
Corporate cover-up behind world-beating cyber security record in Middle East

Report ranking Gulf corporations ahead of US and EU counterparts for cyber security has sparked debate about the region’s tendency for secrecy and state control

Only two of the top 100 listed companies in the Middle East reported cyber security incidents last year, according to defence vulnerability scanning firm SecurityScorecard, but most incidents in the region went unreported, it said. 

SecurityScorecard’s findings highlighted an impressive record in the Middle East and North Africa (MENA) when compared with Europe, where 18 of the top 100 firms had security breaches, and to the US, where 21% of firms in the S&P 500 stock market index were hit. 

Gulf states in particular have invested heavily in cyber security to deter rampant attacks in the region as they transform from central, state-controlled petro-states to diverse economies more dependent on vulnerable information and communications technology. But experts said the region still lagged the EU and US in the laws required to guarantee the open reporting deemed necessary for resilience.

Ryan Sherstobitoff, vice-president of research at SecurityScorecard, said he believed most security breaches that large MENA corporations suffered last year went unreported. 

“I would say probably 80% is not reported,” he said. “The Middle East isn’t exactly required to report breaches in the same way as North America, or even some locations in Europe. So, it’s never going to be recorded.”

When a MENA security breach did become public, it was usually because hackers had hit the subsidiary of a foreign corporation whose home rules required it to report the incident, said Sherstobitoff. Moreover, the geopolitical situation spawned more attacks than elsewhere. Four-fifths of the top 100 MENA corporations are in Gulf countries – usually state-owned banks, energy firms and utilities. 

That impelled Gulf countries in particular to invest heavily in cyber security and build robust defences that rank them, according to the ITU Global cyber security index in September, among the best in the world. Robust defences were the main reason why direct security breaches were so low in MENA countries, said Sherstobitoff.

SecurityScorecard did not state the data was unreliable when, upon publishing its findings in November, it claimed that the top 100 MENA firms beat European rivals on cyber security. It distributed a press release making the claim privately, but did not publish it with other releases on its public media page. 

It also withholds names of firms in its reports, though it styles itself as doing for cyber risk what credit ratings agencies do for financial investors. It scans 15 million firms for vulnerabilities and tracks reports of hacking attacks, but only firms that pay get to see ratings. It sells its services in the region. 

The would-be ratings agency noted a correlation between firms that reported no breaches and those it scored ‘A’, after assessing detailed scans it did of their security vulnerabilities, along with incident reports. Breaches diminish a firm’s rating significantly, but only briefly, according to its methodology. 

It gave half the top 100 MENA firms A ratings – twice as many as Europe, and a fifth more than the US S&P 500. SecurityScorecard rated 84 of the 100 as either A or B. The strength of MENA cyber security, widely attributed to massive investment, was confirmed in the ITU global index, with Gulf economies ranked among the most secure in the world. 

MENA incident reports that appear more reliable involve indirect attacks, with 84 of the top 100 firms admitting they suffered breaches caused by the mistakes of their suppliers, according to SecurityScorecard. Almost every single top EU firm reported the same. A spokesperson said it had not produced comparable figures for third-party breaches of US firms.

Ross Brewer, an expert with deep experience of high-level security in the region, said MENA’s immense spending on cyber resilience was not as good in reality as on paper. “In Western societies, bad news travels fast. In the Middle East, if the government has anything to do with it, bad news does not travel at all. When you are building a utopian future that will attract global tourists, you want to present the absolute best image,” he said. 

Firms “in these pretentious countries” did not report incidents because the culture encouraged dignified face-saving, said Brewer. Intense government control of all communications in and out of the region, and internally, was effective at catching attackers. But MENA investment in cyber defences, according to Brewer, had been hasty, shoddy and done piecemeal by expats who left behind them a fractured and vulnerable security architecture. People were afraid to speak out, he claimed. 

Bharat Raigangari, board adviser to Dubai security consultancy 1CxO, a company which large firms in the region, said an independent security ratings agency was just what the region needed to address the security problems implied by its third-party breaches. Raigangari said he was trying to create one, with the backing of the UAE Cyber Security Council, “but it is much easier said than done”.

It was true MENA had fewer reported incidents because firms were not inclined to report them, he said. But the region’s security, and its regulations, were maturing fast and catching up with the West. 

Experts in the region applaud state authorities for their progress in building cyber defences and enacting legislation. 

Yedhu Krishna Menon, head of third-party cyber security at a MENA bank, who asked for his employer to remain anonymous because it is culturally unacceptable to reveal it, said that reported incidents were low because the region’s defences were particularly good. 

Hiding security breaches to save face was not limited to MENA, he said; the bigger concern was “reputation damage, fear of negative publicity, of stigma – it’s a global thing”.

“They don’t report the majority because they don’t want to lose business,” he added. MENA culture had also progressed. “It’s not like 10 years back.” 

Attackers, aiming to bring down economies and exploit vulnerabilities introduced by the region’s transforming economies, had merely prompted MENA countries to implement regulation to drive investment in security. The regulatory impetus had been momentous and like nowhere else in the world, said Menon. 

Munir Subor, a partner at law firm Taylor Wessing in Dubai, said that it was common practice for firms in the region not to report incidents. Those reported to government would remain secret. 

Nick Loumakis, MENA managing director at Obrela, a Greek firm working closely with UAE cyber security authorities, believed the region’s low incident numbers were correct. 

Government was “always in the room” whenever he had dealt with an incident, but he knew of only one large firm hit in the past two years. He didn’t think saving face played a part. “It’s not easy to keep this information hidden,” he said, believing that government control of large firms and an oligarchical economy had allowed MENA countries to stamp out attackers more effectively.

MENA state authorities contacted by Computer Weekly were unavailable for comment. 
