Saturday, January 18, 2025

Behind the Corporate Veil: Uncovering the Truth Behind the Middle East’s Leading Cybersecurity Record

Only two of the top 100 companies in the Middle East reported cybersecurity incidents last year, according to SecurityScorecard, a firm that specializes in defense vulnerability scanning. However, most incidents in the region likely went unreported.

When you compare the Middle East and North Africa (MENA) to Europe, the findings are striking. In Europe, 18 of the top 100 firms had security breaches, while in the US, 21% of S&P 500 firms faced similar issues. Gulf states have poured significant resources into cybersecurity infrastructure, driven by a need to protect their transforming economies, which are moving away from their traditional dependence on oil. Despite this investment, experts argue that MENA still lags behind the EU and US in the laws that mandate the transparent reporting needed for resilience.

Ryan Sherstobitoff, vice president of research at SecurityScorecard, believes that around 80% of security breaches among large MENA corporations went unreported last year. “The Middle East is not bound by the same reporting requirements as North America or parts of Europe,” he said. Often, when a breach does become public, it’s because hackers attacked a foreign subsidiary that is required to disclose incidents.

The nature of MENA’s geopolitical landscape also invites more attacks. Notably, four-fifths of the top 100 firms in the region are based in Gulf countries, primarily state-owned banks, energy companies, and utilities.

SecurityScorecard stands by its data and claims that top MENA firms outperform their European counterparts in cybersecurity. However, it distributes these findings selectively. The firm evaluates 15 million companies for vulnerabilities and tracks hacking incidents, yet only subscribers can access ratings. Interestingly, SecurityScorecard found a correlation between firms with no reported breaches and those it rated ‘A’. Half of the top 100 MENA firms received ‘A’ ratings, significantly higher than their European rivals and even more than the S&P 500.

Reports of incidents often involve breaches caused by third-party suppliers. SecurityScorecard noted that 84 of the top 100 firms experienced issues stemming from their supply chains. This mirrors trends seen in the EU.

Experts like Ross Brewer, who has extensive experience in high-level regional security, argue that MENA’s spending on cyber resilience doesn’t always translate to effective defenses. He pointed out, “In the Middle East, if the government is involved, bad news isn’t getting out.” The emphasis on projecting a positive image can overshadow genuine security concerns.

Brewer also noted that the culture promotes face-saving, which discourages reporting incidents. Despite significant investment in cybersecurity, he described it as piecemeal and often executed by expatriates, leading to a “fractured and vulnerable” security system.

Bharat Raigangari, who advises large firms in Dubai, sees a need for an independent security ratings agency to address the region’s security issues. While he acknowledges that fewer reported incidents reflect a reluctance to disclose breaches, he believes MENA’s regulatory landscape is rapidly improving.

Experts applaud the efforts of state authorities in bolstering cyber defenses and implementing new legislation. A banking professional, who wished to remain anonymous due to cultural norms, attributed the low reporting of incidents to robust defenses.

The challenge is more than just culture; it’s about reputation and the fear of negative publicity. Firms often avoid reporting incidents because they don’t want to risk business loss. Nevertheless, industry observers point to progress in MENA culture over the years.

As attackers exploit the vulnerabilities brought on by the economic transformation in the region, MENA countries are ramping up regulations to ensure better security investment. According to Munir Subor, a partner at Taylor Wessing in Dubai, it’s common for firms not to report incidents, and incidents that are reported to the government often remain confidential.

Nick Loumakis, managing director at Obrela, suggests the region’s low incident numbers are likely accurate. Government involvement is a constant in his dealings, and he has only known of one significant incident over the past two years. He doesn’t believe that a desire to save face is the main factor at play; rather, effective government oversight and a concentrated economic structure help suppress attacks.

MENA state authorities have not commented on these issues when approached for input.