With technology advancement high on the GCC governments’ agendas, countries in the region are increasingly investing in smart, technology-enabled ways of living and working. The social infrastructure, financial sector, manufacturing industries, government services, schools, and hospitals in the region are gradually increasing their reliance on technology and the internet. This may expose them to significant risks online, emphasising the need to develop effective cybersecurity strategies at a local and regional level.

Perpetrators of cybercrime may exist anywhere: they can be unknown parties based in other continents infiltrating networks, hacktivists trying to further a political agenda, or unscrupulous employees wreaking havoc in-house. Threats are not limited to sectors such as IT and banking. In retail, for instance, hackers can go as far as discovering a company’s details on supplier costs, enabling a competitor to underbid for contracts.

Recent high-profile attacks, such as those on the Bangladesh Central Bank, the Panama Papers, and the Ukraine power grid, have heightened cyber-risk awareness among companies around the world. Closer to home, two leading banks in the UAE and Oman saw their cards being used to steal over $45 million from ATMs in more than 25 countries; Saudi Aramco, which saw 35,000 of its computers affected by the cyberattack in 2012, was recently on high alert again for another possible attack.

What is also concerning is that cyberattacks have moved on from having the intention of shutting down systems or stealing data or money. Last year, a petrochemical company’s plant in Saudi Arabia saw systems being compromised maliciously, with the intention of derailing operations and inflicting physical damage to the surroundings.

This level of sophistication and the dangerous intent some hackers have are prompting more organisations to assess their own internal cyber-security frameworks. Organisations are realising that compliance-oriented risk assessment and “ticking-the-box” defence mechanisms are no longer going to keep hackers at bay. Business processes may need an overhaul to ensure an optimum level of cyber security. At the most basic level, cyber security needs to be embedded into the very culture of businesses, with strong commitment from the board.

Traditional ways of looking at cyber security, i.e. solely through an IT lens, may no longer deliver the desired level of preparedness. The current state of affairs calls for an organisational shift that moves the cyber security function to a wider level in the organisation.

Many companies and governments are also looking at how they can use Artificial Intelligence and machine-learning technologies to improve trust and security in business transactions. This will be critical in the future, especially as GCC nations progress their smart city programs.

At the national and regional level, governments may wish to stress the need for cyber-related legislation, cyber-security education in schools, an information-sharing platform for cyber threats, and a broader governance mechanism to evaluate the effectiveness of cyber-security efforts. Some nations have already initiated actions. The UAE, for example, has set up the National Electronic Security Authority (NESA) to develop, monitor and supervise the implementation of cyber-security standards across the UAE’s critical information infrastructure. NESA aims to provide a robust collaboration platform for organisations to share their risk and incident data without divulging any confidential attribution.

Saudi Arabia also recently announced its plans to establish the Presidency of State Security, the new state security agency responsible for counter-terrorism, domestic intelligence and cyber security. The authority seeks to enhance the country’s cyber readiness by developing and formalising a national cyber security framework and strategy. Similarly, Bahrain recently announced the establishment of the Central Agency for Information (CAI), in order to prepare a national strategic plan for integrated electronic security.

Cyber threats tend to grow more sophisticated every day. While investing in prevention is imperative, it would be prudent to be prepared to face an outright attack. A reliable cyber insurance service may help organisations to minimise damage in case of data loss, identity theft and operational interruption. With their capabilities of forming a tight loop from detection to response, to prediction and finally prevention, cyber insurance services can provide organisations and governments with the ammunition to respond to some of the most sophisticated challenges.

— Shadab Nawaz is Head of Cyber Security at KPMG in the Lower Gulf.