Over the past year, a report ranking Gulf corporations ahead of their US and EU counterparts for cyber security has spurred a substantial debate about the region’s penchant for secrecy and state control. The analysis by SecurityScorecard reveals that only two out of the top 100 listed companies in the Middle East reported cyber security incidents last year, presenting a stark contrast to Europe and the US. In Europe, 18 of the top 100 firms experienced security breaches, while 21% of firms in the S&P 500 stock market index in the US were hit.
Investment in Cyber Security
Significant Financial Commitment
A key factor identified in the report is the significant investment Gulf states have made in cyber security. This investment aims to deter the frequent attacks encountered in the region, especially as these nations shift from being centrally controlled petro-states to diverse economies that rely heavily on vulnerable information communications. The substantial financial commitment has led to the development of robust defense systems, which are considered the primary reason behind the comparatively low direct security breach numbers in MENA countries.
The considerable investment from these states has resulted in sophisticated cyber security infrastructures designed to protect vital sectors. These include state-owned banks, energy firms, and utilities, which are particularly vulnerable to cyber attacks. The emphasis on securing critical infrastructure highlights the Gulf states’ strategic approach to embracing technology while safeguarding economic assets. Although the investment has been substantial, the true effectiveness of these defenses remains partly obscured by a lack of transparency, raising questions about actual security levels.
ITU Global Cyber Security Index
The ITU Global Cyber Security Index in September ranked Gulf economies among the best globally for cyber security. This ranking reflects the massive investments and efforts made by these states to protect their critical infrastructure, which includes state-owned banks, energy firms, and utilities. These sectors are particularly vulnerable to cyber attacks, making the investment in cyber security even more crucial.
These high rankings in global indices demonstrate a collective commitment to cyber resilience and position Gulf countries favorably on the international stage. However, such accolades might not accurately reflect internal challenges and potential underreporting of incidents. The region’s overall progress in developing and implementing cyber security measures has drawn positive attention, but it also underscores the necessity to evolve regulatory frameworks and transparent reporting standards to better align with global practices.
Discrepancy in Reporting Requirements
Lack of Reporting Obligations
Experts have highlighted the discrepancy in reporting requirements, noting that the Middle East lags behind the EU and US in implementing laws necessary for guaranteeing open reporting and resilience. Ryan Sherstobitoff, vice-president of research at SecurityScorecard, expressed his belief that the majority of security breaches in large Middle Eastern and North African (MENA) corporations went unreported. He estimates that “probably 80% is not reported,” pointing out that the Middle East doesn’t have the same obligations to report breaches as North America or parts of Europe, resulting in these incidents often going unrecorded.
The lack of stringent regulation for reporting creates an environment where many cyber security incidents remain hidden from public view. This underreporting can lead to a misleading representation of the region’s true cyber security status. Without mandatory disclosure, stakeholders, including investors and customers, are left with an incomplete picture of the risks associated with corporate operations in the Middle East. The absence of comprehensive legislative frameworks for mandatory incident reporting exacerbates these discrepancies and challenges.
Subsidiaries of Foreign Corporations
Interestingly, when a security breach in the MENA region does become public, it is typically because the affected entity is a subsidiary of a foreign corporation that is mandated to report incidents by its home country’s laws. This trend underscores the geopolitical complexities that increase the frequency of malicious attacks. Four-fifths of the top 100 MENA corporations are in Gulf countries and are usually state-owned banks, energy firms, and utilities—critical infrastructure that has driven the Gulf states to fortify their cyber security measures significantly.
Given the vital nature of these industries, any significant breach, even if not publicly reported, could have far-reaching implications. In these scenarios, the pressure to maintain national security and economic stability might compel corporations to handle incidents discreetly. The intertwining of foreign corporate regulations and local practices further complicates an already opaque landscape. Therefore, while investments bolster protective measures, the regional reporting practices and external dependencies reveal a complex, layered approach to cyber security management.
