According to defence vulnerability scanning firm SecurityScorecard, only two of the top 100 listed companies in the Middle East reported cyber security incidents last year. However, most incidents in the region went unreported.
SecurityScorecard’s findings revealed that the Middle East and North Africa (MENA) had a better record compared to Europe and the US in terms of security breaches among the top 100 firms.
Gulf states have heavily invested in cyber security to combat attacks in the region. However, experts noted that the region still lags behind the EU and US in terms of laws required for open reporting.
Ryan Sherstobitoff, vice-president of research at SecurityScorecard, suggested that many security breaches in large MENA corporations went unreported last year.
Sherstobitoff mentioned that approximately 80% of security breaches in the Middle East are not reported, highlighting the lack of mandatory reporting requirements in the region.
Incidents of security breaches in MENA often involve attacks on subsidiaries of foreign corporations, with geopolitical factors contributing to higher vulnerability. The majority of top MENA corporations are state-owned entities.
SecurityScorecard claimed that the top 100 MENA firms outperformed European counterparts in cyber security. However, the agency did not publicly announce this information.
SecurityScorecard does not disclose the names of firms in its reports but offers cyber risk assessment services to paying clients in the MENA region.
The agency noted a correlation between firms reporting no breaches and those receiving high ratings, emphasizing the impact of incidents on a firm’s security rating.
A majority of the top 100 MENA firms received A ratings for cyber security, indicating strong investment in security measures. MENA economies were recognized for their cyber security strength in the ITU global index.
Reports of incidents in MENA often involve indirect attacks, with many top firms attributing breaches to errors by their suppliers. This trend was also observed in top EU firms.
Experts in the region acknowledged the progress made by state authorities in strengthening cyber defenses and implementing relevant legislation.
Firms in the region have been hesitant to report incidents due to cultural norms favoring face-saving. However, investments in cyber defenses have been noted to be hasty and incomplete.
Bharat Raigangari, board adviser to a Dubai security consultancy, highlighted the need for an independent security ratings agency in the region to address third-party breaches.
While incidents may be underreported in MENA, the region’s security measures and regulations are rapidly evolving to align with global standards.
Experts commend state authorities in MENA for their efforts in enhancing cyber defenses and legislative frameworks.
Yedhu Krishna Menon, head of third-party cyber security at a MENA bank, praised the region’s strong defenses, attributing the low incident numbers to effective security measures.
Hiding security breaches to avoid reputation damage is a global concern, not limited to MENA. The fear of negative publicity and stigma drives many firms to conceal incidents.
Businesses in MENA have progressed in their approach to security incidents, moving away from traditional practices of non-disclosure.
The region’s response to cyber threats has led to the implementation of regulations to bolster security measures, surpassing efforts seen in other parts of the world.
Munir Subor, a partner at a law firm in Dubai, highlighted the common practice of non-reporting of incidents by firms in the region.
Nick Loumakis, MENA managing director at Obrela, supported the low incident numbers in the region, indicating strong security measures.
Government involvement in incident responses has been significant in MENA, contributing to effective handling of security threats and incidents.
Attempts to contact MENA state authorities for comments on the matter were unsuccessful.
