Site Search

Menu

Media & insights

Menu

Blogs & Articles

Menu

Radio & TV interviews

Featured

25th CEO Survey: Middle East findings

The New Equation

Loading Results

Digital Trust Insights 2022 - The KSA perspective

KSA companies have leading cybersecurity strategies in several areas, but there might still be work to do.

Saudi Arabia is going through a period of unprecedented change, as organisations embrace rapid digitisation and growth opportunities, spurred on by investments linked to the Vision 2030 national transformation programme and the post-COVID-19 economic recovery. Against this backdrop, cybersecurity is an ‘always on’ critical issue for all large organisations. With an increasing number of KSA companies participating in the latest PwC Global Digital Trust Insights Survey, the results highlight how  organisations in the Kingdom are responding to intensifying cyber threats.

Globally, the survey indicates that cybersecurity is very high on corporate agendas: more than two thirds of companies (69%) worldwide predict a significant rise in spending on cybersecurity in 2022, and more than 50% expect reportable cyber breaches to surge next year. 

Companies in KSA are just as concerned as their global peers about the anticipated increase in cyber breaches across the board, and expectations for growth in some specific types of cyber crime are higher than the global average. Saudi businesses are particularly concerned about cyber attacks from nation states (59% of respondents), from competitors (62%), and also from past employees (54%) who may have retained privileged access to corporate systems. 

Yet the focus of the survey goes beyond the shape and source of specific cyber attacks. The responses concentrate on the proactive steps companies should be taking to prepare for continued growth in cyber threats, with special attention paid to the importance of reducing complexity and the associated cyber risks it brings, and best practice in managing data and limiting supply chain risk. 

These are the strategic areas that all companies should have under continual review:

  • Are you securing against the most important risks today and tomorrow using data you can trust?  

  • How well do you understand the risks posed by third parties in your supply chain? 

  • Is the CEO and C-suite leadership driving change and simplification and enabling the organisation to do the same?

The route to better cybersecurity investments

The overall cybersecurity readiness data from KSA companies does not differ greatly from the responses of global companies, and organisations everywhere report a significant challenge in maximising the return on their cybersecurity investments. For example, almost half of companies worldwide are still close to the start of the process of cybersecurity control implementation. Around a third have implemented advanced controls at scale, but less than one fifth of global companies say they have actually realised the benefits of cybersecurity implementation.

The survey also shows that the top 10% of companies (measured in terms of the four most important cybersecurity factors - CEO engagement, a streamlined organisation, managing data and understanding third party risks) are more than twice as likely as others to report significant progress towards meeting their cybersecurity goals. Here, we take a detailed look at the progress KSA companies are making in these areas. The survey results are drawn from a number of large organisations in the Kingdom.

 

The importance of CEO support

KSA companies are leading the way with  high reported levels of CEO engagement and leadership on cybersecurity – a positive measure of cybersecurity readiness. The level of support offered by Saudi CEOs runs higher than the Middle East region average and also higher than the global average.

For example, 41% of Saudi companies report significant CEO support in embedding cyber and privacy concerns in key operations compared to only 30% of global companies, and similarly  for a cyber-proficient culture throughout the organisation. Almost half (47%) of Saudi CEOs are considered to be significant contributors to inspiring the cybersecurity team, compared to only 28% of global companies.

 

Gaining the edge with data

High-quality data, security controls and review of threats make up the cornerstones of an organisation’s readiness and resilience in response to cyber threats. When asked about the real time visibility of cyber controls in the organisation, KSA companies were markedly ahead of both global and regional respondents. Some 64% of companies utilise real time automated data – which gives the most efficient and complete 24/7 readout on threats – compared to 47% of companies in the Middle East region and 55% of companies globally. 

For KSA companies, best practice in data management has become increasingly important with the implementation of the new KSA Personal Data Protection Law in September. The Law introduced strict obligations on data sharing and data sovereignty and which requires companies and government entities to notify the Regulator of any data breaches or leaks of personal data they hold.

Too complex to secure?

