Middle East firms need to focus on people to fight cybercrime

Brid-Aine Parnell

Thursday 21 December 2017

Companies in the Middle East still believe that cybersecurity is an IT issue, which means a lack of leadership from the board and a lack of training and awareness for employees. But no amount of investment can take the place of a strategy that works across the company for every worker.

Middle East companies pour billions into cybersecurity, but despite their efforts, the region is attacked more than any other worldwide.

According to PwC’s 2016 Global State of Information Security Survey, Middle East firms suffered larger losses than other regions from cyber incidents – 56 per cent of them lost more than $500,000 compared to 33 per cent globally, and 13 per cent lost at least three working days.

Not only are they being harder hit, companies in the region are also more likely to suffer cyber incidents compared to the rest of the world – 85 per cent of respondents said they had had some intrusion compared to the global average of 79 per cent.

Targeting the Middle East

A combination of factors makes the Middle East a rich target for cybercriminals. Economies are booming and there is high internet penetration and mobile usage. There is also a greater prevalence of malware in the region and there are more fax-based scams than are typical elsewhere, which are very difficult for businesses to track.

But Middle East firms and government bodies aren’t sitting back and doing nothing – they are aggressively investing in cybersecurity. The regional market for cybersecurity is expected to grow from $11.38bn in 2017 to $22.14bn by 2022, according to Research and Markets. This growth includes funding for cloud security and managed security services partnerships to source the technology needed to combat malware, ransomware and advanced persistent threats (APTs).

The problem is that neither investment nor technology alone can combat cybercrime. Cybersecurity requires a company-wide strategy, powered and championed by the board, and visible to every employee.

“Companies in the Middle East are in the top 10 in the world in terms of their investment in cybersecurity technology, but in the bottom 50 for education and training in this area,” PwC stated. “This is where companies in the region could be focusing their efforts.”

Cyber strategy from the top down

In many cases, employees in Middle East firms are unaware of their company’s cybersecurity policy, privacy regulations or good practices. Only 37 per cent of the region’s respondents to PwC’s survey have a comprehensive security and training awareness programme, compared with 53 per cent worldwide, and only 32 per cent require employees to complete training on privacy policy and practices.

This lack of emphasis on training and education may stem from the ongoing view of management that cybersecurity is an IT problem confined to that department.

“Current security models are minimally effective against cybercriminals; the key to addressing these risks starts by recognising that cyber threats are in fact not a technology problem but rather a business risk with strategic implications,” said Fadi Mutlak, partner in charge of Cyber Risk Services in Deloitte Middle East, when announcing the Deloitte/Symantec Cyber Security Alliance.

Companies need to realise that cybersecurity only works if it is executed across the business, not siloed in the IT department. Cybersecurity has to be governed like any other business risk, all the way from the board down and across the firm.

“While this is becoming the norm elsewhere in the world, it is not yet the case in most parts of the Middle East,” PwC stated. “Only 56 per cent of respondents in the region have an executive champion in this area, compared with a global average of 73 per cent.”

According to Sam Olyaei, senior research analyst in the Risk and Security Management group at Gartner, the Middle East is at a crossroads in cybersecurity practices. “Technology investments [need] to be augmented with a combination of agile people, repeatable process and, most importantly, a realistic security strategy plan that takes into account the preceding factors.”

The talent gap

Companies in the region must also face the same challenge that’s occurring worldwide: the lack of cybersecurity talent.

“CIOs in the region see talent (especially in security and risk) as significant barriers to achieving their objectives,” Olyaei said.

However, the same factors that make the Middle East rich pickings for hackers also give it the potential to be able to meet the shortage of cybersecurity professionals with homegrown talent.

“A reset of focus is required and alternative practices need to be adopted in cybersecurity talent management,” Olyaei said. “The Middle East is poised to be in a position to pump out the future generation of cybersecurity leaders through its urban adoption of emerging technologies that continue to shape up the future of cybersecurity. But money isn’t the solution. Commitment, persistence and a digital collaboration platform is your ticket to the future.”

The key to cybersecurity in the Middle East isn’t money (although investment is still needed) – it’s people. Companies in the region need to find the right talent to fill cybersecurity posts, but perhaps more importantly, they need to make cybersecurity the purview of everyone in the office, to a certain extent. A well-trained, cyber-aware workforce under the governance of a clued-in management will do more to combat cybercrime than an army of experts siloed in the IT department or a billion-dollar investment.