Organisations across the Middle East are investing vast sums in digital technology to future-proof themselves and make sure they are competitive in an increasingly digital economy. However, without making similar investments in the security of all those laptops, modems and servers they are leaving themselves wide open to a potentially very costly cyber attack, say experts.

Much like the hurricanes that sweep through tropical countries wreaking havoc and causing misery, cyber attacks are now so infamous they are being given names. Locky, WannaCry and NotPetya are all large-scale international ransomware attacks that have been initiated with malicious intent during the past couple of years.

Last year researchers at the University of Illinois in America conducted an interesting cyber security experiment, involving dropping USB sticks on the ground around their campus. Almost all (98 per cent) were picked up and people opened files on 45 per cent of the sticks, sometimes within six minutes of the device being left on the ground.

When asked why they had accessed the files, the majority (68 per cent) said they were trying to locate the drive’s owner, although 18 per cent admitted they had given in to curiosity. This is precisely the kind of method hackers could use to initiate a damaging and expensive cyber attack.

A KPMG study showed that a third of all UAE organisations suffered cyber security breaches in 2015 and Oxford Economics reported that the average large business loses £120m (US$156m) when it is hit by a hacking attack. So how can HR work alongside the IT professionals to make an organisation more secure?

Consultancy firm PricewaterhouseCoopers’ report ‘Cyber security in the Middle East: A strategic approach to protecting national digital assets and infrastructure’ suggests that waiting for a government-approved plan of action on cyber security is impractical.

“Every national government in the region is striving to create a secure digital environment, but too often these efforts are fragmented, tactical, and reactive,” said the report. “Consequently, governmental responses often lag behind the ever-evolving threat and the defensive measures taken are circumvented or exploited.”

Bringing in the right IT professionals to stay ahead of the cyber security curve is part of where HR comes in. Making sure new staff are aware of IT security protocols should be considered just as important as (if not more important than) an induction day to find out more about the company’s corporate values and culture.

“Businesses need to be aware that hackers are after a company’s most valuable asset – data,” Sebastien Pavie, enterprise & cyber security director for Middle-East, Africa & Turkey at digital security experts Gemalto told the Saudi Gazette. “It’s important to focus on protecting this resource, otherwise reality will inevitably bite those that fail to do so.”

Pavie believes that many Saudi organisations are making the mistake of thinking they’re more secure from cyber attacks than they actually are. Many are not taking adequate steps to be compliant with the General Data Protection Regulation (GDPR) act, which comes into force in May 2018. Security protocols such as encryption and two-factor authentication will become mandatory.

“Investing in cyber security has clearly become more of a focus for businesses in the last 12 months,” he said. “However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cyber security will face severe legal, financial and reputational consequences.”

Earlier this year, Research and Markets published a report predicting the Middle East's cyber security market will almost double in the next five years, from US$11.38bn in 2017 to $22.14bn by 2022. It also projected that investment in cyber security across all sectors would grow at an average of 14.2 per cent per year. This could lead to cost-cutting measures in other areas of business operations, another dilemma for HR to consider.

The Geneva Centre for Security Policy (GCSP), in its paper ‘Cybersecurity challenges in the Middle East’, recommends cyber security becomes part of higher education. This could prevent those who are about to enter the workforce from being the source of a security breach in their first job out of university.

“It is crucially important to build competencies in information management and governance and the techniques of cyber security into higher education programmes on two levels,” said the GCSP.

“The first is the technical level, where students learn the basic techniques of information management and cyber security as part of computer studies.

“The second is the training of managers who may not be computer technicians themselves, but will be responsible for the management of those carrying out technical processes. These managers should increase their understanding of the management of information and above all the principles of information governance to prevent unauthorised access to secure information.”

For those already in the workforce with university years long since passed, another approach is needed. With that in mind, PwC has designed Game of Threats, a digital game designed to mimic a cyber attack on an organisation, as a learning tool for clients.

“[Game of Threats] engages people in a scenario, in a playful, gamification of cyber security,” says Anthony Bruce, HR consulting partner at PwC. “It’s about engaging people in a way that is stimulating, fun, not traditional – not sitting in front of a screen pressing buttons.”

Professional training like this is also a recommendation of the GCSP’s report, in addition to university training. “Cyber security is a rapidly evolving field and therefore updating knowledge is a vital part of building and maintaining competence levels,” said the GCSP.

“It is important to ensure that both technical and management personnel have the relevant qualifications. This in itself is an important part of maintaining security. Whereas universities have their own degrees and diplomas, corporations and governments need an equivalent range of professional qualifications, which could be offered through professional certification bodies.”
