Proofpoint: 83% UAE Employees Risk Cyber Threats

Proofpoint, Inc., among prominent players in cybersecurity and compliance, unveiled its tenth annual State of the Phish report. It divulges that 83% of employees in the UAE are knowingly jeopardizing their organizations, opening the door to ransomware, malware, data breaches, or financial loss. While globally successful phishing attacks have slightly waned, in the UAE, they are escalating. In 2023, 92% of surveyed UAE organizations fell victim to at least one successful attack, up from 86% the previous year. The repercussions have surged too, with a 44% uptick in financial penalties and a staggering 300% increase in reports of reputational damage.

This year’s findings challenge the conventional wisdom that risky behaviors stem from a lack of cybersecurity knowledge, and that security training alone suffices to curb unsafe actions. There’s a discrepancy between the belief of security professionals that employees grasp their responsibility for organizational security and the reality of employees’ actions, highlighting a gap between security technology and user education.

Emile Abou Saleh, Senior Regional Director for the Middle East, Turkey, and Africa at Proofpoint, emphasized, “Employees need to recognize their pivotal role in averting data breaches, malware, and financial loss. This isn’t just an IT issue. As traditional work models evolve, conventional data protection methods fall short. Organizations and staff must collaborate to fortify strategies, integrating controls across various fronts to safeguard against threats.”

The report delves into the current threat landscape, detailing how malicious actors exploit generative AI, QR codes, and multifactor authentication (MFA). This information is drawn from Proofpoint’s analysis of over 2.8 trillion scanned emails across 230,000 organizations globally and 183 million simulated phishing attacks over twelve months. It also sheds light on the perceptions of 7,500 employees and 1,050 security professionals across 15 countries, showcasing the disparity between security attitudes and real-world behaviors, as well as the state of security awareness initiatives.

Key findings from the UAE in Proofpoint’s 2024 State of the Phish report include:

• Employees aren’t acting recklessly due to ignorance: 86% of surveyed working adults admitted to risky actions, fully aware of the risks, with 83% of UAE employees knowingly undermining their organization’s security, citing convenience, time-saving, and urgency as main motivations.
• There’s a disconnect between IT teams and employees in driving behavior change: While 90% of security professionals believe employees understand their security responsibilities, 38% of employees aren’t sure or deny responsibility. Despite 97% of employees recognizing risks, there are disparities in perceived effectiveness between security pros and employees.
• MFA offers a false sense of security: Despite over one million monthly attacks bypassing MFA with EvilProxy, 94% of UAE security professionals still consider MFA foolproof.
• Business email compromise (BEC) attacks exploit AI: BEC attacks surged to 85% in the UAE in 2023, aided by generative AI crafting convincing, multilingual emails. Proofpoint detects an average of 66 million targeted BEC attacks monthly.
• Cyber extortion remains profitable: 77% of UAE organizations experienced successful ransomware attacks in the past year, with 80% agreeing to pay attackers, and 66% regaining data access after payment.
• Telephone-oriented attack delivery (TOAD) thrives: With 10 million TOAD attacks monthly, unsuspecting employees unknowingly provide credentials or remote access to malicious actors.

Despite the escalation of threats like ransomware, TOAD, and MFA bypass, many organizations lack adequate preparation or training. Only 13% educate users on TOAD attack recognition and prevention, and merely 21% on generative AI safety.

“Cybercriminals exploit human vulnerabilities, whether through negligence or malicious intent,” remarked Ryan Kalember, Proofpoint’s chief strategy officer. “Individuals are pivotal in organizational security, with 74% of breaches involving human error. Awareness is crucial, but behavior change is the real challenge.”