by Bianca Wright and Keri Allan

Saudi CIOs consider security their toughest tech challenge

News Analysis
Aug 25, 2020

More than half of Saudi CIOs see managing security as their biggest continuing technology-related challenge, and place cybersecurity investment as their topmost business objective.

programmer developer devops apps developer code hacker dark secrets by peopleimages getty
Credit: PeopleImages / Getty Images

Saudi Arabia continues to be a popular target for cybercriminals, in part due to its oil resources but also because of its location in a region rife with geopolitical tensions. According to IDC’s most recent CIO Survey conducted in Saudi Arabia, 60 percent of Saudi CIOs see managing security as their biggest ongoing technology challenge.

This view is expected to impact the cybersecurity spending decisions of almost half (46 percent) of Saudi CIOs, according to the poll, and 75 percent of those questioned have gone so far as to place investments in privacy and cybersecurity as their topmost business objective, particularly as part of their digital transformation agendas.

“Cybersecurity readiness has become one of the major performance indicators of transformation initiatives across the Kingdom,” says Uzair Mujtaba, programme manager for IT Services at IDC. “Saudi Arabia has taken major steps in mitigating future exposure to cyberthreats, and 85 percent of CIOs think that investments in cybersecurity and privacy technologies will be critical to driving digital transformation initiatives in their organisation.”

And they are right to be concerned. The average data breach in Saudi Arabia now costs companies US$6.52 million, a 9.4 percent increase from 2019, according to a report commissioned by IBM Security.

The country invested heavily in cybersecurity after a well-known cyberattack against Saudi Aramco in 2012 from malware dubbed Shamoon, which disrupted oil production and made 30,000 workstations unusable.

According to Joseph Carson, chief security scientist and advisory CISO at cybersecurity firm Thycotic. Saudi Arabia has strict internet access and monitors it quickly and assertively, meaning that targeting citizens has a low success rate. Therefore, he says, businesses are likely to be the top target, all while new and more sophisticated attacks surface everyday.

Attacks evolve to threaten physical infrastructure

 Xage Security, a three-year-old start-up headquartered in Palo Alto, California, has been working with Saudi Aramco to address cybersecurity concerns around its oil and gas operations through its blockchain-protected security fabric.

The nature of cyberattacks has evolved, explains Roman Arutyunov, Xage’s co-founder and head of product. “We saw IT-style attacks for a long time, like malware or even ransomware, but now we are seeing attacks on field operations as well.”

Cyberattacks are targeting the industrial control systems themselves. These attacks, in the form of RATs (remote access Trojans), penetrate industrial control systems – devices,  software and networks used to operate or automate industrial processes. These are often critical controllers that manage the safety of operations. The RATs try to penetrate as many of these controllers as possible, but they lay dormant and don’t activate until there are enough of them to do maximum damage, not only on IT systems but on the cyber-physical systems as well.

In one recent case, Chafer, a hacking group widely believed to have ties to Iran, launched a malware campaign deploying RATs in a Saudi Arabian company starting January 2019.

Any organisation with networked physical infrastructure now needs to consider how to protect those assets as well. “It doesn’t mean that they shouldn’t be networked. They should be networked, because of the great efficiency it brings and increased safety, but it needs to be done with cybersecurity protection in mind all the way out at the edge, not just in the IT space where we have been battling attacks for a long time,” Arutyunov says.

He adds that there is increasing awareness of the changing nature of cyberattacks. “They all say the same thing: that IT is where the battle was, and now the space has changed,” Arutyunov says.

Smart cities – a new target for cybercriminals

Saudi Arabia is leading the way when it comes to smart cities. Riyadh is becoming one of the top smart cities in the world, and work is underway on giant smart city Neom; a cluster of towns and cities the size of Belgium. The deployment of innovative internet of things (IoT) technology, however, presents another target for malicious hackers.

Mike Loginov, Neom’s chief information security officer (CISO), is in charge of the colossal task of building an intelligent and reliable security system for the mega smart city. As the first large-scale urban project to be designed and built from the ground up in the era of AI and machine learning, there’s no legacy infrastructure around. This, he says, is highly advantageous, and he plans to use integrated and proactive defence technology to ensure Neom is secure.

“We select our vendors carefully. To become one of Neom’s trusted suppliers, vendors will need to show they understand and share our security ethic, allow us to test critical infrastructure beforehand and are prepared to contractually warrant that their applications and platforms are fit for deployment,” he told CIO Middle East earlier this year.

Government invests in cybersecurity

National development plans and diversification initiatives are recognising emerging technologies as the enablers of pan-industry transformation. Adoption of these technologies, though, has exposed both public and private sector organisations to a new wave of cyberthreats.

In response, the government is channeling additional efforts to building capabilities and capacity to secure the technologies enabling the diversification initiatives that are the driving force behind the national transformation program. This has lead to the creation of organisations such as the National Cybersecurity Authority (NCA) and the Saudi Arabia Federation for Cybersecurity, Programming & Drones (SAFCPSD).

Matt Moynahan, CEO of security technology firm Forcepoint, emphasises that all regions are dealing with similar cybersecurity issues, but what’s exciting about Saudi Arabia is that the country has been transforming at a rapid pace and has an opportunity to adopt a new cybersecurity approach from the ground up.

“Due to the national transformation in the region, even the ministries are realising that security is not only about products but programs. When we think about programs, we also need to consider the economy, and the outcomes for citizens of Saudi Arabia and its companies. This is what Vision 2030 is all about,” he says.

The National Information Security Strategy (NISS) is among the most important initiatives taken by the Saudi government to formalise the national-level framework for cybersecurity, risk mitigation, and resilience says IDC’s Mujtaba.

“The draft of this strategy emphasises the need to improve the Kingdom’s overall security and resilience in order to provide a secure foundation upon which a knowledge-based economy can be built,” Mujtaba notes. “In an effort to centralise the approach to national cybersecurity management, the Kingdom released a Royal Decree to establish the National Cybersecurity Authority (NCA), which possesses both regulatory and operational functions. This mandates the NCA to – amongst other things – develop and oversee the implementation of an national cybersecurity strategy, design cybersecurity governance models, policies, standards, and controls, build a National Cybersecurity Operations Center (nSoC) to execute cyber defense operations, and stimulate the development of human capital and local industry capabilities in the cyber domain.”

New laws target cybercrime

In line with legislation in other Gulf Cooperation Council states, Saudi Arabia already has a standalone Anti-Cyber Crime Law through which law enforcement agencies, with assistance from the Communications and Information Technology Commission, the national communications regulatory body, have wide powers to investigate cybercrimes.

Another key piece of Saudi legislation is the recently approved electronic commerce law, designed to curb online fraud and boost economic growth. “The emerging e-commerce environment and other data-rich commercial environments in the Kingdom will also become battlegrounds for cybercriminals where law enforcement actors will need to develop enhanced capacity and capabilities,” says Raza Rizvi, regional telecommunications, media and technology (TMT) head at international law firm Simmons & Simmons.

Maher Jadallah, regional director for the Middle East at security firm Tenable, says that governments around the world have cautioned that the cyber threat will worsen rather than lessen, and Saudi Arabia is no different.

“Finding a solution to any problem begins with acceptance. It’s essential that security professionals understand the increased attack surface if their organisation is to moderate their business risk,” Jadallah says.

He emphasises that, in this context, security professionals are not the only ones who must be aware of the risks facing their environments. Given the potential impact of any damage, executive leaders and company boards also need to understand where their organisation is exposed and to what extent, especially given the evolving nature of the cyberattack threat.