Enhancing cyber security awareness in the middle east

The Middle East has emerged as a dynamic and influential region, experiencing rapid digitisation and technological advancements through a combination of increased globalisation efforts and elevated public investment.

With the proliferation of digital platforms, the middle eastern threat landscape has expanded exponentially, necessitating heightened cyber security awareness and preparedness for individuals, employees, and organisations.

According to a cybersecurity report by IBM, the average cost of a data breach in the Middle East is $6.93 million. This is significantly higher than the global average of $4.24 million per incident.

This article aims to provide insights into the current state of cyber security and awareness in the region, official regulations pertaining to data protection and information security, as well as a brief history of cyber-attacks in the Middle East and what we can learn from the ramifications.

The state of cyber security and awareness in the Middle East

The Middle East has witnessed significant growth in internet penetration and digital connectivity, making it susceptible to cyber threats. Euro Monitor states that 92.5% of the population are covered by a mobile cellular network, and mobile internet penetration has grown rapidly due to ease of access and affordability, with the region being the second fastest growing region after Asia Pacific. UAE digital agency Medialinks’ analysis put the number of internet users in MENA now at over 200 million.

However, it is important to remember, cyber security awareness varies across different countries in the region, with some nations being more proactive in adopting robust cyber security measures and educating their citizens on cyber risks, while others may be less prepared.

The region's most common cyber threats and risks:

• Cyber-attacks on critical infrastructure: Middle Eastern countries often face cyber-attacks targeting critical infrastructure such as oil and gas facilities, power grids, and water supply systems. Such attacks can have severe economic and societal implications.
• Phishing and social engineering: Phishing attacks and social engineering techniques remain widespread across the world, let alone the middle eastern region. Cybercriminals exploit human vulnerabilities to gain unauthorised access to sensitive data and systems and they do not discriminate with their choice of target.
• Ransomware threats: Ransomware attacks have become increasingly common, affecting businesses and governmental entities alike. The payment of ransom demands can encourage further attacks and fund criminal activities. With the survival of wealth and capital in the Middle East, even after global periods of financial uncertainty, cybercriminals have a lucrative target that is still in its cyber security awareness infancy.
• IoT vulnerabilities: The growing Internet of Things (IoT) ecosystem in the Middle East, adjacent to the increased digital connectivity of the region, poses significant security challenges due to the numerous connected devices lacking adequate protection. The region is booming in development exponentially. However, with progress, corners can be cut, and security protocols overlooked in an effort for continuous progress. IoT vulnerabilities is one such oversight pertaining to the region and its cyber security efforts.
• Lack of cyber security talent and awareness: The shortage of skilled cyber security professionals and awareness initiatives in the region is a grave concern. This Marsh report reveals that only 4% of Middle East & Africa business leaders are confident in their organisation’s ability to successfully deal with a cyber-attack. In fact, the vast majority of organisations are still struggling to understand the risks posed by their vendors and digital supply chains. Strengthening the focus and knowledge surrounding cyber threats is paramount in combating evolving cyber threats effectively.

Official regulations for data protection and information security

Whilst there is still a lot of work to do at a granular and organisational level, governments in the Middle East have recognised the importance of safeguarding data and have begun to implement various regulations to address cyber security concerns.

Some notable regulations and initiatives include:

