RIYADH: As Saudi companies become more technologically advanced, cybersecurity experts have warned of a general lack of awareness about industry best practices and are worried that businesses are not adequately protecting their systems.

A survey commissioned earlier this year by cybersecurity firm Tenable found that 95 percent of businesses in the Kingdom last year were the victim of a cyberattack.

In addition, 85 percent of Saudi respondents said that they had witnessed a dramatic increase in the number of attacks over the past two years. Companies said they had suffered loss of customer or employee data, ransomware payment demands and financial loss or theft.

Cybersecurity Ventures, a US-based researcher and publisher in this sector, estimated that the global cost of cybercrime could reach $10.5 trillion by 2025.

The rising number of cases, combined with the huge financial impact, will hopefully spur Saudi business executives into action, said Dr. Muhammad Khurram Khan, professor of cybersecurity at King Saud University and founder and CEO of the Global Foundation for Cyber Studies and Research.

“This huge and lucrative price tag entices hackers and cybercriminals to innovate their hacking tactics against individuals and organizations. The ignorance of cybersecurity measures and lack of awareness are the two fundamental loopholes that enable hackers to compromise sensitive data and perform financial fraud,” Khan told Arab News.

Cybersecurity risks can take many shapes and forms, from phishing (impersonating a legitimate organization to access sensitive personal information) to malware (malicious software created to cause damage to a computer or server). Types of malware include viruses, ransomware or spyware, while hacking takes place when outsiders gain unauthorized access to a computer from a distance by exploiting weaknesses in a computer’s defenses.

All of these are serious issues, and the region’s experts have urged computer users to become more cautious about their online security.

Mimecast, an international company specializing in cloud-based email management, highlighted the dangers of phishing. 

“Scams are becoming increasingly difficult to identify, so the average user might not be able to spot fake messages if they haven’t had the necessary cybersecurity awareness training,” said Maen Ftouni, country manager for Mimecast, Saudi Arabia.

Mimecast’s State of Email Security 2020 report states that 74 percent of organizations in Saudi Arabia are concerned about a web domain, brand exploitation or site spoofing attack. The report also found that 48 percent of organizations had seen an increase in phishing over the past 12 months.

“Phishing scams are everywhere, and individuals need to be constantly alert and on the lookout for malicious emails and text messages to avoid falling victim to these increasingly sophisticated attacks. Your bank will never ask you to update information via a link, so if you receive a message like this, alarm bells should be ringing,” Ftouni said.

Another threat is the growing incidences of ransomware, a type of malware that allows hackers to block access to a victim’s data, or in some cases to publish it, unless a ransom is paid. For many companies this could be their worst nightmare as sensitive data is placed in the public domain.

Veritas Technologies, an international data management and protection company, stated in its annual ransomware resiliency report that only 36 percent of respondents said that their security had kept pace with their IT complexity (43 and 39 percent in the UAE and Saudi Arabia, respectively).

According to Veritas, some businesses that fall victim to ransomware and are not able to restore their data from a backup copy of their files may look to pay the hackers to return their information. Its research showed that companies with greater complexity in their multi-cloud infrastructure were more likely to make these payments.

Johnny Karam, vice president of emerging markets at Veritas, said that cloud technology was offering some solutions, but he warned that Saudi business owners should not get too comfortable just yet.

“Whilst this is positive news, our research shows that there is still more that needs to be done. For instance, 29 percent of businesses’ data protection strategies in KSA aren’t keeping pace with the levels of complexity that they’re introducing. As a result, the majority of businesses are feeling the impact of ransomware more acutely,” Karam said.

Businesses of all sizes should be concerned about their security, said Saudi cybersecurity expert, Abdullah Al-Jaber, and small-scale entrepreneurs should not assume it is a problem only for big corporations.

“Even small businesses such as local shops are getting hit and losing their data due to their lack of cybersecurity protections. Large organizations are getting more mature and protecting their systems, and attackers are moving to small- and medium-sized organizations where they lack security awareness and controls. Even individuals can be subject to targeting,” he warned.

Al-Jaber applauds the new government improvements being implemented by the National Cybersecurity Authority (NCA) and the new Saudi Cybersecurity strategy, and recommends that those concerned brush up on their cybersecurity protocols to ensure that they are being protected.

“Having backups, applying the system updates regularly and making sure the systems are not exposed to the Internet, as well as using complex passwords and enabling two-factor authentication, will reduce the risks significantly,” he said.

So, no matter what size a company is or what sector it is involved in, good cybersecurity and data protection are priorities that no business should ignore.