The Cyber Threat Landscape is Multifaceted and Indiscriminate

Cybercriminals take many forms… it could be nation-states seeking to undermine their adversaries’ critical infrastructure, or organised criminal gangs deploying ransomware on an industrial scale. It may be unscrupulous companies trying to steal a march on their competitors, or even youngsters who do it for the thrill.

While it’s true that many cyber-attacks are targeted at high-profile organisations (look at recent events in the UK retail sector) or national capabilities (e.g. power infrastructure), many are indiscriminate. Cyber criminals can now simply buy ransomware/phishing ‘toolkits’ on the dark web, enabling them to try their luck across a vast array of individuals and organisations. No targeting needed. They just need enough individuals to be fooled by their techniques to justify the outlay.

And don’t forget about sheer accident (or incompetence). Many cyber incidents are down to internal mistakes or poor processes. The recent Crowdstrike incident, which affected many of the world’s IT systems in one fell swoop, is a great example.

A significant misconception is that many assume cybersecurity is a technical problem. Increasingly, it’s a people problem (in crude terms, I’d estimate it at 50% – at least). Why? Because cyber-attacks prey on people, and because strong cybersecurity still relies heavily on people to do the right thing, at the right time.

Vision 2030 Demands Strong Cybersecurity, Backed by Wide-Reaching Regulations

When it comes to the drive towards a cyber-secure society in KSA, the government is leaving nothing to chance. Against the backdrop of Vision 2030 and the National Cyber Security Strategy (NCSS), many organisations are already subject to the National Cybersecurity Authority’s (NCA) Essential Cybersecurity Controls (ECC) and related standards. In addition to this, many sectors are regulated by their own stringent cybersecurity regulations. Examples include the Saudi Monetary Authority’s Cyber Security Framework, the Capital Markets Authority’s (CMA) Cybersecurity guidelines and the Cybersecurity Regulatory Framework (CRF) for IT service providers.

Given the swift pace at which strong cybersecurity governance is being developed at the national level, it is likely that the role of cybersecurity regulation in KSA will continue to expand. If they aren’t already ‘all over it’, organisations should start preparing now!

As a side note, many of the current cybersecurity laws and regulations have overlapping requirements, which brings its own difficulties.

For the reader who understands cyber security control frameworks, you may find our recent blog on the topic, ‘Cracking the Code: Understanding Harmonised Cyber Security Control Frameworks,’ helpful. We also offer a dedicated Harmonised Control Library service to help organisations align compliance obligations with real-world operational needs.

Strong Cyber Risk Management is Non-Negotiable

Compliance with cybersecurity regulations is only part of the picture.

Ultimately, to remain viable, our approach to cybersecurity should align with our strategy to risk, in terms of our business risk appetite, our cyber threat profile, the degree to which we are vulnerable, and the resources available for cybersecurity. While much of this will inherently be centred on our own organisation, we mustn’t forget that our organisation may, in turn, be systemically important to others, so fit-for-purpose risk management can get complex.

The possible ‘leakage’ of cyber risk between suppliers and their clients (and vice versa) is key here. We no longer live in a world where we can put our metaphorical arms around the entirety of our organisation and protect it as we see fit. Interconnectivity between organisations is a reality of the modern world, and so we mustn’t forget that what is my cyber risk may also be your cyber risk. Cyber risk management techniques (and regulations) are increasingly focusing on this aspect.

Cyber Regulatory Compliance and Risk Management are Slowly Converging

Cybersecurity regulation and risk management are slowly converging. Emerging regulations – such as the EU’s NIS2 and the UK’s forthcoming Cyber Security and Resilience Act – require that your organisation’s cyber risk profile should shape how you comply with the regulation. One reason for this is that if every organisation were to apply every aspect of every cybersecurity regulation with the same degree of rigour, bottom lines would soon be creaking, which in turn would undermine economic growth.

Note that these same regulations also require you to consider your own systemic importance to other organisations (such as providers of financial services) and to have cyber risk oversight of your suppliers. In short, you must be able to demonstrate that you have applied a rigorous risk assessment technique, can evidence results of the risk assessment process, and have arrangements in place to monitor your cyber risk profile over time.

When it comes to this risk-based dimension to cybersecurity and its relationship with cyber regulation, there is every indication that KSA will follow suit.

Small and medium-sized enterprises (SMEs) are the backbone of the European economy. They account for approximately 99% of all businesses in the EU, employ close to 100 million people, and generate over half of the region’s economic output. Yet despite their critical role, businesses including small healthcare providers often lack the dedicated cybersecurity infrastructure found in larger organisations, leaving them more exposed to digital threats.