technology if they approach cyber on the following basis:
• It’s a business issue, not an IT issue, and needs to be managed as such
• It’s a Board-level issue, and those on the Board need to understand it, be trained on it, and actively oversee it
• It’s an end-to-end issue that brings in functions like Legal, Communications, Crisis Management, Human Resources, and Risk within the business, as well as suppliers outside.
True cyber resilience will only become sustainable in the Middle East should it be tailored, and this is why we believe expertise for the region, based in the region, is integral to this development.