CyberSecurity – A Threat to the Digital Acceleration in the Middle East

Cybersecurity attacks are a persistent issue, particularly for Middle Eastern businesses and organizations. These threats can halt operations, damage a company’s reputation, and result in costly legal action. The more technology a company relies upon, the more vulnerable it is to cyberattacks and challenges. Hackers are increasingly focusing on Middle Eastern firms that are converting to digital procedures and handling sensitive data.

Data compiled by Kaspersky shows that cybercrime is up 600% due to the COVID-19 Pandemic. It is estimated that worldwide, cybercrimes will cost $10.5 trillion annually by 2025. The global annual cost of cybercrime is estimated to be $6 trillion per year, worth 1% of the Global GDP.

According to The National News, approximately 2.57 million phishing assaults were discovered in the Middle East from April to June of 2020. According to a Gulf News story, the UAE is the second-most targeted country for cybercrime. The yearly cost of assaults in the country is estimated to be $1.4 billion.

The continued success of Middle Eastern nations’ digitalization ambitions carries with it an increased and rising exposure to the risk of cyber assaults. These attacks, carried out by other nations and more sophisticated criminal rings from throughout the world, have the ability to halt digitization’s progress and jeopardize the benefits it provides.

Cyber Crime in the Middle East

As a result of the epidemic, cybercrime has become a top priority for most firms embracing digitalization. In the first half of 2021, there was a 17% increase in cybercrime records, mainly malware assaults, in the Middle East. Oman, Kuwait, Bahrain, Qatar, and Turkey are among the nations that have seen a dramatic increase in cybersecurity threats over the previous year.

Government institutions, financial services, healthcare, education, and technology are among the most targeted industries with large increases in industrial control system (ICS) hazards.

The Middle East is a popular target for cyber-attacks which highlights the importance of cybersecurity in the region. According to ResearchAndMarkets.com’s worldwide estimate, the Middle East cybersecurity market is predicted to rise from $15.6 billion in 2020 to $29.9 billion by 2025, at a compound yearly growth rate (CAGR) of 13.80%.

Every national government in the MENA area is working to establish a safe digital environment, but these efforts are too frequently fragmented, tactical, and reactive. Furthermore, they do not incorporate the engagement of all key players. As a result, government actions frequently lag behind the ever-changing threat landscape, and defensive measures are evaded or exploited. A strategic approach to national cyber security that adheres to the “CCC” paradigm is required — comprehensive in nature, collaborative in goal, and capability-driven.

Governments in the Middle East are highly aware of the emerging security scenario connected with digitalization. Many of them have increased their cyber-security operations in recent years in order to strengthen their national cyber-security capabilities and improve the protection level of their important national information infrastructures.

Security concerns heat up the Middle East

• Data Breaches: Exposed credentials and initial access brokers

According to a Ponemon Institute and IBM Security 2020 report, the average cost of a data breach event per organization in the Middle East is $6.53 million USD, well above the global average incident cost of $3.86 million. The estimated financial effect of data breaches has increased by 9.4% in the last, with threat actors focusing on industries with the most sensitive consumer data for financial benefit. Healthcare organizations were determined to have the greatest cost per record of a data breach, closely followed by the financial services and technology industries.

• Phishing attacks, especially on social media

Phishing-related assaults and frauds increased, owing to the increased success of such acts, with COVID-19-related subject lines driving illicit email opens, and an overall increase as people spent more time online. Phishing is a common method used by both cybercriminals and nation-state entities.

According to a Kaspersky Security research, more than 2.57 million phishing assaults were discovered this year across the Middle East, from Egypt to the UAE, Saudi Arabia, Qatar, Kuwait, Bahrain, and Oman.

• Targeted attacks (ransomware)

In addition to data breaches and phishing methods, security professionals must keep an eye out for more focused assaults such as social media account breaches and ransomware operations that attempt to extract huge quantities of money or sensitive data from their victims.

Over 55 intelligence events targeting the Middle East have been documented by Digital Shadows researchers in the previous six months. 17 of the 55 intelligence events were explicitly connected to ransomware.

Privacy Laws to Ensure Cybersecurity in the Middle East

The General Data Protection Regulation (GDPR)

GDPR went into effect on May 25, 2018. This law was adopted as a global standard for data protection, signaling the development of the personal data protection landscape. GDPR fines can amount to up to 4% of worldwide revenue or €20 million, whichever is greater.

Law No. 13 of 2016 in Qatar

To safeguard the safety and security of personal data, Qatar established a law under the “Personal Data Privacy Protection Law.” This clause became effective once the Ministry of Transport and Communications was tasked with executing the law. Organizations that receive personal data must conform to principles of justice, openness, and human dignity. The financial penalty for non-compliance with the rule, according to this law, can be up to QAR 5 million.

