Building a cyber security strategy

28 November 2017

The three lines of defence model allows leaders to address the diverse risks of the digital world

The threat from cyber attacks is significant and continuously evolving. One estimate suggests cyber crime could cost businesses more than $2 trillion by 2019, nearly four times the estimated amount in 2015.

The disruptive forces that are driving today’s business growth and efficiency are the same dynamics contributing to this widened attack surface for cyber assaults. Internet, cloud, mobile and social technologies, which are inherently designed for sharing, have become mainstream platforms. Outsourcing, contracting and remote workforces are shifting operational control. Data is continuing to expand, along with the requirement to protect it.

Attackers, meanwhile, range from hackers to nation states. In all forms, they are constantly innovating and subverting common controls, some beyond the reach of a country’s law enforcement.

In the Middle East, the growing political instability since 2010 has given rise to various hacktivist groups and nation-state threat actors. These groups have wrought havoc on governments and both public and private institutions on almost a daily basis. Shamoon, the aggressive disk-wiping malware used against Saudi Arabia’s energy sector in 2012, made a surprise comeback in late 2016 and early this year.

As the regional conflicts intensify, so too will the frequency and intensity of cyber attacks, as cyber threat actors continue to look to cyber space to engage in political activity and disrupt the parties they are in direct conflict with.

In addition, the Middle East, particularly the GCC states, is perceived as having significant economic wealth, making the region a target for attack. It is widely accepted that Middle East individuals and institutions are twice as likely to encounter malware compared to the global average.

A recent report by Microsoft found that, for four consecutive quarters from the third quarter of 2015, every country in the Middle East had at least double the number of computer systems infected by malware compared with the world average.

Lines of defence

Amid growing concerns about potential financial, operational and reputational damage, cyber crime has quickly become one of the top enterprise-wide risks faced by organisations around the world. Boards of directors, executive management and front-line employees have been forced to sit up and take notice.

Addressing cyber risk is an imperative for everyone within the enterprise, but the ultimate responsibility for overseeing risk rests with top leaders.

Many board members and C-suite executives, however, are far removed from the day-to-day challenges of monitoring, detecting and responding to evolving cyber risks. Those leaders who develop a deeper view of where their organisation stands when it comes to cyber risk will gain a critical understanding of the issue.

Effective risk management is the product of multiple layers of risk defence. The following three lines of defence are not unique to cyber security, but should be in place and operating at a robust level to deal with any risk to the business. Most importantly, these measures will help the board to understand and address the diverse risks of the digital world.

■ Management should retain ownership of cyber risk:

Companies that are good at managing information security risks typically assign responsibility for their security regimes to the highest levels of the organisation. Management retains ownership, responsibility and accountability for assessing, controlling and mitigating risks.

■ Implement risk management and compliance functions:

Risk management functions facilitate and monitor the implementation of effective risk management practices by leaders, and help risk owners in reporting adequate risk-related information throughout the firm.

■ Strong internal audit is vital:

The internal audit function provides objective assurance to the board and executive management on how effectively the organisation assesses and manages its risks, including the manner in which the first and second lines of defence operate. It is imperative that this line of defence is at least as strong as the first two.

Without a function that provides competent and objective assurance, a company faces the real risk of its information practices becoming inadequate or even obsolete. It is a role that internal audit is uniquely positioned to fill. But to do so, it must have the mandate and resources to match.

Fadi Mutlak is partner for cyber risk services at Deloitte & Touche Middle East
