How protected is your business from cyber attacks

The digitalisation and free flow of information have transformed global business. In an increasingly interconnected world, cyber risk is a top priority for organisations, and having an effective data breach response programme is no longer optional.

The increase in global data protection laws and the awareness of individual data protection rights and ownership are giving rise to new business challenges regionally and globally.

Cybersecurity was identified by the World Economic Forum as one of the top-10 risks, in its “Global Risk Report 2020”. Cybersecurity Ventures, in its “Cyberwarfare In The C-Suite 2021” report, expects cybercrime costs to grow by 15 per cent per year over the next five years, reaching $10.5 trillion annually by 2025, up from $3 trillion in 2015. Such cyber-attacks vary from ransomware to data breaches and from fake vaccine online registrations to unemployment fraud.

Even before the pandemic, IBM’s ‘2019 Cost of Data Breach Report’, which analysed breaches from 507 organisations in 16 countries, reported that the Middle East had the highest average number of breached records, at 38,300 per incident, compared to the global average of 25,500.

The UAE cyber chief, Mohamed al-Kuwaiti, warns that the Middle East is facing a “cyber pandemic” as hackers take advantage of Covid-related digital adoption, following the country’s 250 per cent increase in cyberattacks in 2021.

On a more positive note, earlier this year, Saudi Arabia, which is aiming to become the new tech hub in the region, jumped up 11 places from 2018 to be ranked second in the world among countries committed to cybersecurity at a global level, according to the Global Cybersecurity Index 2020.

In an effort to regulate data collection and usage in the kingdom, Saudi Data and Artificial Intelligence Authority (SADAIA) was established in 2019. As an independent body, SADAIA is responsible for regulating and overseeing data collection and processing in the kingdom – supervising matters related to personal data breaches, while acting impartially when performing its duties. The kingdom and the UAE have also implemented a National Cybersecurity Strategy, which aims to create a safe and robust cyber infrastructure.

Are businesses prepared for new cybersecurity risks?
Many companies have vulnerabilities in their reaction to and defence against cyber threats. Cyber-attackers see the pandemic as an opportunity to exploit the vulnerability of employees working from home, and capitalise on people’s growing interest in coronavirus-related news.

Before the pandemic, many companies were opposed to allowing remote working, and in particular, accessing confidential data. Almost overnight, companies had to increase their capacity and capabilities for remote working. Unfortunately, cybersecurity was not always a key priority in the accelerated deployment of remote working systems.

Today, a major concern for companies is illegal access by hackers to sensitive information that could negatively impact its reputation – often more crippling than the actual data loss itself. Losing customer information could lead to legal or regulatory action against the organisation – arising from breaches of the privacy laws in many jurisdictions.

When considering cybersecurity priorities, organisations must first consider risks across the whole company, including through sub-contractors and other members of its supply chain to understand where their weakest links lie. It is equally important to ensure that the means of complying with legal obligations aligns with business objectives.

Key considerations
The GCC is taking great strides toward economic diversification, with cities becoming smarter and infrastructure increasingly connected. New laws are also emerging, aimed at imposing strict obligations on businesses concerning how, why, and when personal data can be collected, used and stored. And the steady expansion in cybersecurity capacity is linked closely to overall economic development. Such laws include:

· Anti-cyber crime law: The Saudi Arabia Anti-Cyber Crime Law aims to secure the safe exchange of data while protecting the rights of computer and internet users. The UAE Cybercrime Law also regulates the misuse of electronic information through hacking, identity theft, and fraud. The National Electronic Security Authority (‘NESA’) enforces the cybercrime law and generally regulates communications networks and information systems in the UAE.

· The DIFC Data Protection Law: The Dubai International Financial Center (DIFC), also issued a new Data Protection Law (DIFC Law No. 5 of 2020), replacing the current regime. The law aims to provide enhanced standards and controls for the processing and free movement of personal data by controllers or processors and to protect the fundamental rights of data subjects.

· Electronic commerce law: Like the EU General Data Protection Regulation (GDPR), the UAE and Saudi Arabia e-commerce laws focus on regulating e-commerce business practices, requiring increased transparency and consumer protection, with the goal of enhancing trust in online transactions.

· Cloud computing framework: The Saudi Arabia Cloud Computing Regulatory Framework (CCF) is based on international best practices and governs the rights and obligations of cloud service providers (CSPs), individual customers, government entities and businesses. The CCF is one of only a few examples of cloud-specific regulatory frameworks around the world.

· Internet of Things (IoT) regulatory framework: Published by the Communications and Information Technology Commission (CITC) in Saudi Arabia, and the Telecommunications Regulatory Authority (TRA) in the UAE, the IoT regulatory framework aims to successfully regulate IoT in a more coordinated, coherent, safe and secure manner.

In today’s world, the value of data as a strategic asset and source of economic value is clear, while the pandemic has taught us that preparation is key to successfully limiting the risks related to cyberattacks. This period of post-pandemic recovery and preparation presents an opportunity for organisations to rebuild to a new normal, with enterprise resilience as a major objective.

There is also a growing need for collective action, policy intervention and improved accountability from regional governments and businesses. While governments have recently adopted new regulations to cater to the rapidly evolving digital and fintech ecosystem, the laws and regulations still need to be updated to follow international legislation and cover this new era of business. Such laws will, in turn, provide much more comfort to foreign investors when doing business in the region.

However, governments cannot act alone – these initiatives must take a multi-stakeholder approach. The participation of the tech world and the private sector are essential to building effective cybersecurity resilience capabilities.

Suhaib Hammad is the head of commercial and TMT practice at Hammad & Al-Mehdar Law firm