RIYADH: Only 8 percent of organizations in Ƶ are considered “leaders” in “cyber resilience” compared with 17 percent globally, according to a new study that identifies how well organizations are prepared to defend themselves against cyberattacks.
The study, carried out by the multinational professional services company Accenture, said that companies in Ƶ are less than half as likely as their average global peers to be leaders in cybersecurity performance. It is a particularly timely warning in light of the COVID-19 pandemic.
With so many people working from home — outside of their companies’ security network — security breaches are on the rise, according to experts.
The study was based on interviews with more than 4,600 enterprise security practitioners around the globe, including 111 in Ƶ.
It is Accenture’s third “Annual State of Cyber Resilience” study exploring the extent to which companies prioritize security, the effectiveness of current security efforts, and the impact of new security-related investments over 24 industries, including energy, software, telecom, biotech and banking.
“When looking at different countries, we look at regulations on different industries and (take into account) that some countries are more regulated than others,” Ahmed Etman, who leads Accenture Security in the Middle East, told Arab News.
METHODOLOGY
Accenture Research surveyed 4,644 executives representing companies with annual revenues of at least $1 billion in 24 industries and 16 countries across North and South America, Europe and Asia Pacific. Nearly all respondents (98 percent) were the sole or key decision-makers for their organization’s cybersecurity strategy and spending.
“We track year-on year progress whether it’s positive or negative. We track cost as well. And overall, we track the effectiveness of some of the capabilities that our clients are building.”
While Etman admitted that Ƶ’s 8 percent “does not look very positive” in comparison to the global average, he believes the situation in the Kingdom is improving rapidly.
“Working with Saudi clients, we see a lot more investment,” he said. “There is an increase in security spending in the last few years. I think (there is) an increase of 25 percent on cyber resilience in Saudi businesses, which is ahead of everyone else.”
For a company to be recognized as a “leader” in the study, it needs to be among the highest performers in at least three of four categories: Stopping attacks; finding breaches quickly; fixing breaches quickly; and reducing the impact of breaches. “Leaders stop four times as many attacks as other groups,” Etman said, adding that leaders also detected breaches and fixed them much quicker than other groups, which also means that the impact of those breaches is lessened significantly.
The study showed that — worldwide — more than 80 percent of organizations are failing to identify and fix breaches in time to minimize their impact. Saudi organizations were only one-third as likely as their global counterparts to resolve breaches in 15 days or less.
“The survey findings should be a wake-up call for companies in one of the most critical markets in the region,” said Etman.
“There is an enormous opportunity for Saudi businesses to improve their cyber resilience by reducing the time it takes to detect and respond to attacks.”
Etman also noted that the speed at which technology changes can make it difficult for many organizations to keep up with new threats.
“It takes time to get technology transformation happening. And, at the same time, to realize that this transformation is opening doors for new attacks,” he said, adding that while direct attacks are becoming less common, “what we’re saying is a more sophisticated breed of attacks.”
That might mean attacks targeting weak links in an organization’s supply chain, rather than the organization itself, Etman suggested.
“It could be the food company that has a supply chain, an ecosystem of partners that they work with. It could be an e-commerce company that has a supply chain and a lot of data and many places that could be targeted (even though) the actual business itself is well looked after.”
Organizations should absolutely be focusing on “creating more capabilities that would allow them to stop more attacks,” Etman said.
“They should be shaping their investments to shrink these two time frames — ‘time to detect’ and ‘time to respond’ — which will eventually lead to higher effectiveness.”