Mideast averages 260 days to plug data breach
Lack of IT security professionals behind the region’s lengthy response times, according to Gartner
The Middle East takes an average of 260 days to identify and contain a data breach, the highest in the world, an industry analyst said yesterday.
Sam Olyaei, principal research analyst at Gartner, said that this is due to the lack of skilled security professionals.
“The ongoing skills shortages are driving demand for security services, particularly security outsourcing, managed security services and security consulting. The skills shortage may expose organisations to undue risk that increases the likelihood of a breach,” he said.
“[The] number of attacks are down year-on-year, but a number of publicly disclosed attacks have increased. Organisations are facing challenges from regulatory authorities in the Middle East and North Africa to comply with certain security controls in order to keep the entities protected,” he said.
Moreover, he said the GCC is the third-highest spender on security after North America and China, but chief information officers (CIOs) and chief executive officers (CEOs) are spending their money on the wrong things, such as futuristic technologies, as opposed to focusing on basic infrastructure.
GDPR’s effectiveness
“Privacy regulations are going to increase, especially in this region, with the EU’s General Data Protection Regulation (GDPR) taking effect,” he said.
GDPR is a law imposed by the European Union to safeguard personal data. It sets out key rights for individuals, one of which is the right to be informed of what personal data a company holds on them. Among other rights, the law gives individuals rights over their personal data and how it is used. The law went into effect last May 25.
A company is required under GDPR to reveal a breach within 72 hours through the proper channels; penalties for noncompliance could cost organisations upwards of €20 million (Dh84.56 million) or 4 per cent of yearly worldwide revenue, whichever is higher.
Olyaei said the problem is for regions like the Gulf Cooperation Council (GCC). “How much jurisdiction does the EU have in the Middle East? Since the GDPR came into effect, we haven’t seen any regulatory audit from the EU into the Middle East,” he said.
Aleksandar Valjarevic, head of Solution Architecture at Help AG, said that it is difficult to comment on how enforcement of GDPR regulations could work in the Middle East. “What we can say is that any organisation that operates in the EU or intentionally and knowingly processes data of EU citizens and residents would fall under the auspices of GDPR and can be fined by the EU authorities,” he said.
Can the EU authorities enforce GDPR in the Middle East or fine a UAE company? “We don’t know yet. What they can say is that if a UAE company does not comply with the rules, they may not be allowed to operate in the EU,” Olyaei said.