Cybersecurity challenges loom for UAE organizations

News Desk

By Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint

The past year was a busy one in the world of cybersecurity. Ransomware continued to wreak havoc across the globe as new and increasingly devastating attacks confronted organizations of every size and across every industry. According to estimates, over 40 companies in the GCC region fell victim to ransomware attacks between 2021 and 2022.

It’s no wonder that security professionals around the world are worried about what’s next. Proofpoint’s 2023 Voice of the CISO Report found that most CISOs have returned to the elevated concerns about cybersecurity that they experienced early in the pandemic. This year, 75% of CISOs surveyed in the UAE feel at risk of a material cyberattack in the next 12 months, compared to just 44% the year before. Sentiments about preparedness levels have also reversed, as 57% felt unprepared to cope with a targeted cyberattack, a moderate increase over the previous year.

People risk is a growing area of concern. Poor or non-existent cybersecurity training for employees creates weak points through which threat actors can infiltrate organizational infrastructure. Email and the cloud are today’s primary attack vectors for ransomware, business email compromise (BEC), phishing and other threats.

There are several types of BEC. In CEO fraud, attackers position themselves as the CEO or another executive of a company and typically email an individual within the finance department, requesting that funds be transferred to an account controlled by the attacker. In account compromise, an employee’s email account is hacked and used to request payments to vendors; the payments are then sent to fraudulent bank accounts owned by the attacker.

The pandemic also brought new risks for many Middle East organizations. As hybrid work became the norm, employees were working further outside of their organization’s traditional security perimeters, accessing corporate networks using personal devices, and moving from place to place. Attackers exploited this to breach customer systems, steal confidential data, or install ransomware to trigger a wave of phishing or email fraud attacks. 

In addition, pandemic-related job mobility resulted in workers changing or leaving jobs at higher rates than before, making it difficult for organizations to protect data and resulting in data loss due to insider action. According to Proofpoint’s 2023 Voice of the CISO Report, 47% of security leaders in the UAE reported having to deal with a material loss of sensitive data in the past 12 months, and of those, 75% agreed that employees leaving the organization contributed to the loss.

Unsurprisingly, there is an increase in the number of CISOs in the UAE who view human error as their organization’s biggest cyber vulnerability—59% in this year’s survey vs. 50% in 2022 and 70% in 2021. At the same time, 56% of CISOs believe that employees understand their role in protecting the organization, compared to 51% in 2022 and 69% in 2021; this illustrates a struggle to build a strong security culture.

A proactive approach to preventing insider fraud is vital: organizations need to monitor collaboration tools for warning signs and stop fraud before it occurs. This will be especially critical for the UAE as the country aims for digital transformation to add an average of AED100 billion per year in value to the economy.

Security culture is an essential part of any organization’s cybersecurity strategy. It can help create sustained behavior that transforms people from targets to a strong last line of defense. By building a people-centric approach to compliance and security and strengthening data protection against external sources of risk, organizations can accelerate response to risky behavior. 

This includes training users to identify and report suspicious impostor email, as well as imparting the knowledge and skills needed to protect the organization from human-activated threats. For example, warning users when a message is sent from an external sender or a newly registered domain can help them make more informed decisions about uncertain email.

Business continuity depends on information protection. To sustain continuity, businesses must be able to successfully recover from a cybersecurity event. The time it takes for a business to recover from downtime impacts revenue. In addition, downtime can affect future revenue growth and damage the brand. Therefore, layered defenses are critical to ensuring that UAE organizations are well protected against threats that focus on people as the main perimeter.