Methodology and Skepticism
SecurityScorecard’s Methodology
SecurityScorecard’s methodology, which includes scanning 15 million firms for vulnerabilities and tracking hacking reports, gives firms that report no breaches higher ratings. In its assessment, it awarded half of the top 100 MENA firms an ‘A’ rating—this is twice as many as those in Europe and a fifth more than firms in the US S&P 500. It rated 84 of the top 100 MENA firms as either ‘A’ or ‘B,’ suggesting strong cyber defenses attributed to massive investment.
While these ratings suggest robust security mechanisms, they rely heavily on self-reported data, which might not capture the true scope of cyber incidents. The region’s inclination towards non-disclosure further obscures the reality behind these high ratings. Critics have pointed out methodological limitations that could inflate these ratings, thus casting doubt on their accuracy. The reliance on scanning and external assessments without adequate internal data transparency from corporations makes the assessment questionable.
Cultural and Regulatory Factors
However, skepticism remains about the true extent of these defenses. Ross Brewer, a regional security expert, suggested that the impressive figures on paper may not reflect the on-ground reality. He argued that there’s a culture in the Middle East where negative information, particularly government-related, is suppressed to maintain a dignified public image. He highlighted that while government control is effective in intercepting attackers, much of the cyber security investment has been hasty and executed piecemeal by expatriates, which could leave considerable vulnerabilities.
This culture of information suppression contributes to a facade of solid security measures, masking the actual vulnerabilities present within corporate and government infrastructures. Furthermore, the reliance on expatriates and quick-fix solutions instead of long-term strategic investments could compromise the sustained effectiveness of these defenses. Brewer’s observations resonate with a broader concern about the alignment between perceived and actual cyber security capabilities, prompting a need for deeper scrutiny and alignment of both tactical and strategic initiatives in the sector.
Cultural Aspects and Reporting
Saving Face
There is also a cultural aspect where reporting incidents is not encouraged, as firms prefer to save face. This culture also extends to the control of internal and external communications. However, Bharat Raigangari of the Dubai security consultancy 1CxO noted ongoing efforts to establish an independent security ratings agency in the region to address these challenges. Meanwhile, progress in cyber security regulations and defenses continues, with state authorities being applauded for their efforts.
The concept of maintaining face in the business community can significantly impact the transparency of security incidents. Fears of reputational damage often result in organizations opting for a more confidential handling of breaches. However, the move towards establishing independent rating agencies could shift practices toward more transparency and accountability. State authorities’ involvement in formalizing these frameworks signifies a departure from entrenched practices, aiming to align with global standards and promote cyber security maturity.
Differentiating Incident Reports
Yedhu Krishna Menon, head of third-party cyber security at a MENA bank, differentiated between lower incident reports due to strong defenses and those withheld to avoid reputation damage. Despite the pressure to maintain a spotless record, MENA’s cyber security framework and regulatory landscape have seen considerable advancements over the last decade.
Menon’s differentiation highlights the dual edges of strong defenses and the desire to protect corporate images. While some sectors genuinely report fewer incidents due to robust security measures, the trend of non-disclosure to avoid reputational harm cannot be ignored. The advancements in cyber security regulations and defenses indicate a progressive trajectory for the region, paving the way for more integrated and transparent practices. A balance between actual security efficacy and openness in incident reporting could foster a more resilient and trustworthy cyber security environment.
Legal Perspectives and Government Involvement
Confidential Reporting
Over the past year, a report showing Gulf corporations outpacing their US and EU peers in cyber security has ignited a considerable debate surrounding the region’s inclination for secrecy and state control. The study conducted by SecurityScorecard uncovered that only two of the top 100 companies in the Middle East reported cyber security events in the past year. This finding marks a stark contrast to the situation in Europe and the United States, where cyber security breaches seemed far more prevalent. In Europe, 18 out of the top 100 firms experienced security incidents. Meanwhile, a striking 21% of companies within the prestigious S&P 500 stock market index in the US reported similar issues. This marked difference underscores a significant disparity in reported cyber security incidents, raising questions about transparency and reporting practices among these regions. The Gulf’s lower reported rates may suggest effective cyber measures or could imply tighter control over information, fueling the ongoing debate about cyber security and openness in business practices.