Cybercriminals in the UAE are upping their game

There was a feeling among security professionals that last year represented something of a return to ‘normal’.

As the pandemic panic continued to subside and organisations grew increasingly comfortable with hybrid setups, confidence in security posture followed suit. Unfortunately, cybercriminals are comfortable with this normality, too. And with a larger attack surface to aim at, they have honed their skills, finding both familiar and new ways to breach defenses and expose data.

Proofpoint’s State of the Phish Report 2023 found that email-based attacks continue to dominate the threat landscape, with eight in 10 (86 per cent) of organisations in the UAE experiencing at least one successful attack, 44 per cent reporting direct financial losses as a result.

While there is little security teams can do to stop cybercriminals targeting their organisations, that people remain a significant contributor to the success of such attacks should be a cause for concern. Proofpoint research reveals that 59 per cent of CISOs in the UAE view human error as their organisation’s biggest cyber vulnerability. Despite a long-held understanding of the fact that most attacks target users before systems, there is still a long way to go.

Tackling immovable understanding

The past few years have further cemented CISO’s understanding of the risk of remote and hybrid environments, with many making it a priority to secure these setups since their widespread adoption in 2020.

As well as innovative controls and new technologies, end-user training formed a cornerstone of this defence strategy. In the UAE, 64 per cent of organisations with a security awareness program were found to train their entire workforce. However, only 40 per cent conduct phishing simulations. As a result, employees lack a basic understanding of common cyber threats and are ill- equipped to detect and deter these threats.

As the threat landscape grows ever more sophisticated and people-focused, this issue needs to be addressed fast. With time already dedicated to education by over half the organisations in the UAE, improving understanding is a matter of re-strategising rather than building a case to implement a programme from scratch.

As for that strategy, in-context training is a must. Users need to understand how they are likely to experience today’s sophisticated modern threats in the wild and what to do when it happens. Simulations based on real-world lures are an effective way to do this.

With budgets getting tighter, security teams may feel like they can’t do it all. But skimping on cybersecurity is never an option. So, as the threat landscape grows ever more perilous, a rethink is needed to ensure our cyber defenses are fit for the task.

A snapshot of the threat landscape

At first glance, there is little on today’s threat landscape to surprise a seasoned cybersecurity professional. But while phishing, business email compromise (BEC), ransomware and the like remain popular pastimes among cybercriminals, many have further amped up their attacks to inflict maximum damage.

Over two thirds (64 per cent) of organisations in the UAE experienced ransomware last year, with 70 per cent suffering a successful infection. Worse still, of the 61 per cent that paid a ransom, only half regained access to their data at the first attempt.

Insider threats are going nowhere anytime soon either, and Covid-19 still has a big part to play. Remote and hybrid working increased the risk of negligence and helped malicious actors to conceal their actions. And now, the post-pandemic ‘Great Resignation’ has made it much easier for people to walk out the door with your data.

Last year, 72 per cent of organisations in the UAE experienced data loss due to an insider’s action, with 49 per cent of job leavers admitting to taking data with them.

All the while, threat actors are scaling up more complex email threats. Last year saw hundreds of thousands of telephone-oriented attack delivery (TOAD) and multi-factor authentication (MFA) bypass phishing messages sent each day, threatening nearly all organisations surveyed.

With MFA still trusted by many to secure highly sensitive accounts and networks, any method to navigate this protection gives cybercriminals a potentially devastating new advantage.

All of which adds up to a familiar story: Threat actors with the time and tenacity to find new ways around defenses and cybersecurity teams feeling trapped in an unwinnable arms race.

Winning the cyber arms race

As we improve defenses to cope with evolving threats, cybercriminals find new and devastating ways to circumnavigate them. This is nothing new. But while keeping pace with the threat landscape is a must, there is more to cyberdefence than plugging gaps as they arise.

Whatever the adversary, understanding and education should always be the baseline of an effective cybersecurity strategy. The more your users know about the attacks they face, how they will encounter them and their role in keeping them at bay, the better placed they are to protect your organisation and its data.

Start by identifying who is most at risk, whether due to poor cyber skills or high exposure to cyber threats, and target your resources where they are needed most. Then go beyond this with an in-context, regularly conducted, companywide security awareness training programme.

The result is a strong workplace security culture that motivates your people to build sustainable security habits and implement them every day – and a much safer organisation, whatever threat actors find to throw at it.

The writer is Regional Director, Middle East and Africa at Proofpoint.

• Business