The Middle East features a complex mix of developed and developing economies, with varying levels of infrastructure deployment and ICT connectivity. Compounding these variances are the geopolitical overtones present in the region, which create a patchwork of allies and adversaries in a concentration that is probably not found anywhere else on the planet.
Security experts understand that contextualization is the first and most crucial step towards an effective and actionable cyber program. An entity cannot defend itself from what it does not understand, and so it is crucial it familiarizes itself with its cyber-risk profile before any management of that risk can begin in earnest. This involves the entity understanding its assets, its vulnerabilities, the full range of threats it may face, and the capabilities of those threats.
Once an organization has a firm handle on its risk profile, it can then move to take appropriate steps to implement a cybersecurity program, which is effectively a three-part process encompassing visibility, intelligence and integration.
Having visibility means truly understanding the assets, configurations, and users of your network, systems, and information, along with their current state. Intelligence helps an organization understand the threats it faces as well as the capabilities, motivation, and resources of the potential attacker. Integration aggregates the information found during the other two phases and presents it in a format that can be readily understood by decision makers, enabling them to act quickly.
These three steps are best undertaken by a cybersecurity specialist who is based in the region and understands that the success of a sustainable cybersecurity posture often depends on more than just technology, people, and processes. Cultures, individuals’ risk profiles, and regulatory and governance environments are all factors that need to be understood in depth.
The Middle East region appears to be well on its way to accepting the intangible yet significant value of localized cyber expertise, and for good reason. According to a report recently published by PwC, companies in the region suffered larger losses last year as a result of cyber incidents than companies elsewhere: 56 percent lost more than $500,000 compared to 33 percent globally, and 13 percent lost at least three working days, compared to nine percent.
While important for framing the scale and scope of the cyber-threat landscape in the region, these statistics ignore the impact on reputation, which can be not only significant but also lingering.
The PwC report goes on to highlight that businesses in the Middle East are also more likely to have suffered a cyber breach, compared to organizations in the rest of the world (85 percent of respondents compared to a global average of 79 percent), with 18 percent of respondents in the region having experienced more than 5,000 attacks, which is higher than any other region, and compares to a global average of only nine percent.
The report concludes by suggesting that organizations in the region would be more resilient in the face of cyber risks, and would be better placed to exploit the potential of new digital technology, if they approach cyber on the following basis:
- It’s a business issue, not an IT issue, and needs to be managed as such
- It’s a Board-level issue, and those on the Board need to understand it, be trained on it, and actively oversee it
- It’s an end-to-end issue that brings in functions like Legal, Communications, Crisis Management, Human Resources, and Risk within the business, as well as suppliers outside.
True cyber resilience will become sustainable in the Middle East only if it is tailored to the region, and this is why we believe expertise for the region, based in the region, is integral to this development.