Organisations in the Kingdom of Saudi Arabia (KSA) are making gains in the fight against cyberattacks, with many organisations seeing a decline in the volume of incoming attacks and suffering less downtime in the wake of a successful attack.
The latest Mimecast State of Email Security 2022 report found that, despite email usage increasing at eight out of ten KSA companies, only 38% are concerned about increasingly sophisticated attacks, and less than a third are concerned about insufficient security budget.
“Organisations in KSA have risen to the challenge of an escalating number of email-based attacks by allocating sufficient budgets, conducting regular cybersecurity awareness training and investing in the tools and technologies needed to build greater cyber resilience”, says Werno Gevers, Cybersecurity Expert at Mimecast. “In fact, nearly all (98%) of companies in the region have a cyber resilience strategy in place or are actively planning to implement one”.
Many respondents actually reported fewer email-based attacks over the last year. Forty percent of surveyed organisations experienced a decrease in phishing attacks, 38% saw a decrease in internal threats or data leaks initiated by malicious insiders and a third (34%) witnessed a decrease in business email compromise.
“KSA organisations are also setting an example in building greater resilience against ransomware attacks, which are expected to cost organisations $265-billion globally by 2031”, says Gevers. “While six in ten organisations suffered a ransomware attack in the past year, the average downtime is only five days compared to a global average of over seven, Seventeen percent of KSA companies say they experienced no downtime, far outpacing other regions where – when looking at a global average – as little as 2% of companies could claim the same”.
Improved employee awareness is paying off
One of the keys to KSA organisations’ success in the fight against cybercrime is the widespread use of cyber awareness training to equip employees with knowledge and tools to avoid risky online behaviour and minimise potential compromise.
“Forty-four percent of organisations in KSA provide ongoing cyber awareness training to employees, nearly double the global average of 23%”, says Gevers. “This appears to be translating into some positive behaviour: only two-thirds of organisations said they were concerned over employees using personal email against a global average of 81%, while 60% admitted to being worried that employees overshare company information on social media, compared to 80% of organisations globally”.
Positive impact of government mandates
It is not only company measures against cyberattacks that are in the spotlight. Due to the sheer scope and sophistication of the global cybercrime industry, governments are becoming increasingly aware of the devastating impact of such attacks on businesses and critical infrastructure.
In response, governments around the world are stepping up their measures to protect citizens and critical infrastructure from cyberattacks. And the respondents expect high levels of change in their organisations due to new government mandates.
“Thirty-eight percent of KSA organisations expect incoming government mandates to bring overall improvements in cybersecurity, while 36% expect a decreased risk of cyberattacks impacting their business”, says Gevers. “However, new mandates are also likely to introduce additional costs: 30% of KSA respondents expect an increase in financial cost to their business, which may put pressure on IT budgets. However, in a positive sign, organisations in KSA report allocating on average 16% of their IT budgets to cyber resilience, slightly ahead of the global average of 14%”.
Getting ahead of brand impersonation
Looking ahead, organisations are expected to invest in measures to protect their brands and email domains from spoofing in the coming year. Two in five organisations admitted to being only somewhat prepared or not prepared at all to deal with attacks that spoof their email domains.
“Nearly all (92%) KSA organisations that were surveyed either use or plan to use a brand protection service, while 88% are using or plan to use DMARC to counter brand spoofing. Such measures are essential to maintaining high levels of security and trust with customers, especially in the wake of growing uptake of ecommerce and other digital customer interactions. The fact that 1 in 10 organisations had no plans or at least no immediate plans to implement brand protection is concerning. And while for some organisations, it may not seem like an immediate concern, they need to be on the front foot and ensure they have adequate protective measures in place before brand impersonation attacks escalate”.