KSA and UAE Firms Face Cyberthreats, Regulatory Risk

Saudi and Emirati cybersecurity professionals are laboring under mounting cybersecurity workloads. In 2022, they’re receiving more malicious email — the first stage of most cyberattacks — delivering ever-more-sophisticated exploits. And they must enhance compliance programs as new regulations aim to increase cyber resilience and drive data privacy protection under national digital transformation strategies. Altogether, the costs are significant and growing.

Mimecast’s State of Email Security 2022 (SOES) describes this challenging landscape and the steps organizations are taking to manage the manifold risks.

Scoping the Email Threat

Saudi and Emirati IT and security professionals responding to the SOES survey saw new and changing threats from 2021 to 2022:

• Attack outlook: Nearly nine in 10 said it was likely to inevitable that they would suffer a negative business impact from an email-borne attack in 2022.
• More, sophisticated threats: There was a 10 percentage point increase in the survey respondents seeing a higher volume of attacks in 2022 than the previous year. Almost half saw this surge, while 45% also saw increasingly sophisticated attacks, for example, attacks combining multiple techniques.
• Phishing and BEC: Four in 10 saw an increase in impersonation fraud email and business email compromise (BEC). About the same number saw an increase in the other most common email attack: phishing with malicious links or attachments.
• Ransomware impact: One of the most troubling trends involved ransomware, with a 10+ percentage-point increase in the past year (from 16% to 27%) of the respondents reporting a significant impact to their organization from a ransomware attack. Another 40% said a ransomware attack had impacted their operations “somewhat”. More of them paid the ransom than in the previous year, but fewer recovered their data. A separate report from IBM estimated in 2022 that the two countries’ average total cost of a data breach was the second highest in the world (after the U.S.), at US$7.5 million per breach.[1] 

Outlook on Cyber Regulation in the Region

With new cybersecurity and data privacy rules coming into effect, cybersecurity professionals are expressing measured hope for improvement:

• Decreased risk: Only about one-third of respondents expect minimum cybersecurity requirements to make a big difference in the cyber risks they face, but about the same number expect a moderate improvement.
• Higher costs: Likewise, about one-third expect such rules to significantly raise their costs, and a similar number expect their costs to rise moderately.
• Operational flexibility: The professionals surveyed expect regulation to impede their freedom to determine their own best course of action in response to cyberthreats.

Demand for Cybersecurity Innovation

Cybersecurity professionals in the region are moving to adopt some of the latest tactics and technologies to strengthen their defenses, even as cyberattackers continue to evolve their own strategies. Among these:

• Integration:Nearly nine in 10 expressed a preference for integrating point security solutions onto more unified platforms, using application programming interfaces (APIs), for benefits including improved threat detection, faster remediation, and greater automation. Those who have already embarked on an API strategy have seen an average efficiency gain of nearly 17%.
• Artificial intelligence: Many more respondents this year described plans to use AI in their cybersecurity programs (43% in 2022 vs. 31% in 2021). Four in 10 said they’re already using AI for greater security. 
• Technology budgeting: Security professionals are pressing for bigger budgets to fund their strategies. While about 17% of the average IT budget in Saudi Arabia and UAE is dedicated to cybersecurity, they said, they’d be better equipped if it were closer to 20%. 

A 4-Step Plan for Better Cybersecurity

Earlier this year, Mimecast published Digital Transformation and Cybersecurity in Saudi Arabia and United Arab Emirates, which included the following recommendations:

• Bake security into digital transformation. The region’s intense focus on digital transformation should be accompanied by an effort to consider security at every step of the way. “Investments in transformation are meaningless if they leave the business and your customers exposed to cyberthreats,” the authors wrote.
• Be proactive against bad actors. Specifically, organizations that integrate threat intelligence across their security ecosystem can get ahead in the race against increasingly sophisticated attacks.
• Integrate best-of-breed tools. The key is to layer in security from your endpoints to the cloud, while leveraging multiple detection technologies together.
• Automate. Automation can help offload repetitive tasks and give security teams room to be more effective where it matters most.

The Bottom Line

In the Middle East, as elsewhere, cyberattackers are switching up their means of attack every day. Cybersecurity regulations are in flux. And security teams need to evolve their strategies, tactics, and tools to minimize both cyber risk and compliance risk. Read Mimecast’s global State of Email Security 2022 report to learn more.

[1] “Cost of a Data Breach 2022,” IBM and Ponemon Institute