The Threat and the Internet: We need to do more


After high-profile cyber-attacks worldwide, from Sony Pictures to Saudi Aramco, few Middle Eastern corporate leaders can be unaware of the risks facing their organizations owing to weak cybersecurity. The question for many is what to do about it. We believe that many organizations in the Middle East can and should do more. The starting point for this is a recognition that cybersecurity is no longer just a problem for the IT department.

 

A recent study from global research firm Frost & Sullivan has found that the Middle East cybersecurity market will nearly double in size to $10 billion over the next four years, as organizations increase their efforts to achieve greater cybersecurity.

 

This compares to a global cybersecurity spend projected to rise to $170 billion over the same period.

 

Certainly, the first and most important step for any organization is to take measures to prevent intrusions from occurring in the first place. Developing and maintaining adequate computer systems hygiene is the first line of defense in protecting organizations from being infiltrated by hackers.

 

The Center for Internet Security claims that up to 80% of cyberattacks can be prevented by good IT practices like:

• Maintaining an inventory of authorized and unauthorized devices;

• Maintaining an inventory of authorized and unauthorized software;

• Developing and managing secure configurations for all devices;

• Conducting continuous (automated) vulnerability assessment and remediation; and

• Actively managing and controlling the use of administrative privileges.

 

Unfortunately, blocking four out of every five attacks still leaves open the possibility that a substantial number of attacks will succeed. Attempted cyberattacks worldwide are counted in millions per day. Even when an organization does everything possible to prevent an attack, this is unlikely to be preparation enough.

 

Organizations need to be prepared for the worst-case scenario: a successful cyberattack on their network. Just as conducting regular fire drills can save lives in the event of a fire, preparing for the aftermath of a cyber-attack can make an enormous difference to how quickly an organization gets back on its feet and how well its leaders do in the spotlight if a major breach becomes public.

 

Damage from these attacks can span an organization. They can include the loss of intellectual property, destroyed or altered data, reduced public confidence, harm to reputation, disruption to critical infrastructure, interruption to the business, and legal and regulatory sanctions.

 

Since the effects are potentially so far-reaching, a vigilant attitude to cyber security needs to become embedded within the culture of an organization. This should be driven, led and prioritized by the C-suite.

 

Our advice is that organizations should set up a cross-functional team to develop and maintain resiliency to cyberattacks. This team should include representation from business leaders, marketing & communications, IT, finance, legal, risk, human resources, and others.

 

The team should begin by assessing the company’s cyber-risk profile, including the types of cyber-attacks to which the organization is vulnerable. Preventive measures can then be tailored to these risks. To go deeper, the team should then develop scenarios of how those attacks might play out, to identify in detail possible attack modes, targets, vulnerabilities, and impacts on the business.

 

There is no need for great precision in this exercise, only rough estimates that give enough sense of scale and types of potential harm to enable the team to put together a company-wide mitigation strategy and a plan for recovery. No one can know for certain, ahead of the event, how much damage a successful breach will cause in terms of lost revenue, reputational harm, or infrastructure damage.

 

A good recovery plan will detail communication and crisis management plans and operating strategies for various types of events, along with roles and responsibilities and external parties that will assist with remediation.

 

Having an action plan in place prior to an event has been shown to dramatically reduce the cost, time to recovery and reputational damage of a breach.

 

Even with the best preparation, it is important to realize that the effects of cyberattacks cannot be fully mitigated.

 

Having the right cyber insurance coverage in place can make all the difference in how an organisation performs in the days, weeks, and months following a successful attack. Cyber insurance can provide critical capital and expert assistance when a cyber security event occurs.

 

Companies may also want to consider directors and officers (D&O) liability insurance to protect leaders against claims of negligence following a breach. In addition, they may want to review their property, casualty, and business interruption coverage to ensure that sufficient protection exists in the event of a successful cyberattack on the company’s infrastructure.

 

My advice to any organization in the Middle East is to do everything possible to build your cybersecurity, but also prepare to fail. That way your company will be much better positioned to quickly recover from a successful attack when, rather than if, it comes.

 

About Aisling Malone

Aisling Malone is a senior underwriter with the role of PI and Cyber Leader for the MENA region. Within this role she leads and manages the MENA PI and cyber portfolios and implements regional product strategy. Aisling joined AIG Dubai in July 2011 as a Financial Lines Professional Associate with focus on commercial Management Liability and Professional Indemnity for Middle Eastern countries.

 

 
