Saudi Arabia is going through a period of unprecedented change, as organisations embrace rapid digitisation and growth opportunities, spurred on by investments linked to the Vision 2030 national transformation programme and the post-COVID-19 economic recovery. Against this backdrop, cybersecurity is an ‘always on’ critical issue for all large organisations. With an increasing number of KSA companies participating in the latest PwC Global Digital Trust Insights Survey, the results highlight how organisations in the Kingdom are responding to intensifying cyber threats.
Globally, the survey indicates that cybersecurity is very high on corporate agendas: more than two thirds of companies (69%) worldwide predict a significant rise in spending on cybersecurity in 2022, and more than 50% expect reportable cyber breaches to surge next year.
Companies in KSA are just as concerned as their global peers about the anticipated increase in cyber breaches across the board, and expectations for growth in some specific types of cyber crime are higher than the global average. Saudi businesses are particularly concerned about cyber attacks from nation states (59% of respondents), from competitors (62%), and also from past employees (54%) who may have retained privileged access to corporate systems.
Yet the focus of the survey goes beyond the shape and source of specific cyber attacks. The responses concentrate on the proactive steps companies should be taking to prepare for continued growth in cyber threats, with special attention paid to the importance of reducing complexity and the associated cyber risks it brings, and best practice in managing data and limiting supply chain risk.
These are the strategic areas that all companies should have under continual review:
Are you securing against the most important risks today and tomorrow using data you can trust?
How well do you understand the risks posed by third parties in your supply chain?
Are the CEO and C-suite leadership driving change and simplification and enabling the organisation to do the same?
The overall cybersecurity readiness data from KSA companies does not differ greatly from the responses of global companies, and organisations everywhere report a significant challenge in maximising the return on their cybersecurity investments. For example, almost half of companies worldwide are still close to the start of the process of cybersecurity control implementation. Around a third have implemented advanced controls at scale, but less than one fifth of global companies say they have actually realised the benefits of cybersecurity implementation.
The survey also shows that the top 10% of companies (measured in terms of the four most important cybersecurity factors – CEO engagement, a streamlined organisation, managing data and understanding third party risks) are more than twice as likely as others to report significant progress towards meeting their cybersecurity goals. Here, we take a detailed look at the progress KSA companies are making in these areas. The survey results are drawn from a number of large organisations in the Kingdom.
KSA companies are leading the way with high reported levels of CEO engagement and leadership on cybersecurity – a positive measure of cybersecurity readiness. The level of support offered by Saudi CEOs runs higher than the Middle East region average and also higher than the global average.
For example, 41% of Saudi companies report significant CEO support in embedding cyber and privacy concerns in key operations compared to only 30% of global companies, and similarly for a cyber-proficient culture throughout the organisation. Almost half (47%) of Saudi CEOs are considered to be significant contributors to inspiring the cybersecurity team, compared to only 28% of global companies.
High-quality data, security controls and review of threats make up the cornerstones of an organisation’s readiness and resilience in response to cyber threats. When asked about the real time visibility of cyber controls in the organisation, KSA companies were markedly ahead of both global and regional respondents. Some 64% of companies utilise real time automated data – which gives the most efficient and complete 24/7 readout on threats – compared to 47% of companies in the Middle East region and 55% of companies globally.
For KSA companies, best practice in data management has become increasingly important with the implementation of the new KSA Personal Data Protection Law in September. The Law introduced strict obligations on data sharing and data sovereignty, and requires companies and government entities to notify the Regulator of any data breaches or leaks of personal data they hold.
It is widely recognised that complexity is an important factor in an organisation’s cyber vulnerability. In a growth phase, companies may develop systems and supply chains at a pace that outstrips their ability to manage the cyber risks that complexity always brings. And many KSA companies are in exactly such a growth phase thanks to the investment surge that has accompanied the Vision 2030 national transformation programme.
Where there is complexity there also has to be cyber awareness and risk mitigation, and the 2022 survey results highlight some specific areas for organisations in the Kingdom to address. Compared to global responses, KSA companies have a higher tolerance of complexity overall. They are less likely to have reduced redundancies in their processes, and at the same time are more likely to consider that their levels of complexity are acceptable across a wide range of corporate processes.
The survey finds that reducing complexity is a long-term challenge, and that to achieve improvements companies will have to consolidate technology vendors, redefine the mix of in-house and managed services, and move processes to the cloud to provide more flexibility and accelerate innovation.
The 2022 survey results make clear that the companies achieving better cybersecurity outcomes are those companies that have leaders that drive cybersecurity principles right through the organisation, hire the right cybersecurity talent and empower them, prioritise actions according to data and analysis, and that continually seek to uncover blind spots in their processes and relationships.
These are the ‘Four Ps’ – Principle, People, Prioritisation and Perception. They need to be watchwords for companies everywhere, but for KSA companies they have a special resonance. The surge of investment and growth that is being driven by Vision 2030 is also bringing with it greater organisational complexity as new markets, new processes and new technologies are added. These investments bring opportunities but also introduce the risk of complexity, which cyber attackers thrive on.
The survey shows that KSA companies have already taken ownership of cybersecurity issues in line with many of their global peers. The next steps are to reduce complexity in the supply chain and within the organisation to build further protection against the rise in cyber attacks.
There is ample evidence to suggest that many cybersecurity threats arise not inside the organisation but in the extended supply chain, where managing third party security postures and controls is intrinsically more difficult than managing internal issues. To understand supply chain cyber risks, companies must assess and manage risks from direct suppliers of software, hardware or cloud services, and the so-called ‘Nth Party’ risks that may be generated by lower tier suppliers to upper tier vendors.
In KSA the picture is mixed, but companies do appear to be reporting knowledge gaps in specific areas of concern: for example, Saudi companies are somewhat more likely than their global peers to report they have only anecdotal understanding and no formal assessments of Nth Party risks, and they are markedly more likely to say the same of software supply chain risks: 31% of KSA companies report only anecdotal understanding compared to 19% of global companies.
In addition to their awareness of knowledge gaps, companies in KSA also report taking a higher level of action to reduce third party complexities and risks. Saudi companies are more likely than their global peers to have worked with suppliers to improve their cybersecurity (54% of Saudi companies, compared to 42% of global respondents). They are also more likely to have taken the final step of exiting relationships with third parties to limit risk (44% of Saudi companies compared to only 30% of their global peers).