The growing significance of cyber-risk management in SMEs: a focus on the Middle East

The growing significance of cyber-risk management in SMEs: a focus on the Middle East

Security planning is a must for small- and medium-sized enterprises (SMEs) as they continue to face a complex and evolving cyberthreat landscape. This feature focuses on the landscape in the Middle East, where technological acceleration in the region dominates business decisions, and cybercriminals are taking advantage of vulnerabilities in SMEs’ systems, networks and processes. Daniel Caban, Regional Leader – META, Mandiant Consulting (now part of Google Cloud), tells us more about cyber-risk management and why it is so important.

As businesses in the Middle East continue to dive deeper into Digital Transformation, cyber-risk management has become a crucial component of business strategy. With the rapid expansion of technology, vulnerabilities in cyber infrastructure are constantly exposed, making businesses susceptible to cyberattacks and data breaches.

Middle East-based SMEs increasingly face a complex and evolving cyberthreat landscape. Technological acceleration in the region dominates business decisions, and cybercriminals are taking advantage of vulnerabilities in SMEs’ systems, networks and processes. Mandiant’s recent Global Perspectives on Threat Intelligence report highlighted that despite the widespread belief among Middle East respondents that understanding the cyberthreat actors who could be targeting an organisation is important (94%), 83% stated that their organisations make most or all of their cybersecurity decisions without insights into the threat actors that are targeting them. To effectively manage these risks, SMEs must better understand and proactively address cyber-risk within their organisations, leveraging intelligent technologies and strategies.

The Middle East has witnessed an increase in cyberattacks in recent years. In 2020, the United Arab Emirates recorded a 250% increase in cyberattacks compared to 2019, according to its Telecommunications Regulatory Authority. This further underscores the need for businesses to adopt proactive cyber-risk management strategies.

Why is cyber-risk management as important as other business concerns?

Cyber-risk is in some ways no different from any other business risk. It is an aggregation of the threats and vulnerabilities present across a company, any of which could lead to financial loss, reputation damage and regulatory concerns. In a rapidly evolving threat landscape, companies must defend themselves against cybercriminals motivated by financial gain and nation states intent on economic disruption, espionage and the targeting of critical infrastructure. A majority (79%) of respondents to Mandiant’s survey said their organisation could focus more time and energy on identifying critical trends within cybersecurity, while 98% said they need to be faster at implementing changes to their cybersecurity strategy based on new intelligence.

Key security decision-makers understand the importance of threat intelligence and make better decisions when they have it. However, SMEs in the region often lack the resources and expertise to effectively manage cyber-risks, making them attractive targets. The rapid adoption of digital technologies, such as cloud services, remote work and Internet of Things (IoT) devices, increases the attack surface and introduces the risk of new vulnerabilities. As someone with extensive experience in the Middle East market, I have witnessed firsthand the devastating impact of a data breach. The average cost of a data breach in 2020 was approximately US$6.53 million, emphasising the gravity of the situation for public and private sector to take proactive steps to enhance cybersecurity measures and stay ahead of potential threats. Moreover, businesses in the region have started investing heavily in cybersecurity solutions and training their staff to identify and respond to potential threats.

What exactly is a cyber-risk profile?

Cyber-risk profiles assess a company’s exposure to attacks, vulnerabilities and potential consequences of security incidents. It shapes cybersecurity strategy by identifying and managing digital risks and helps evaluate key factors, including assets, threats, likelihood, impact, controls and risk tolerance.
Assets include critical digital components, such as hardware, software and data. Threats refer to external and internal actors capable of exploiting digital vulnerabilities. Likelihood estimates the probability of threats materialising, while impact assesses the potential consequences of successful attacks. Controls evaluate existing security measures, highlighting areas for improvement. Risk tolerance defines acceptable risk levels.

With a cyber-risk profile, companies can allocate resources effectively, implement better security measures and develop a proactive cybersecurity strategy aligned with business objectives and risk tolerance, ultimately minimising the likelihood and impact of incidents. While information overload is clearly identified as a challenge for almost every organisation based on the above, nearly half (47%) of respondents to Mandiant’s report said applying intelligence effectively throughout an organisation was one of the biggest challenges they faced when using threat intelligence and 38% said another was knowing what to do with the information.

Cyber-risk management framework implementation

A comprehensive cyber-risk management framework (CBRMF) provides a structured approach to identifying, assessing, mitigating and monitoring cyber-risks within a company. A CBRMF helps organisations understand their exposure, make informed decisions and allocate resources effectively to minimise the likelihood and impact of cyber incidents. The critical outcomes of such a framework include implementing technical controls, developing security policies, educating employees, creating incident responses and Business Continuity plans and, ultimately, continuous risk monitoring with regular reporting.

By incorporating this framework, companies can proactively address cyber challenges, align security efforts with business objectives and enhance resilience in the face of an ever-evolving threat landscape.

Embedding cyber-risk management into company culture

A company’s culture can benefit significantly from embedding cyber-risk management, particularly when it comes to smaller businesses where you have a more close-knit and personalised working culture. In most SMEs, digital asset management is less stringent than in large-scale corporations that have a robust IT division, becoming prone to a lax sense of security. According to the Mandiant report, only 35% of respondents said their company has a comprehensive level of understanding about different threat groups and their tactics, techniques and procedures (TTPs). A strong security culture ensures employees understand their role in protecting digital assets and are aware of risks. It fosters a proactive approach to cybersecurity, where recognising and reporting threats, following security policies and adopting safe online practices is second nature. This can reduce the likelihood of incidents resulting from human error, negligence or insider threats. It also enhances overall resilience, enabling better adaptation to threats and minimal impact on operations and reputation.

The Role of Leadership

Leadership plays the most critical role in promoting a culture of cyber-risk awareness. Particularly with SMEs which follow a strong ‘leading from the top’ attitude, leaders set the tone on approaching cybersecurity, with a proactive, risk-based mindset.

They are responsible for allocating resources, setting priorities and establishing a strategic cybersecurity vision that aligns with business objectives. By supporting continuous security awareness training, they ensure teams are equipped with knowledge and skills to recognise and report threats, adhere to security policies and practise safe online behaviour. This is a crucial consideration, given that 67% of the survey respondents believe their senior leadership team underestimates the cyberthreat to their organisation. In fact, respondents from the Middle East are most likely to lack faith in their senior leadership’s knowledge of cyberthreats (68%).


The importance of cyber-risk management in today’s business landscape, and in particular to the fast- growing regional SME market, cannot be overstated. To protect financial interests, maintain customer trust, and comply with regulatory requirements, businesses must prioritise cybersecurity measures and invest in robust management strategies. The resulting threat intelligence can be used to anticipate threats before they become a problem and deal with them more effectively.

Click below to share this article

Browse our latest issue


View Magazine Archive