Investing in up-to-date cybersecurity technologies that address the challenges of today rather than those of yesteryear is the secret to staying cybersecure in the Middle East. That is according to Hadi Jaafarawi, Managing Director – Middle East at Qualys, who discusses the importance of Middle East organisations adopting comprehensive cybersecurity strategies that include short- and long-term measures to address imminent threats and build future resilience.
Which industries are the biggest targets for cyberattacks in the Middle East and what advice can you offer to best secure themselves?
It is all about low-hanging fruit. Threat actors look for a payday that is some combination of easy and lucrative. Because of that, all industries will be under threat. However, the Middle East’s well-known focus on petrochemicals makes the oil and gas industry a major lure for cybercriminals, hacktivists and state-sponsored groups. Lately, following a series of high-profile supply-chain attacks around the world, governments have looked anew at the vulnerability of critical infrastructure such as energy facilities, power plants and transportation hubs. The region’s high degree of interconnectedness presents a constant probability of a cyberattack on one industry triggering a domino effect, jeopardising national infrastructure on a larger scale.
IBM’s latest Cost of a Breach report calculates an US$8 million average between Saudi Arabia and the UAE alone. This is a 156% increase from a decade ago — a jarring sign that attackers are becoming more sophisticated and that the nightmare scenario is more alarming than ever. Few organisations can take a million-dollar hit in their stride. And so, we must act. Middle East organisations must adopt comprehensive cybersecurity strategies that include short- and long-term measures to address imminent threats and build resilience for the future. Regardless of your scale or industry, you must be proactive. You must have a plan. You must know where your risks lurk. And you must make security part of your corporate DNA, promoting transparency and awareness, breaking down information silos and fortifying defences.
How has the convergence of IT and OT impacted the cybersecurity landscape?
This is one instance where the breaking down of a silo is a double-edged sword. The convergence of Information Technology (IT) and Operational Technology (OT) across the Middle East has led to many challenges. For a start, IT and OT skills are very different. Someone who is trained in data and networks will traditionally know little about physical plant machinery. And engineers that look after OT will likely be unaware of the vulnerabilities in business software. IT is used to taking systems offline to update and patch vulnerabilities. But in an OT setting, going offline even for a moment can be very costly or even downright dangerous.
IT and OT merged to accommodate the rise of Industry 4.0. The Industrial Internet-of-Things (IIoT) brought many benefits but it also expanded the attack surface as previously air-gapped OT systems, such as those governing industrial control systems (ICS) and critical infrastructure became linked to corporate IT networks and, by association, the savage wilds of the Internet. Thus, threat actors were given an opening. Ironically, OT systems, which were designed primarily for the preservation of safety and the maximisation of uptime, have been put in a position where those core missions are under threat because of well-intentioned initiatives to improve their efficiency.
So, because attackers can use your IT to hit your OT, critical infrastructure has become vulnerable and must be protected through a holistic cybersecurity plan that encompasses both sides of the technology stack.
What stands out to you most about the Middle East cybersecurity market and what do you think will be the catalyst for change in the years to come?
The amount spent on Digital Transformation in the Middle East is set to double in the five-year-period to 2026. This is an extraordinary expansion that brings with it considerable risk and the cybersecurity market has seen rapid growth as the region’s enterprises have operated more and more on the global stage. Many countries here play critical roles in global energy production and have profound geopolitical significance. Moving into this global (and undeniably digital) space demands a recognition of the importance of cybersecurity.
When looking forward, the first change catalyst I can see is the escalating frequency and sophistication of attacks. Another is the everchanging regulatory landscape, both locally and internationally. Both these factors are bound to drive organisations to invest more in cybersecurity. A third catalyst is this demand on CISOs to do more with less. I can see this leading to more shrewd and targeted cyber investments as organisations consolidate their security suite and seek to shrink their vendor pools.
In other areas, if we are fortunate, the market for cybersecurity talent will continue to grow, governments and private-sector businesses will collaborate more often and international cybersecurity organisations will unite experts to fortify the region’s cyber defences and make us all safer.
What’s the secret to staying cyber secure in this particular region?
