Securing the systems: Tackling cybersecurity concerns is crucial given the cost of data breaches

The threat to reputation and data security posed by malicious or mischievous online attacks presents opportunities for IT companies able to offer cybersecurity solutions to government departments and private companies. New security and control centres have been established in the Kingdom, with IT security experts working in partnership with some of the country’s leading technology companies. “With high levels of physical security spending in the region there should, and will be, increased spending on cybersecurity, because the two complement each other,” Tarik Algain, of Technology Control Group, told OBG.

SECURITY CONTROL: In March 2013 Saudi Telecom Company (STC) inaugurated what it described as the region’s largest information security control centre. The Riyadh-based centre, which will be run in cooperation with US technology company Symantec, is designed to bolster the security features of STC’s systems and applications and is used for control, operation and surveillance services. At the time of the inauguration, STC’s vice-president for IT, Omer Abdullah Al Nomany said: “The incremental hacking activities facing websites and businesses in the world and the Middle East caused STC to set up this centre.” Al Nomany added that the partnership with Symantec would help STC communicate with global experts in the cybersecurity field to detect and identify potential security threats and run support procedures. Fundamental to the partnership between Symantec and STC was a recruitment and training programme designed to equip young Saudis with the knowledge and skills required to work in cybersecurity.

UPSTEAM PARTNERS: In January 2014 STC Business announced that an additional strategic agreement was to be signed by Creative Telecom Company, STC’s upstream reseller, with Symantec in Riyadh. The focus of the agreement is email protection and services designed to boost business efficiency and safeguard confidentiality in email communications. Khalid bin Hussein Bayari, STC’s senior vice-president for technology and operations, said the partnership would enable STC customers to receive the benefit of the latest understanding and technology used to detect, prevent and react to the threat of virus infections and information security hacking perpetrated through email attacks. The partnership between STC and Symantec is designed to provide essential protection for business emails against opportunistic and targeted threats and block the huge quantities of spam mail, which often consume storage space, waste staff time and use up client network capacity. “In order to ensure the smooth flow of this process with highly effective security and reliability, we have adopted cloud computing, which is characterised by the speed of service which allows clients to receive services on the same day,” Bayari said of the deal.

SOC: In July 2013 IBM opened its 10th global security operations centre (SOC) in Riyadh as part of its alliance with Saudi Arabia’s second-largest mobile operator, Mobily. The SOC is hosted in Mobily’s data centre, which has been granted Tier IV Design and Construction certification by the data centre authority, Uptime Institute. IBM says the SOC is completely self-contained and its activity logs never leave the Kingdom. The centre uses IBM security services infrastructure to assist analysts with the aggregation, correlation, analysis and prioritisation of security logs and events.

The same technology is used by IBM to analyse more than 15bn security issues each day from devices in more than 140 countries. IBM operates nine other global security operations centres in Canada, Belgium, Japan, Australia, Brazil, India, Poland and two in the US. All of the centres are designed to protect mission-critical systems, electrical systems, data processing and communication links from any single point of failure, further extending IBM’s ability to provide real-time analysis and notifications to help businesses deal with the latest and most complex security threats.

Khalid Al Kaf, CEO and managing director of Mobily, said at the centre’s launch, “We are witnessing today increasing security threats globally from the adoption of new and existing technologies. Because cybersecurity is important to the business sector... we are providing, through the newly launched security operations centre, our customers in Saudi Arabia with the highest level of security for their data to help protect their company’s reputation and value.”

IBM’s five-year strategic deal with Mobily was signed in 2012 and is worth SR1.05bn ($280m). Under the agreement IBM will offer IT solutions to the business sector in Saudi Arabia including cloud security services. Highlighting the importance of security, Takreem El Tohamy, general manager of IBM Middle East and Africa, said: “Companies and organisations today are faced with a constantly evolving threat landscape, with emerging technologies making it increasingly difficult to manage and secure confidential data. A security breach can impact brand reputation, shareholder value, and expose confidential information.”

In May 2014 the Ministry of Education announced it had chosen Mobily and IBM to boost its information security using managed and cloud security services. The two companies were commissioned to assess data protection capabilities at the ministry, to pinpoint and secure sensitive data within its IT infrastructure and to develop a data protection strategy.

DATA BREACHES: In May 2014 research backed by IBM and conducted by the US-based Ponemon Institute revealed that the average total cost of a data breach to firms participating in the research had increased by 15% in the year to $3.5m. The ninth annual “Cost of Data Breach” study was based on interviews with 314 companies in 10 countries. For the purpose of the study Saudi Arabia and the UAE were counted together, with 24 companies from the two countries interviewed. All firms participating in the survey had experienced some kind of data breach affecting anything from 2415 individual records up to 100,000. The average number of data items compromised in Saudi and Emirati companies was 28,690 records, which was second only to the US where an average of 29,087 records were breached. The study showed that companies in UAE and Saudi Arabia were most likely to be targeted by a malicious or criminal attack, the most costly category of data breaches. However, companies in Saudi Arabia and UAE were least affected by loss of customers following a data breach compared to the other countries surveyed.

COSTS & CAUSES: The average cost of a data breach in Saudi Arabia and UAE was reported as $3.12m. The research showed that firms operating in highly regulated and sensitive industries such as health care, pharmaceuticals, education and finance could expect a much higher cost as a result of a data security breach compared to companies in sectors such as hospitality, transportation and retail.

Globally, 42% of data breaches were caused by malicious attacks, 30% by human error and 29% by technological glitches. In Saudi Arabia and UAE 50% of all data breaches were caused by malicious attacks, 29% by technological glitches and 21% by human error. The most common causes of malicious or criminal attacks included malware infections, criminal insiders such as employees or contractors, phishing or social engineering and SQL injection. The total cost of a data breach divided by the total number of data items compromised showed a per capita cost of breaches from malicious attack of $117 in Saudi Arabia and UAE. By comparison, each system glitch cost $103 per capita, while incidents resulting from human error cost $96 per capita. Across global respondents the cost of each data breach ranged from $135,603 to $23.1m.

The research showed that among the costs related to data breaches, it cost firms in Saudi Arabia and UAE $188,228 to notify customers about the breach and $1.05m to handle the aftermath. The extra costs to the business incurred by diminished goodwill, customer retention activities and loss of customers amounted to some $1.5m. Companies interviewed for the survey said they would ideally like to see $14m per annum spent on preventing malicious breaches, but estimated they were likely to spend half that.