05 Feb Guarding the Gulf from cyber threats
As cyber threats become an epicentre of GCC business risk, James Gerber, CFO of SimSpace, details the preventative measures large organisations should be taking to ensure bottom-line growth in 2024.
In early 2023, the GCC Executive Committee for Cybersecurity held its first meeting, marking a political and technical acknowledgement of the security challenges its countries face. The GCC region now experiences some of the highest costs per cyber incident worldwide, averaging $6.93m, as opposed to the global average of $4.24m, according to the National Data Centre under the UAE’s Supreme Council for National Security.
This financial opportunity has emboldened cyber criminals to redouble their efforts to extort, undermine and damage large organisations in the GCC, with Saudi Arabia and the UAE ranking as the most targeted states in the region, according to a Group-IB report. Macroeconomic, geopolitical and strategic considerations all play a part in shaping global cybersecurity. However, as the threat level elevates for large and listed organisations, the undeclared cyber war enters a critical stage, with companies bracing for their worst day in cyber.
The World Economic Forum’s annual report states that 91% of global leaders believe a far-reaching, catastrophic cyber-event is at least somewhat likely in the next two years. If companies fail to anticipate and prepare for emerging threats before they occur, the reputational and financial fallout could be severely damaging to their stakeholders, share price and customers.
A major incident of this type was recently faced by Clorox, the US manufacturing company, which suffered an estimated $356 million in damages and had $3 billion wiped off of its market valuation following a cyber-attack in August 2023.
The event occurred after Clorox spent $500 million on IT upgrades, earning a spot on the 2023 Forbes Most Cyber Secure Companies list. The incident and resulting financial loss underline the fact that although organisations may be spending large sums of money on their defensive capabilities, they must prioritise where they are investing it to achieve maximum ROI.
Much like Clorox in the US, the GCC region also contains a large number of nationally significant companies on which their economies and sovereign wealth depend. The market size of the Middle East oil and gas sector is set to reach $1.4 trillion by 2030, and without stress-testing the security framework of nationally significant industries, CISOs and CIOs will be playing Russian roulette with their critical infrastructure.
Defending the region
Few companies, at the moment, have their cyber teams practising severe attack incident response in high-fidelity copies of their production environments. Practising such attacks without damaging their operations allows continual uptime while simulating three years’ worth of attacks in just 24 hours. Enterprises need military-grade cybersecurity protections that are tested and validated just as rigorously as the armed forces test their vehicles and weapons. In 2024, a proactive security mindset will be imperative for companies to get ahead of the most pressing threats of the next 12 months and reassure stakeholders of their commitment to cybersecurity.
Many large and listed organisations have awoken to the detriments of in-production testing and its operational constrictions, which do not allow cyber teams to go ‘gloves off’. In 2024, organisations must follow in the footsteps of national defence agencies around the world, such as the US Navy, which has implemented mil-spec capabilities such as cyber ranges to bolster its defence.
Through this approach, organisations can ensure their systems are following cybersecurity best practices, effectively measuring their abilities to withstand severe cyber-attacks. Like national airlines that stress test their pilots regularly with engine and hydraulic system failures, cyber ranges conduct attacks capable of crippling NASDAQ-listed companies, in the safety of a virtual copy of a production environment.
Preventative cybersecurity should be a key priority for CISOs and CEOs alike in the coming year, especially as companies continue to emerge from a post-Covid economic shockwave.
The International Monetary Fund (IMF) forecasts a recovery in economic growth for the Middle East, from 2% in 2023 to 3.4% in 2024 as inflation eases, but overheads remain high. CISOs and CEOs looking for maximum ROI on their cybersecurity spending must not focus on what tools they have in their stack, but on whether they are working. A military-grade approach to cybersecurity can identify an organisation’s must-have tools and eliminate superfluous ones, too. Avoiding the $500 million mistake Clorox made on its cybersecurity spending should be at the top of every CEO’s 2024 wishlist.
A resolute preparedness for sophisticated threats can also reassure stakeholders about their organisation’s readiness. CISOs require data-driven performance analytics to act decisively on the cybersecurity challenges of their business. In 2024, large and listed organisations in the GCC must go beyond one-size-fits-all solutions. A military mindset to cybersecurity as a risk-mitigation tool eliminates the blind spots inherent to cyber threats, uncovering attack vectors often overlooked by less comprehensive software. As a result, organisations can attain the level of preparedness essential to securing their infrastructure against the unforeseen challenges of the next 12 months.