Increased growth and business activity from fintech organisations, private equity firms and sovereign wealth funds, and governments committed to complex, capital-intensive “mega-projects,” present the Middle East as an increasingly attractive target for cyber criminals. Yet, insufficient cybersecurity readiness and resiliency across the region in the face of threats like data breaches and ransomware is concerning. The Middle East has maintained its second place in the global ranking for the second consecutive year in terms of the total cost of data breaches: USD8.07 million.
The aspiration to transform the Middle East into a global hub for sectors such as finance, energy and transportation is evident through initiatives like Saudi Arabia’s Vision 2030, Abu Dhabi Economic Vision 2030 and Oman Vision 2040. To successfully achieve these ambitions, countries and businesses must adopt international cybersecurity best practices not only for themselves, but also for their supply chains and third-party vendors. Threat actors will not pause their activities while these strategic plans unfold, and without the necessary security and preparedness measures in place, cyber risks will threaten the vitality of key sectors and the overall economic growth of the region.
Organisations should start mitigating the risks from cyber attacks by adopting a holistic approach to cybersecurity. Vulnerabilities extend across all departments of an organisation, so awareness and engagement should as well, instead of just residing in the offices of those nominally responsible for responding to attacks: general counsels, chief information security officers (“CISO”), chief risk officers (“CRO”) and the heads of IT departments. Effective companies implement a holistic approach in four key ways: developing a comprehensive cybersecurity strategy; focusing on the basics; accounting for relevant regulatory requirements; and developing and implementing an incident response plan.
Develop a Comprehensive Cybersecurity Strategy
Implementing a comprehensive cybersecurity strategy requires taking a long-term, multidimensional view, beginning with evaluating the organisation’s overall cybersecurity maturity while scrutinising policies and procedures. Regular assessments systematically evaluate systems for irregularities, inconsistencies and anomalies that could potentially expose the organisation’s network to security vulnerabilities. Cybersecurity risk is perpetual, with threats continually evolving, meaning there is no ultimate state of “completion.” Once established, a cybersecurity strategy should undergo regular reviews and updates to its control, programme and risk frameworks. The strategy should align with external threat assessment and management standards, such as those outlined by NIST or CIS.
Focus on the Basics
Once proper planning is in place, organisations can address cybersecurity training and procedures with everyone from executive suites to frontline employees. Employees should be educated on the organisation’s overall strategy and receive regular security awareness training on how to spot phishing emails, the importance of using strong passwords and the proper procedures for handling sensitive information. Basic cybersecurity protections, such as multifactor authentication (“MFA”), should be implemented wherever possible. Organisations should regularly patch and update software, operating systems and applications, making it more difficult for threat actors to exploit known vulnerabilities in software systems.
Account for Regulatory Requirements
These strategic and tactical efforts need to evolve with relevant regulatory regimes, as governments take steps to refine and strengthen their own cybersecurity strategies. To ensure compliance and avoid penalties, organisations should account for applicable regulations, including laws on data protection, and track the activities of regulatory bodies like the National Cybersecurity Authority (“NCA”) in Saudi Arabia or the Cyber Security Council (“CSC”) in the UAE.
Develop and Implement an Incident Response Plan
Finally, developing an incident response plan with a well-structured map of critical systems and data repositories, a clear delineation of responsibilities and roles and a precise understanding of where the organisation’s most valuable assets lie is essential. The plan should seamlessly align with an organisation’s comprehensive cybersecurity strategy and receive buy-in from all relevant stakeholders. It should cover the identification of the incident, containment of the threat, eradication of the cause, and the recovery of systems and data. If applicable, include any cyber insurance the company may hold. To create a continuous cycle of assessment and improvement, an incident response plan should encourage an organisation to learn from an incident by fortifying defenses to prevent future attacks.
Organisations in the Middle East must take decisive actions in response to the escalating threat of cybercrime. In the spring of 2023, the Council of Arab Foreign Ministers of the Arab League achieved a pivotal milestone by establishing a Council of Ministers for Cybersecurity. This initiative brings together relevant government bodies across the Middle East and North Africa (“MENA”) region with the shared mission “to develop and strengthen cooperation and coordinate efforts between Arab countries in all aspects related to cybersecurity issues.”1 Cyber attacks transcend individual organisations, posing a threat to the broader economic stability and growth aspirations of the Middle East.2 Organisations must step up to confront this challenge, securing their digital landscape and ensuring prosperity for the region.2