• General Data Protection Regulation (GDPR): While not exclusive to the Middle East, GDPR compliance is vital for organisations handling the data of European citizens. Many Middle Eastern countries have aligned their data protection laws with GDPR to facilitate international business transactions and ensure smooth day-to-day data handling.
• UAE's Federal Law No. (2) of 2019: The United Arab Emirates' Cyber Crimes Law aims to combat cybercrime and protect the country's critical information infrastructure, specifically healthcare organisations. The law addresses various cyber offenses, including unauthorised access to computer systems, hacking, phishing, and spreading malicious software. It also criminalises the misuse of technology to invade privacy, defame individuals, or harm the public interest. Violations of this law can result in substantial fines and imprisonment.
• Saudi Arabia's national cybersecurity authority: In 2019, Saudi Arabia introduced its Cyber security Law to enhance the protection of critical information infrastructure and ensure the confidentiality, integrity, and availability of electronic systems and data. The law mandates government entities and critical infrastructure operators to implement cyber security measures, conduct regular risk assessments, and report any cyber incidents to the National Cybersecurity Authority (NCA). It also outlines penalties for non-compliance, which may include fines and suspension of licenses.
• Qatar's Personal Data Privacy Protection Law (Law No. 13 of 2016): Qatar enacted the Personal Data Privacy Protection Law to regulate the processing of personal data and safeguard individuals' privacy rights. The law outlines the lawful bases for processing personal data, establishes data subject rights, and imposes obligations on data controllers and processors. It also establishes the Privacy Protection Department, responsible for overseeing data protection compliance and investigating breaches.
• Oman's Electronic Transactions Law (Royal Decree No. 69/2008): Oman's Electronic Transactions Law provides a legal framework for electronic transactions and electronic data interchange. The law addresses electronic signatures, the recognition of electronic records as evidence, and the confidentiality and security of electronic information. While it does not specifically focus on data protection, it indirectly influences information security practices in electronic transactions.
• Bahrain's Personal Data Protection Law (Law No. 30 of 2018): Bahrain's Personal Data Protection Law governs the processing of personal data by public and private entities. It regulates the collection, use, disclosure, and transfer of personal data and aims to protect individuals' privacy rights. The law requires data controllers to implement appropriate security measures to safeguard personal data and establishes the National Data Protection Authority responsible for enforcing compliance.
• Kuwait's Cybercrime Law (Law No. 63 of 2015): Kuwait's Cybercrime Law criminalises various cyber offenses, including unauthorised access to computer systems, data interference, and cyber stalking. The law also addresses offenses related to spreading false information, promoting extremism, and engaging in terrorist activities online. Penalties for cybercrime convictions can include imprisonment and fines.

These regulations demonstrate the Middle Eastern countries' commitment to enhancing data protection and information security in the region – however, regulation is still very broad and needs to be drilled down and specified. Nevertheless, organisations operating in these countries must comply with these laws to ensure the privacy and security of personal and sensitive data and mitigate the risk of potential legal and reputational consequences.

What are the most common cyber-attacks we see in the region?

The Middle East has not been immune to cyber-attacks, and some significant incidents have shaped the region's cyber security landscape.

• DDoS attacks: Denial-of-service attacks overload a network or website and make a system unable to respond to service requests. DDoS attacks do not provide any direct benefits to the attacker, contrary to attacks that aim to gain access or increase access to the system. However, they are hugely disruptive to the target and can have massive financial and reputational consequences for organisations impacted. The first half of 2022 saw a significant increase in DDoS attacks worldwide, with adversaries constantly innovating and using new methods, vectors and motivations. According to Threat Cop, the Middle Eastern region experienced a 7% increase in DDoS attacks in 2022.
• Malware attacks: Malware attacks harm devices and exploit users for the financial benefit of the attacker. There are various ways to deploy a malware attack and in the first half of 2021, the Middle East witnessed a 17% surge in malware attacks, totalling a staggering 161 million (The National News). Oman, Kuwait, Bahrain, Egypt, and Qatar all reported a sharp rise in malware attacks, with Oman recording the biggest increase of 67%. The UAE, the second biggest Arab economy, recorded a 7% rise in malware attacks.
• Ransomware attacks: Ransomware attacks infects users and organisations through malicious websites or infected email attachments. Once a device is infected, the malware encrypts important files, leaving them inaccessible to your organisation. The attackers then demand a ransom in exchange for the decryption key and the safe return of your data. According to the Middle East Institute, the majority of UAE companies (84%) paid ransoms following ransomware attacks. This is higher than the global average. Furthermore, of those that paid, 90% faced another attack and 59% had their data compromised even after paying a ransom.
• Phishing: According to the Khaleej Times, in the second quarter of 2022, the UAE detected a staggering 3.4 million instances of phishing attacks. The most targeted country was Saudi Arabia, with a massive growth of 168% in phishing attacks. Khaleej Times also found that attackers target customer data, and that these attacks often occur during the vacation season when people are looking for travel deals. Phishing attacks are always about social engineering – catching users at their most vulnerable and passive state and hoping to induce a mistake. To protect against these types of attacks, it is important to be cautious of overly generous offers, and to carefully check the URL and certificate of a site before entering. Awareness knowledge like this isn’t compulsory on an organisational level or personal level.

