Cyber security moves up the agenda for GCC business
Five years ago, a major oil producer from the Gulf suffered what was then the world’s largest cyber attack, when the oil company saw 35,000 computers either partially wiped or totally destroyed.
Since then, the Gulf’s businesses have remained tight-lipped about cyber breaches and so data is limited, but there is no doubt the risks to cyber security have increased.
Online activity has mushroomed across the Middle East in the past decade, at the same time as geopolitical conflicts and tensions, causing businesses to wake up to the need for cyber security measures and procedures. When Saudi Aramco, one of the world’s largest oil firms, was hit in 2012 it was forced back to using typewriters and fax machines to continue doing business. The company that supplied 10 percent of global output was hit by a group calling itself Cutting Sword of Justice, citing the oil producer’s support of the local regime. Many claimed the attack was sponsored by Iran.
Today, several Gulf countries remain prominent players in local proxy wars, making them vulnerable to both politically and economically-motivated attacks. The United Arab Emirates, with its growing tourism industry and oil reserves, and Qatar, which has risen to global prominence since being awarded the 2022 FIFA World Cup, are in the spotlight.
Meanwhile, businesses in the Middle East are at high risk, according to Cisco’s recent Middle East ICT Security Study, because 65 percent of employees do not understand the security risks of using personal devices in the workplace, which means cyber criminals are attacking internet infrastructure rather than individual computers.
One reason that awareness of cyber risk is low is that companies do not report breaches, according to Saleem Adam, a partner focused on corporate work in the technology sector at Trowers & Hamlins in the UAE. "The problem is that most companies don’t admit attacks in the way that they do in the West," he says. "There’s no legal obligation to do so, except for companies based in some free zones, and so the tendency is to cover them up."
But he says companies are waking up to cyber security: "I sit on the Board of four power plants in the UAE," says Adam, "and over the last two years, cyber risk has become more than an IT issue and moved into the domain of senior management, the Board and the shareholders. There is a growing focus across the region on business continuity plans, and the need to have cyber attack plans in place."
When the major oil producer was struck, computer technicians literally ripped cables out of the backs of computer servers at data centres around the world to stop the virus spreading. Oil production remained steady, but managing supplies, shipping and contracts with governments and business partners all suddenly had to be done on paper. Corporate email went down, and the company – in one fell swoop – bought 50,000 new computer hard drives. It was five months until the company brought its systems back online.
Since then, attacks on major corporations in the Middle East have ranged from the amateur to the highly sophisticated. In May 2013, for example, an international crime gang was charged in the US after USD45 million was stolen from RAKBank of the UAE and BankMuscat of Oman in a massive cyber fraud.
Regulators in the region are increasing the requirements on businesses around cyber preparedness, and free zones like the Dubai International Financial Centre and Abu Dhabi Global Market have data protection rules that are much more akin to those seen in Europe and the US.
But companies across the Middle East should take action to protect themselves and prepare for incidents. Adam advises every business to put in place a Cyber Incident Response Plan, setting out the role of every staff member in the event of an attack, and identifying where the greatest risks may lie. After the Arab Spring series of protests and demonstrations disrupted business in the region in 2010, many private companies developed sophisticated contingency plans, and these now need to be extended to cyber security, he says.
Second, firms must elevate cyber security to a boardroom issue, rather than leaving it to the IT department to oversee. Adam says: "Senior management needs to take ownership, so that they can show they have done everything possible to mitigate the risk of attacks."
Third, careful attention needs to be paid to the risks associated with third-party IT suppliers. A lot of IT requirements in the Middle East are outsourced to external providers, particularly within the financial services industry, and plans need to be put in place to manage events in coordination with suppliers in the event of an attack. Adam says: "We have undertaken audits on behalf of clients to make sure that third-party agreements contain the necessary protections to deal with cyber attacks. The key thing is to identify the legal obligations of the supplier and the company."
He says there is a move in the region to address cyber security breaches, but due to a misconception that a cyber attack is a force majeure event, there is often no real consideration given and force majeure is used as a catch-all provision intended to cover any type of act occurring outside either party’s control. This presents risks to everybody involved, and given the legal liability and often severe reputational damage caused by cyber attacks, we have been asked to carefully review and amend existing force majeure clauses. Some of our clients are negotiating a right to continue receiving services under the contract, at pre-agreed levels, during a cyber attack or force majeure event. For example, instead of 24/7 support, they would receive support for 2-4 hours a day.
And finally, businesses need to make sure they do extensive due diligence on their critical IT suppliers around their cyber preparedness before signing up: "There’s a lot of information people can obtain upfront," says Adam. "For example, have they been attacked before, and if so, how well did they deal with the incident? Build a profile of your supplier to identify how vulnerable they could be to a cyber attack."
Longer term, it is likely that regulatory requirements for cyber resilience will increase in the Gulf region, just as they have elsewhere. "We regularly get asked by clients what they need to do in the event of a data breach," says Adam, "and it depends very much where they are. For the most part, there is currently no obligation to report a breach, but over time I suspect there will be. We are certainly finding out about more breaches."
He adds, "There is this lack of reporting which makes it difficult for the region to fully address cyber risk. There is almost a sense that attacks aren’t happening, but you just need to look for them. They often go unreported. But all the time the Middle East has wealth and geopolitical conflicts, attacks are going to occur."
Few in the GCC currently make use of sophisticated encryption technologies, and many conduct business using Hotmail and WhatsApp, leaving them vulnerable to attack. But cyber security is moving up the agenda, and companies are starting to take action.