It is widely recognised that complexity is an important factor in an organisation’s cyber vulnerability. In a growth phase, companies may develop systems and supply chains at a pace that outstrips their ability to manage the cyber risks that complexity always brings. And many KSA companies are in exactly such a growth phase thanks to the investment surge that has accompanied the Vision 2030 national transformation programme. 

Where there is complexity there also has to be cyber awareness and risk mitigation, and the 2022 survey results highlight some specific areas for organisations in the Kingdom to address. Compared to global responses, KSA companies have a higher tolerance of complexity overall. They are less likely to have reduced redundancies in their processes, and at the same time are more likely to consider that their levels of complexity are acceptable across a wide range of corporate processes. 

The survey finds that reducing complexity is a long-term challenge and to achieve improvements they will have to consolidate technology vendors, redefine the mix of in-house and managed services, and move processes to the cloud to provide more flexibility and accelerate innovation.

 

Securing the supply chain

The way forward

The 2022 survey results make clear that the companies achieving better cybersecurity outcomes are those companies that have leaders that drive cybersecurity principles right through the organisation, hire the right cybersecurity talent and empower them, prioritise actions according to data and analysis, and that continually seek to uncover blind spots in their processes and relationships. 

These are the ‘Four Ps’ – Principle, People, Prioritisation and Perception. They need to be watchwords for companies everywhere, but for KSA companies they have a special resonance. The surge of investment and growth that is being driven by Vision 2030 is also bringing with it greater organisational complexity as new markets, new processes and new technologies are added. These investments bring opportunities but also introduce the risk of complexity, which cyber attackers thrive on .

The survey shows that KSA companies have already taken ownership of cybersecurity issues in line with many of their global peers. The next steps are to reduce complexity in the supply chain and within the organisation to build further protection against the rise in cyber attacks.

Securing the supply chain

There is ample evidence to suggest that many cybersecurity threats arise not inside the organisation but in the extended supply chain, where managing third party security postures and controls is intrinsically more difficult than managing internal issues. To understand supply chain cyber risks, companies must assess and manage risks from direct suppliers of software, hardware or cloud services, and the so-called ‘Nth Party’ risks that may be generated by lower tier suppliers to upper tier vendors. 

In KSA the picture is mixed, but companies do appear to be reporting knowledge gaps in specific areas of concern: for example Saudi companies are somewhat more likely than their global peers to report they have only anecdotal understanding and no formal assessments of Nth Party risks, and they are markedly more likely to say the same of software supply chain risks: 31% of KSA companies report only anecdotal understanding compared to 19% of global companies. 

In addition to their awareness of knowledge gaps, companies in KSA also report taking a higher level of action to reduce third party complexities and risks. Saudi companies are more likely than their global peers to have worked with suppliers to improve their cybersecurity (54% of Saudi companies, compared to 42% of global respondents). They are also more likely to have taken the final step of exiting relationships with third parties to limit risk (44% of Saudi companies compared to only 30% of their global peers).

The way forward

The 2022 survey results make clear that the companies achieving better cybersecurity outcomes are those companies that have leaders that drive cybersecurity principles right through the organisation, hire the right cybersecurity talent and empower them, prioritise actions according to data and analysis, and that continually seek to uncover blind spots in their processes and relationships. 

These are the ‘Four Ps’ – Principle, People, Prioritisation and Perception. They need to be watchwords for companies everywhere, but for KSA companies they have a special resonance. The surge of investment and growth that is being driven by Vision 2030 is also bringing with it greater organisational complexity as new markets, new processes and new technologies are added. These investments bring opportunities but also introduce the risk of complexity, which cyber attackers thrive on .

The survey shows that KSA companies have already taken ownership of cybersecurity issues in line with many of their global peers. The next steps are to reduce complexity in the supply chain and within the organisation to build further protection against the rise in cyber attacks.

How well do you know the risks posed by your third parties and supply chain?

Less than half of the UAE respondents say they thoroughly understand their third-party cyber and privacy risks.