Law No. 30 of 2018 in Bahrain

On August 1st, 2019, Bahrain implemented the PDPL (Personal Data Protection Law). It was inspired by the European Union. Offenders face a maximum punishment of one year in prison.

Egypt’s Personal Data Protection Law No.151 of 2020

Egypt established PDPL in July 2020. This law was intended to address the issue of data privacy and protection. This law restricts the gathering of personal data to just lawful reasons. It also outlined the procedures for firms to get permits to handle sensitive and personal data. If any unlawful behavior is discovered, the culprits can be fined up to EGP 5 million or imprisoned for up to 6 months.

UAE-DIFC Law No. 5 of 2020

The UAE adopted the DIFC Data Protection Law on July 1, 2020, and it went into effect on October 1, 2020. This law applied to all countries that were signatories to the DIFC. The EU’s General Data Protection Regulation impacted this regulation. This legislation is intended to protect personal data, and noncompliance may result in fines.

The state of national cyber-security policies in the Middle East

The majority of present programs adopt an IT-centric approach to national cyber security. They are tactical remedies to a strategic problem. A national cyber-security program necessitates a coherent, comprehensive plan that identifies critical national cyber capabilities and explicitly allocates ownership of these capabilities and responsibilities for national cyber security to a committed lead agency.

At the moment, most of the existing cyber-security initiatives are reactive. Their priority is recovery from a cyber assault rather than attack prevention. A robust and long-term national cyber-security policy must include proactive cyber-capabilities that can aid in the prevention of attacks, such as information exchange and constant monitoring for enhanced situational awareness.

The majority of current efforts are centered on the government’s involvement in developing and maintaining cyber security. A national cyber-security effort, on the other hand, must be comprehensive. It must include the private sector and citizens, and enlist their help in addressing the security of important digital assets and infrastructure throughout the country.

A practical approach to the Middle East

The governments of the Middle East are the only stakeholders with the power, reach, and resources to develop and drive a truly national cyber-security agenda, ensure alignment of efforts, and drive collaboration and continuous improvement through sector-specific, national, and eventually regional governance bodies.

The Middle East’s strong economy, along with rising digitalization, has piqued the interest of cybercriminals worldwide. As a result, it is up to the government to create a national cyber-security program, allocate ownership and responsibilities at the highest level, and start it. All that is left for Middle Eastern governments to do is confront this fundamental issue, which jeopardizes their national digitization initiatives and hopes for successful twenty-first-century economies.

Preliminary actions that can be taken in the adoption and execution of cyber-security plans –

• Establish a central national cyber-security body: The national government should create a central national cyber-security body (CNCB) to define and oversee the national cybersecurity strategy. This body must be autonomous and separate from any existing public organization, such as ministries, councils, or regulatory bodies. This ensures the body’s neutrality, which is essential for removing any lack of cooperation from a group of stakeholders and ensuring collaboration. At the same time, this newly formed entity must be enabled by the highest authorities, such as the national security council, and publicly mandated by laws or decrees in order to establish its legitimacy and authority over public and private entities.

• Define a national cyber-security strategy: The CNCB should develop a national cyber-security plan in accordance with the country’s vision, national interests, and national/regional security imperatives. As previously said, the strategy should be all-encompassing, collaborative, and capability-driven. One of the plan’s main success factors is the complete participation of key national stakeholders throughout the strategy development process, to ensure that crucial ideas and aspects are included in the strategy. This technique is better for certain authorities’ approach to establishing a plan in silos, which makes socializing the strategy and obtaining stakeholder support harder.

• Establish a national dialogue: To begin the partnership process, the CNCB should convene a nationwide forum with important stakeholders. This communication can take the shape of a national cyber-security governance body presided over by the CNCB, working groups focusing on certain themes or industries, or regular conferences and other events.

• Build preventive national cyber-security capabilities: The CNCB should take the lead in developing national preventative cyber-security capabilities. This includes creating national cyber-security rules and standards, such as a national information assurance standard. It also requires establishing a national compliance authority to ensure that such standards and rules are followed.

• Build reactive national cyber-security capabilities: The CNCB should also push for the development of reactive national cyber-security capabilities. This includes the formation or strengthening of a national Computer Emergency Readiness Team. Because such organizations currently exist in most countries in some form or another, it is critical to match the strategic direction of the Computer Emergency Readiness Team with the national cyber-security plan. This harnesses the power of cooperation to define the sorts of answers that the country wishes to develop.

The gap between the cyber-security capabilities of the public- and private-sector enterprises in the Middle East and their enemies in cyberspace is already a palpable concern, and it is widening on a daily basis. To address this gap, the Middle Eastern countries must take a strategic approach to rethink and reform their national cyber-security initiatives. Until then, tactical and technological responses to cyber-attacks can only function as band-aids.