Corporate cover-up behind world-beating cyber security record in Middle East

Only two of the top 100 listed companies in the Middle East reported cyber security incidents last year, according to defence vulnerability scanning firm SecurityScorecard, but most incidents in the region went unreported, it said.

SecurityScorecard’s findings highlighted an impressive record in the Middle East and North Africa (MENA) when compared with Europe, where 18 of the top 100 firms had security breaches, and to the US, where 21% of firms in the S&P 500 stock market index were hit.

Gulf states in particular have invested heavily in cyber security to deter rampant attacks in the region as they transform from central, state-controlled petro-states to diverse economies more dependent on vulnerable information communications. But experts said it still lagged EU and US in laws required to guarantee open reporting deemed necessary for resilience.

Ryan Sherstobitoff, vice-president of research at SecurityScorecard, said he believed most security breaches that large MENA corporations suffered last year went unreported.

“I would say probably 80% is not reported,” he said. “The Middle East isn’t exactly required to report breaches in the same way as North America, or even some locations in Europe. So, it’s never going to be recorded.”

When a MENA security breach did become public, it was usually because hackers had hit the subsidiary of a foreign corporation whose home rules required it to report the incident, said Sherstobitoff. Moreover, the geopolitical situation spawned more attacks than elsewhere. Four-fifths of the top 100 MENA corporations are in Gulf countries – usually state-owned banks, energy firms and utilities.

SecurityScorecard did not state the data was unreliable when, upon publishing its findings in November, it claimed that the top 100 MENA firms beat European rivals on cyber security. It distributed a press release making the claim privately, but did not publish it with other releases on its public media page.

It also withholds names of firms in its reports, though it styles itself as doing for cyber risk what credit ratings agencies do for financial investors. It scans 15 million firms for vulnerabilities and tracks reports of hacking attacks, but only firms that pay get to see ratings. It sells its services in the region.

The would-be ratings agency noted a correlation between firms that reported no breaches and those it scored ‘A’, after assessing detailed scans it did of their security vulnerabilities, along with incident reports. Breaches diminish a firm’s rating significantly, but only briefly, according to its methodology.

It gave half the top 100 MENA firms A ratings – twice as many as Europe, and a fifth more than the US S&P 500. SecurityScorecard rated 84 of the 100 as either A or B. The strength of MENA cyber security, widely attributed to massive investment, was confirmed in the ITU global index, with Gulf economies ranked among the most secure in the world.

MENA incident reports that appear more reliable involve indirect attacks, with 84 of the top 100 firms admitting they suffered breaches caused by the mistakes of their suppliers, according to SecurityScorecard. Almost every single top EU firm reported the same. A spokesperson said that it has not produced comparable third party breaches of US firms.

Ross Brewer, an expert with deep experience of high-level security in the region, said MENA’s immense spending on cyber resilience was not as good in reality as on paper. “In Western societies, bad news travels fast. In the Middle East, if the government has anything to do with it, bad news does not travel at all. When you are building a utopian future that will attract global tourists, you want to present the absolute best image,” he said.

Firms “in these pretentious countries” did not report incidents because the culture encouraged dignified face-saving, said Brewer. Intense government control of all communications in and out of the region, and internally, was effective at catching attackers. But MENA investment in cyber defences, according to Brewer, had been hasty, shoddy and done piecemeal by expats who left behind them a fractured and vulnerable security architecture. People were afraid to speak out, he claimed.

Bharat Raigangari, board adviser to Dubai security consultancy 1CxO, a company which large firms in the region, said an independent security ratings agency was just what the region needed to address the security problems implied by its third party breaches. Raigangari said was trying to create one, with the backing of the UAE cyber security Council, “but it is much easier said than done”.

It was true MENA had fewer reported incidents because firms were not inclined to report them, he said.