History of significant cyber attacks in the Middle East and what we can learn from them

• Stuxnet Critical Infrastructure malware attack: In 2010, Stuxnet, a malware believed to have been jointly developed by the United States and Israel targeted Iran's nuclear facilities, specifically the Natanz uranium enrichment plant to disrupt the country’s uranium enrichment processes. The malware attack successfully damaged around 1,000 centrifuges in the Natanz facility, significantly setting back Iran's nuclear program. To prevent critical infrastructure attacks, these important organisations must prioritise robust cyber security measures and keep them consistently refreshed. In a political space, critical infrastructure is the only target for cyber criminals, and you must behave like you are always at risk. Regular security awareness and training programs for employees can help them identify and report suspicious activities, ensuring a rapid response to potential threats and the continued operation of critical infrastructure.
• Shamoon Saudi Arabia malware/spear phishing attack: In 2012, threat actors wiped data from approximately thirty-five thousand computers belonging to Saudi Aramco, one of the world’s largest oil companies. Malware called Shamoon found its way onto the device of a user with privileged access via spear phishing techniques and stole passwords, wiped data, and prevented computers from rebooting. Hackers calling themselves the "Cutting Sword of Justice" claimed responsibility for the incident, asserting they were retaliating against the al-Saud regime for what the group called widespread crimes against humanity. Later, U.S. intelligence sources attributed the attack to Iran. This nation-state attack is multi-layered: it’s both malware and phishing based and it both sought to damage day-to-day activities but also send a geopolitical point. Shamoon malware actually operated on Saudi Arabian networks undetected for numerous years. Why? The knowledge and awareness levels just weren’t there for individuals to spot, report and flush it out.
• Dubai Cheers Exhibition phishing attack: In 2019, the full-service exhibition company recently fell victim to a cyberattack where a hacker breached their email server and sent out fraudulent emails to clients, purporting to be from the company. The attack led to the theft of $53,000 from a Russian client through a transfer to an overseas account. The company also discovered that the hackers had taken control of their website to further trick their customers into thinking they were being contacted legitimately. Your organisation’s digital image is key to reputation and customer security and must be a major pillar in your cyber security protocols.
• Moorfields Eye Hospital ransomware attack: In 2021, the Dubai branch of the world renowned Moorfields Eye Hospital fell victim to an attack by the ransomware group Avos Locker. The hackers targeted patient data, downloading 60GB of information including copies of ID cards, insurance forms, accounting documents, hospital call records, internal memos, and certificates. The attack was likely initiated through a malicious email or advertisement, and the data was encrypted once accessed. Kaspersky stated that hackers exploited remote working vulnerabilities which increased following the Covid-19 pandemic and persists still. Teaching employees how to work securely from home or from roaming remote stations must now be a standard of all cyber security training and awareness initiatives or you will be expanding the attack surface for grinning cybercriminals.
• Gems Education School Network insider attack: In 2022, Gems Education, which operates 18 schools in the UAE, discovered that their former IT department head had hacked into their system and deleted crucial files over the past 16 years. The individual, who had a deep understanding of the system, was able to carry out the attack successfully. The school filed a police report and subsequently upgraded their security measures, restoring the deleted files. This is a bug lesson on the important of authorisation, credentials, and data maintenance. The former employee should have had his access privileges revoked as soon as he had left the enterprise but due to lax security behaviours and an established protocol network, Gems Education was open to a devastating insider attack.

What does the middle east's cyber future look like?

The Middle East is facing an increasing number of cyber-attacks as the region continues to digitise and invest in its industries. These attacks are becoming more sophisticated and are being perpetrated by state-sponsored actors and experienced ransomware groups. Security teams and cyber security leaders in the Middle East must keep up with the constantly evolving threat landscape and implement effective measures to combat these threats.

However, you cannot be blinded by only hardware solutions as the proof is in the Middle East cyber breach time; cybercriminals will continue to target individuals they classify as vulnerable, due to a lack of training and awareness, to access systems, data and financial records. You must invest in your employees’ cyber security development.

If you would like information about how The Security Company can help you to deliver cyber security training and awareness initiatives for your organisation and how we help support security leaders in setting up a fresh cyber security awareness framework ... please contact our Head of Business Development and Sales, Jenny Mandley.

The Security Company's vast library of customised and non-customised products and services are tailored for small, medium and large organisations and are available in a variety of languages. We also offer bespoke solutions for organisations that desire training and awareness materials built from the ground up.