You can’t secure what you can’t see, and most respondents to the PwC 2022 Global Digital Trust Insights Survey seem to have trouble seeing their third-party risks — risks obscured by the complexities of their business partnerships and vendor/supplier networks. 

Among all UAE respondents, 59% expect an increase in reportable incidents in 2022 from attacks on the software supply chain, but only 44% have formally assessed their enterprise’s exposure to this specific risk. 

But the UAE respondents have started taken action to minimise third-party or supplier risk: 

  • refining their criteria for onboarding and ongoing assessments of third parties (62%)

  • rewriting contracts with certain third parties to mitigate their risks (56%) 

  • providing knowledge-sharing or assistance to third parties shore up their cybersecurity postures (51%).

An organisation could be vulnerable to a supply chain attack even when its own cyber defences are good, with attackers simply finding new pathways into the organisation through its suppliers. Detecting and stopping a software based attack can be very difficult, and complex to unravel. That’s because every component of any given software depends on other components such as code libraries, packages and modules that integrate into the software and are necessary for its operation.

However the more complex the connection, the harder it becomes to see the risks buried within.

71% of Middle East consumers have become more healthy during the pandemic

As with their counterparts globally, COVID-19 has dramatically increased awareness of health and wellness among Middle East consumers. In the 2020 Global Consumer Insights Survey, more than half (58%) of respondents said they were making time each week to improve their health and general wellness and adopt a better diet. This rising health consciousness is reflected in our Pulse 2 results, particularly in Saudi Arabia where 79% of consumers said they have become more healthy. 

When shopping for groceries, 41% of respondents say that they are willing to pay more for healthier options. Surprisingly, men are more likely to pay for healthy grocery options than women – 45% vs. 41%. Responding to this demand, food retailers in the region are increasing their range of healthy or diet products.

Find out more

65% of Middle East consumers have become more eco-friendly during the pandemic

COVID-19 has reinforced the growing awareness of Middle East consumers about social and environmental sustainability. Overall, seven out of 10 Middle East shoppers say that they engage in sustainable behaviours, with respondents from the region consistently outscoring the global survey participants on a range of questions in this area.

It is interesting to note that this environmental consciousness has seen an uptick from our Pulse 1 survey – at the time six out of 10 consumers agreed with our sustainability statements – and that younger, Generation Z, consumers are less likely to agree with those statements. In fact, the older the shopper the more likely they are to care about sustainability.

Consumers who are not prioritising sustainability, believe there is a lack of sustainable options (39%), that the quality of those products is inconsistent (36%) or that they are priced too high (35%).

With social and environmental sustainability more in focus than ever before, retailers need to rethink how they approach these considerations and ensure they are committed to environmental, social and governance (ESG) factors before governments start regulating them.

Find out more

Related content

{{filterContent.facetedTitle}}

Contact us

Matthew White

Matthew White

Partner, Digital Trust Leader, PwC Middle East

Tel: +971 056 113 4205

Linkedin Follow Email
Simone Vernacchia

Simone Vernacchia

Partner, Digital & Technology Consulting, PwC Middle East

Tel: +971 4 304 3203

Linkedin Follow X Follow Email
Follow us
Issues Navigating data privacy regulations New world. New skills. Responding to the potential business impacts of COVID-19 Doing Business in the Middle East VAT in the Middle East Megatrends Now: The need to ADAPT
Services Assurance and Audit Consulting Deals Entrepreneurial & Private Business PwC's Academy Tax and Legal Strategy&
Industries
Banking and Capital Markets Consumer Markets Energy, Utilities & Resources Financial Services Government/Public Services
Health Industries Industrial Manufacturing Real Estate Transportation and Logistics
About us PwC office locations in the Middle East Our purpose and values Corporate Sustainability Code of conduct Transparency reports Health, Safety and Environment Policy Third party code of conduct PwC’s global human rights statement Alumni
Publications
Careers Graduate & undergraduate careers Experienced careers Opportunities for Omani nationals Opportunities for Saudi nationals PwC's Watani Graduate Programme for UAE Nationals
Media centre Press releases Articles and blog posts TV and radio interviews

© 2017 - 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details.