The key is universal and, in fact, is no secret. Middle East organisations must adopt multi-faceted, proactive approaches to cybersecurity. Understand your risks as they pertain to your region, your industry and your regulatory landscape. Invest in up-to-date cybersecurity technologies that address the challenges of today rather than those of yesteryear.
Globally, cyberthreats are evolving and growing in number. The technologies that fight them are out there and are also improving. When deployed effectively, these technologies create layers of protection against BEC campaigns, phishing, vishing and smishing. They protect against identity theft, fraudulent sessions, lateral movement and payload drops. They protect against the infiltration of malicious entities and the compromise or exfiltration of data. Technology allows the SOC to continually adapt to the threat landscape.
What trends are you seeing in terms of customer demand and how has this evolved over the last few years?
The primary trend that stands out for me is the increasing emphasis on the consolidation of cybersecurity technologies. Cybersecurity teams, vendor management teams and procurement teams are collaborating on this shift, which is driven by the realisation that a patchwork of point solutions is not sufficient to meet present-day challenges. Legacy tools become unwieldy and their results degrade to white noise, alert fatigue and burnout among security professionals. Consolidation reduces complexity and so eliminates these headaches, streamlines operations and improves overall security posture while reducing costs and boosting morale in the SOC.
How has increased adoption of the cloud impacted cyber-risk for organisations?
The cloud and remote work have contributed to heightened cyber-risk. The Middle East saw massive shifts to these models from mid-2020 onwards. Cybersecurity solutions now include those that are cloud-aware in a way that legacy tools were not. Cloud-native environments are the norm so cybersecurity must now be scalable and flexible. Tools must allow analysts to peer into every corner of the modern business’ operations, which are more dynamic and distributed. Microsoft, Google, Oracle and other hyperscale providers are establishing clouds across MEA, in countries like the UAE, Qatar, Bahrain and South Africa. The businesses that are the customers of those tech giants can no longer rely on the ‘castle/moat’ approach to security. Firewalls and perimeters have different roles to play in infrastructures that are routinely exposed to the Internet. We must safeguard data and resources with due regard to that exposure, adopting cloud-native security measures to mitigate cyber-risk.
What are some of the misconceptions about cybersecurity in the region?
The Middle East’s misconceptions closely resemble those of the rest of the world: cybersecurity is purely an IT issue; we are not a high-profile target; the technology alone will protect us from all threats; insider threats can’t happen here; incident-response plans are for multi-nationals.
The truth is: cybersecurity is a multi-disciplinary team sport; any scale of business can be the victim of a crippling incident; technology is not the beginning and end of the posture story; there are such things as malicious and non-malicious insider threats and they can happen to anyone; and everybody should have an incident-response plan because anybody can be a victim.
A region-specific example might be that cybercriminals only target the oil and gas sector – also untrue. No one is safe; nothing is invulnerable.
How has the ransomware pandemic shaped the cybersecurity landscape in the region and what are your top tips for how businesses should tackle this moving forward?
The ransomware pandemic has left an indelible mark on the cybersecurity landscape in the Middle East, mirroring its global impact. I would refer you back to the US$8 million cost of the average breach in Saudi Arabia and the UAE. Much of this cost is ransomware payments. According to one estimate, the activity of ransomware groups in the Middle East increased by 77% in the first quarter of 2023 compared to the same period in 2022.
Heightened awareness now underscores the gravity of the threat and has prompted organisations to bolster their defences. Regulators have responded by tightening data protection and cybersecurity regulations and imposing penalties for data breaches.
We have already discussed how the quick march to the cloud expanded the attack surface by introducing new vulnerabilities. To compensate, regional organisations must adopt proactive measures. Start with robust backup and recovery protocols. Ensure employees are thoroughly trained to identify phishing attempts. Make sure you are current on software updates and patches. Adopt multi-layered security defences that give you complete and continuous visibility of all your assets. Carry out risk-based assessments on vulnerabilities. Review compliance management and formulate a risk-based roadmap for prioritisation and remediation of gaps. And collaborate across tech and non-tech business functions to author a comprehensive incident-response plan.