With abundant energy reserves, ambitious national government initiatives, and major organisations based in the region, the Middle East has always attracted plenty of attention, and with Expo 2020 coming to Dubai in two years, that focus is only going to increase. Unfortunately, this also includes cyber-attacks, and many organisations in the region are struggling to cope with increasing threat levels.
According to Sam Olyaei, principal research analyst at Gartner, companies in the Middle East all too often underestimate or misunderstand the security threat: "Most organisations want to prevent an attack, and they spend all of their resources trying to do so. That is not the right approach - in this digital age, it is no longer a case of whether you will be breached, but a case of when this will happen and being able to manage the impact of such an attack."
The impact of attacks can be severe. According to Cisco's 2018 Security Capabilities Benchmark Study, 94% of companies in the Middle East and Africa suffered a breach in the past year, in line with a rise in breaches globally, and 48% of attacks in the region resulted in damage over $500,000.
"The escalating number of data breaches and advanced persistent threats, and the publicity around hacks are making users even less confident that their sensitive data and privacy will be protected," says Fady Younes, cyber security director - Middle East & Africa, Cisco.
"Middle East organisations need holistic data protection strategies and solutions to prevent, contain, and remediate data breaches."
Rather than trying to focus on prevention strategies, companies should shift their investment to detection and response, and make decisions based on the risks that they face within the enterprise.
"We see a lot of organisations take a checkbox approach to security, but that doesn't provide a true picture - they need a clear understanding of what risk they are facing if data is compromised and more importantly, they have to mitigate these risks based on their own risk appetite, not what is happening around them," says Olyaei.
However, the problem becomes more pervasive for organisations today as they are increasingly becoming part of digital ecosystems, linking them with their customers, partners and suppliers in ways they haven't done before. "Companies today are collecting a much greater range of information about their customers, using apps and methods that didn't even exist a few years before - making it harder for them to know what risks they are facing," says Olyaei.
"Information has never been more readily available and transmittable. Businesses, especially banking and financial organisations, are increasingly processing and exchanging individual data electronically and across borders," says Hussam Sidani, Symantec regional manager - Gulf Enterprise.
"With each passing year, not only has the sheer volume of threats increased, but the threat landscape has become more diverse, with attackers working harder to discover new avenues of attack and cover their tracks while doing so. From attackers using illicit coin mining as a revenue source, to injecting malware into the software supply chain and exploiting legitimate and commonly used software, there is no shortage of ingenuity to infiltrate organisations."
While Sidani points out that the UAE government has gone to great lengths to keep its data and citizens safe, and to make businesses aware of the need to safeguard people's data, the UAE ranks high in the region for crypto mining, malware, phishing and web attacks.
According to Symantec's research, nearly three quarters of all targeted attacks start with a phishing message, as attack groups look to gather confidential information.
Unfortunately, organisations still seem unprepared for such tactics, with research from Mimecast showing that 20% of C-level executives sent sensitive data in response to a phishing attack, and 49% of companies admitting that their management and finance teams aren't knowledgeable enough to identify and stop an impersonation attempt.
Employees are "the easiest route into an organisation," says Jeff Ogden, general manager, Mimecast Middle East. "Phishing and other social engineering tactics have evolved into highly advanced attacks that are difficult to spot. Increased reliance on technology for government, business and citizens demands a greater focus than ever before on securing the human."
"Lack of IT security awareness among staff remains a worrying reality for businesses," says Amir Kanaan, managing director of Kaspersky Lab for the Middle East, Turkey and Africa.
According to a recent study conducted by Kaspersky Lab and B2B International, only 18% of employed respondents in the META region are aware of the IT security policies and guidelines set in their workplace. "This, combined with the fact that 40% of employees consider protection from cyberthreats a shared responsibility, presents additional challenges when it comes to setting the right cybersecurity framework," Kanaan adds.
While Gartner encourages organisations to invest in people and processes, rather than buying technology for the sake of buying it, Olyaei points out that "the skills market is also proving extremely challenging for organisations here, as in many cases they simply can't find the skills that they want - they just don't exist in the region, and this issue is even more pervasive on a global scale."
The research analyst adds that to address this, organisations have to optimise their security functions operationally, and invest in a range of programs to develop the current staff that they have.
As the region sees increasing smartphone penetration and greater deployment of Internet-of-Things (IoT) technologies, cyber security is only going to increase in importance. For instance, Fortinet research shows that cyber-criminals are increasingly targeting IoT devices - which tend to be always on and connected - to deploy cryptomining malware.
"Security risks continue to grow, and understanding the risks you face and the tactics your cyber enemies are using is critical to developing and implementing an effective and adaptive security strategy," says Kalle Bjorn, director, systems engineering, Fortinet.
The good news is that organisations seem to be waking up to the issues around data security, helped in part by new regulation such as the EU's General Data Privacy Regulation, which came into force in May (see box).
"GDPR is clearly having a substantial impact on the regional security market, as companies increasingly understand that they need to address issues like data privacy - something many organisations hadn't previously considered," says Gartner's Olyaei. Gartner is seeing double-digit growth in data security spend and an increase in demand for security services, particularly outsourcing, managed services and consulting, as a result of the increased awareness of data security issues related to regulations such as GDPR.
Olyaei highlights the speed at which British Airways recently reacted to a security incident. After BA discovered last month that 380,000 passengers had been affected by a hack on its website and mobile app, it announced the information within three days.
By contrast, Dubai-based ride sharing platform Careem waited three months before revealing that personal data of up to 14 million people in the region had been stolen in January.
While the full impact of data security regulations such as GDPR remains to be seen, awareness of the importance of data security seems to be firmly on the up.
"Cyber Security is finally becoming a 'top of mind' business objective, with many organisations making the Board hold accountability, which makes sense considering a large security breach/incident doesn't only affect finances and productivity but can severely damage customers' trust towards the brand," says Cisco's Younes.