Nearly half of business organisations in the GCC do not conduct third-party assessments of their existing information and communication technology (ICT) systems to detect and fix known vulnerabilities.

Not doing so is “an open invitation to adversaries to exploit the known weaknesses and take control of the organisation’s assets”, according to a report based on a survey of 700 executives and information technology (IT) professionals across key sectors in the GCC.

The survey was conducted by Gulf Business Machines (GBM), one of the largest IT systems integrators in the region, which counts the US’ IBM and Cisco among its key partners. Sectors included in the survey are IT, healthcare, education, oil and gas, and hospitality.

The survey also reported that 43 per cent of the respondents do not have an effective security awareness programme in place.

Large enterprises, or organisations with more than 1,000 IT users, are relatively well-placed when it comes to addressing security issues, with 75 per cent indicating they have a dedicated function for governance, risk and compliance. However, this ratio still lags behind the global average of 92 per cent, according to the 2016 Cisco Annual Security Report.

The survey also revealed 43 per cent of enterprises believe they do not have the capabilities to predict and prevent cyber-attacks, while the percentage is higher, at 51 per cent, among small- and medium-sized enterprises (SMEs).

On average, 29 per cent of the surveyed firms plan to invest more in IT security in 2016, with the percentage slightly higher among enterprises (34 per cent) compared with SMEs (25 per cent).

IT security threats range from those orchestrated by organised criminal organisations, money launderers and disgruntled employees to those posed by individuals who work directly or indirectly for their government to steal sensitive information and disrupt enemies’ capabilities.

In December, a power outage affected some 225,000 customers in Central and Western Ukraine. The US Department of Homeland Security confirmed in February that the power outage resulted from a coordinated cyber-attack, which prompted Kiev to review its cyber defence policies.

The growing adoption of the Internet of Things (IoT) and cloud services, and the need to integrate and collaborate with partners and suppliers, are also seen as increasing cyber risks for business organisations.