Dubai: The Middle East takes an average time of 260 days to identify and contain a data breach, the highest in the world, an industry analyst said on Monday.

Sam Olyaei, principal research analyst at Gartner, said that it is due to the lack of skilled security professionals.

“The ongoing skills shortages are driving demand for security services, particularly security outsourcing, managed security services and security consulting. The skills shortage may expose organisations to undue risk that increases the likelihood of a breach,” he said.

Add to this the time it takes to detect the incident, which allows hackers more time to do the damage, he added.

“[The] number of attacks are down year-on-year but a number of publically disclosed attacks have increased. Organisations are facing challenges from regulatory authorities in the Middle East and North Africa to comply with certain security controls in order to keep the entities protected,” he said.

Moreover, he said that GCC is the third-highest spender on security after North America and China, but chief information officers (CIOs) and chief executive officers (CEOs) are spending their money on the wrong things, such as futuristic technologies, as opposed to focusing on basic infrastructure.

GDPR’s effectiveness

“Privacy regulations are going to increase, especially in this region, with EU’s General Data Protection Regulation (GDPR) taking effect,” he said. “The GDPR has created an impact on organisations and pushed organisations to realise that a lot of basic security and privacy controls around customers and business partners are not adequate.”

GDPR is a law imposed by the European Union (EU) to safeguard personal data and it sets out key rights for individuals, one of which is the right to be informed of what personal data a company holds on them. Among other rights, the law gives individuals the right over their personal data and its usage. It went into law from May 25 this year.

A company is required under GDPR to reveal a breach in 72 hours through the proper channels or penalties for non-compliance could cost organisations upwards of €20 million (Dh84.56 million) or 4 per cent of yearly worldwide revenue, whichever is higher.

“There has been an awareness of GDPR and businesses are spending more to comply with the regulations,” Olyaei said. “British Airways and Facebook did that recently after the data breach. So, it has an impact. If the rules were not there, BA and Facebook would not have released the information within 72 hours.”

But, he said the problem is for regions like the Gulf Cooperation Council (GCC).

Political conversation

“How much jurisdiction does the EU have in the Middle East? That is a political conversation. Since the GDPR came into effect, we haven’t seen any regulatory audit from the EU into the Middle East. We don’t know how it would work from an enforcement point,” he said.

Aleksandar Valjarevic, head of Solution Architecture at Help AG, said that it is difficult to comment on how enforcement of GDPR regulations could work in the Middle East.

“What we can say is that any organisation that operates in the EU or intentionally and knowingly processes data of EU citizens and residents would fall under auspices of GDPR and can be fined by the EU authorities,” he said.

Can the EU authorities enforce GDPR in the Middle East or fine a UAE company?

“We don’t know yet. What they can say is that if a UAE company does not comply with the rules, they may not be allowed to operate in the EU,” Olyaei said.

He said that his personal opinion is that every country should have its own privacy regulations much in the same vein as GDPR. However, Valjarevic said that each country has its own political landscape, reputation and appetite.

“But we can see that after the introduction, we are seeing that many different countries have introduced similar regulations. For example, California has come out with its own regulations in the last couples of weeks and we are seeing movement in Singapore and the US,” he said.

In the GCC, he said that there are authorities to deal with privacy but the problem is they are not being “enforced appropriately”.

Valjarevic said that every country should have a legal framework to protect privacy of data.

“In some counties/regions there is an overarching privacy law, such as POPIA [the Protection of Personal Information Act] in South Africa, but there are many other countries including the likes of the US and the UAE, where matters of data privacy are regulated in several separate laws and regulations. There is no prescribed or ‘better’ way to approach this and laws and regulations will depend on uniqueness of the jurisdiction and existing legal framework,” he said.

Although there is no general data privacy law at federal level in the UAE, he said that there is a number of laws and regulations setting the scene in this area, including but not limited to the constitution itself, the Penal Code (Federal Law 3 of 1987), the Cybercrime Law (Federal Decree Law No 5 of 2012) and Telecommunications Law (Federal Law by Decree No (3) of 2003) and these prescribe severe fines and even possible imprisonment for data privacy related offences.

“The UAE Government effectively enforces these laws,” he added.