As enterprises in the Middle East explore different approaches to information technology and security, cybercriminals are also constantly evolving their attack vectors. As a result, the region’s cybersecurity landscape is continuously evolving.
Several Middle Eastern countries, most notably the UAE and the Saudi Arabia, have achieved significant progress in their digital transformation journeys in recent years, and are also prioritising cybersecurity as an enabler of their digital revolution.
Nevertheless, the threat of ransomware and other forms of digital attack are ever-present.
In the latest edition of the annual Hi-Tech Crime Trends report, our experts revealed that 150 companies in the Middle East and Africa (MEA) region had their data published by ransomware groups on dedicated leak sites (DLS) in H2 2021 — H1 2022, with 42 of these companies being from GCC countries.
MEA companies may make up only 5 per cent of the 2,886 enterprises whose data was published on DLS by ransomware groups in this period, but the financial and reputational damage of even a single ransomware attack can be extensive.
Gartner predicted in a recent study that in 2023, spending on products and services related to information security and risk management would grow by 11.3 per cent, reaching more than $188.3bn.
As more and more businesses are investing in solutions to safeguard their digital assets, the face of cybersecurity in the ME is changing. Below we examine the three key developments that will shape the industry over the coming months.
The shift to industry-driven innovation
The Middle East cybersecurity industry consists of multiple vendors and service providers, each with their own unique offering and solution roadmap, leaving enterprises with a myriad of options and solutions to choose from.
However, driven by spending and economic considerations, many organisations are focused on simplifying their security stacks and are moving away from buying multiple-point solutions.
This is particularly prevalent in regional governments, the banking, financial services, and insurance (BFSI) sector, along with telecommunications and oil and gas companies. These industries have prioritised cybersecurity and set up cybersecurity frameworks and compliance standards.
In light of concerns about operational complexity and the need to enhance risk mitigation, these companies understand the value of unified and integrated security solutions.
As a result, vendors are re-adjusting their offerings to serve these core industries. Comprehensive security platforms are the need of the hour, and this trend is accelerating consolidation across the industry. Therefore, there is a move towards industry-driven innovation rather than vendor-driven innovation. We expect that this will have a positive impact on the industry as organisations will be able to create a strategic vision for their integrated cybersecurity portfolio.
The widening cybersecurity maturity gap
As in many markets, buyers of cybersecurity solutions fall into three tiers. The first tier is characterised by highly proactive enterprises that prioritise cybersecurity and are advanced in adopting and deploying solutions. These buyers dictate the standards and are driving the industry-driven innovation we’re seeing today. They may also have dedicated security operation centers (SOC) and cyber defense centers (CDCs).
The second tier adopts cybersecurity solutions as a box-ticking exercise, often to ensure compliance with national or international laws. Finally, companies and organisations in the third tier are still trying to secure the resources and budget needed to keep up with the evolving compliance requirements.
Over time, we’ve observed that the gap between organisations at these different levels is widening, although this was not always the case. Around five to seven years ago, industry-wide adoption of modern cybersecurity solutions was still in its infancy.
However, the digital revolution marked a significant paradigm shift, with certain industries such as telecoms, critical national infrastructure (CNI), and the BFSI industries accelerating the adoption of advanced solutions and capabilities. These industries have invested significant human and financial capital into the security of their digital infrastructure.
The government and BFSI sectors in the UAE and Saudi are at the forefront of this transformation. As an example, the UAE Central Bank established a Networking and Cyber Security Operations Centre to help defend the financial system’s IT infrastructure against cyberattacks.
Moreover, the Saudi Central Bank has issued a cybersecurity framework to enhance the cybersecurity posture of financial institutions. This framework covers many aspects of cyber defense and protection, such as cybersecurity governance, risk management, compliance, and requirements for information assets.
Making security everyone’s problem
Organisations in the Middle East are paying greater attention to the human factor in cybersecurity, the importance of which cannot be overstated. This has caused a significant organisational shift wherein organisations encourage cross-functional collaboration between different departments.
CISOs have realised that regardless of how much their organisations invest in cybersecurity solutions such as Zero Trust Network Access (ZTNA) or cloud security solutions, it only takes a single employee’s action, such as opening a phishing link or mistakenly granting access, to open the door to a range of cyber-attacks.
Humans are considered to be the weakest link in the security chain. Historically, organisations provided computer-based training and certifications to employees. This, however, has proven inadequate in the context of today’s ever-evolving threat landscape, where malicious actors are constantly launching new attacks, with an ever-changing array of tactics, techniques, and procedures.
Therefore, organisations today are focusing on establishing a balanced security scorecard. This involves running assessments such as phishing tests, device security assessments, email vulnerability tests, and rating security across multiple risk factors.
At the same time, recognising the human factor, enterprises are taking ownership of their security and educating their employees on cyber hygiene practices. However, as such training is typically quite basic, it solves just one-half of their problem.
Businesses must also regularly upskill their IT and security teams and train them in cyber defense practices to ensure that they are up to speed with all current and future attack vectors.
Enterprises can also run incident response training, compromise assessments, and penetration testing exercises to prepare their digital infrastructure and test the preparedness of their people and processes.
Overall, regional organisations are now rethinking their approach to cybersecurity and placing significant emphasis on the integrity of their digital assets. The discussion around cybersecurity has now moved from the IT and security teams to the board room.
Organisations recognise the effect cybersecurity incidents can have on their bottom line and brand reputation and thus treat it as a KPI. In the coming months, we foresee many new exciting developments as businesses take the initiative in establishing and raising the cybersecurity benchmarks that will provide greater security to the digital space.