Written by John Hathaway, Regional Vice President, iMEA at BeyondTrust
In 2020, enterprises across the Arab Gulf region adopted a justifiable set of priorities. First, protect employees from the pandemic. Second, deliver business continuity. Both were achieved by a necessarily hasty migration to the cloud. Unfortunately, this led to ill-defined digital perimeters, and a slew of new, rogue personal devices. The corporate network that was previously well understood was replaced with a mysterious hybrid fog.
The results spoke for themselves. The Head of Cybersecurity for the UAE government reported a 250% increase in cyberattacks in 2020, citing digital adoption in the wake of pandemic-related lockdowns. And Saudi Arabia defended itself against 7 million cyberattacks in the first two months of 2021, with national media citing attacks on remote access protocols (used by work-from-home employees to access corporate environments) as the most common.
And so, we arrive at our main challenge for 2022: cybersecurity is more important than ever and yet skills gaps remain, resources are tight, and strategies have yet to mature. Even as Saudi Arabia ranks second and the UAE fifth in the ITU’s Global Cybersecurity Index for 2020, work remains to be done. So let us examine what challenges may lie in wait for organizations in the coming year.
Yes, that is outer space, as in the extraterrestrial domain. Who hasn’t looked up at the night sky and dreamed of venturing into the great beyond? And it is that sense of whimsy that attackers will use to hook their victims in 2022. Now that the UAE’s Mars mission has gripped the imagination and trends of space-made movies and star-bound tourism are “taking off”, expect to see “opportunities” to send your DNA or personal effects — perhaps even yourself — off-world.
All you would have to do for these once-in-a-lifetime opportunities is pay a small fee or forward personal details. Those with stars in their eyes may be tempted to bite.
That Skills Gap Again
While the region’s shortage of qualified security professionals is nothing new, associated factors will exacerbate it in 2022. For shortages to get worse all that needs to happen is that demand outpaces supply. And next year, that is what we are likely to see across the region.
We will need more talent to manage the expanding attack surface brought about by remote workers using their personal devices to join enterprise networks. Hybrid clouds mean more corporate data will find itself travelling through infrastructure that is not owned or controlled by the IT team that is responsible for its safety. And digital transformation initiatives will introduce new technologies and applications that need to be accounted for in the security posture.
And yet, still not enough young people are choosing to be trained as security professionals.
As more and more consumer devices have become cellular-capable, new use cases have become available to companies that previously faced the daunting cost of proprietary hardware and connectivity for their mobile solutions. The launch of 5G in the region promises even more use cases, as the technology solves lingering latency issues.
But the connectivity boon allows a merging of cloud, IoT, and potentially sensitive back-office data. And all components of 5G may not be entirely secure, given the range of hardware involved.
Ransomware: The Revenge
The dreaded digital rascal shows no signs of tiring. Like an indestructible movie villain, it keeps coming back for the sequel. According to data published by Statista, 38% of UAE organizations and 17% of those in Saudi Arabia were victims of ransomware in the 12 months prior to February 2021. Elsewhere in the world, record-breaking payouts have made it into the headlines this year.
The practice is evolving. Where before it was a pay-to-unlock model, now cybercriminals have begun “kidnapping” sensitive data – exfiltrating it and threatening to release it to the public. We already know that ransomware attackers spend a lot of time researching targets before a campaign. In 2022, we can expect more personalized attacks that hit IoT infrastructure or company contractors.
Supply-Chain Attacks Will Evolve
Supply chain attacks — such as the one famously used against Miami-based network infrastructure company Kaseya this year — show signs of maturing. While acknowledging that they are a relatively uncommon approach, a recent report by Abu Dhabi’s Digital14 identifies supply-chain attacks as one of the top threats faced by UAE organizations.
In 2022, we should watch out for an expansion in scope and sophistication, with third-party solutions and well-known development practices being leveraged by attackers.
Cybersecurity Insurance in Jeopardy
As if stakeholders did not have enough to contend with, their fallback risk position may simply vanish. Insurance providers may look at the bottom line and decide that — given the monumental costs of recovery and the failure of modern threat postures to allow for the evolving capabilities of bad actors — there is no sound business case for their cybersecurity products. Some insurers have already drastically increased premiums while others refuse to ensure high-risk clients, and some have abandoned the cyber-insurance market altogether.
Without more organizations taking out policies, or better cyber-hygiene across the board, it is difficult to envisage a future for cybersecurity insurance.
More White Noise Means Greater Opportunities for Stealth
Because of the rise of VPN technology used to deliver remote-working facilities, threat hunters now have considerably more data to sift through when looking for suspect processes. Because this makes intrusion detection more difficult, next year’s malicious parties will enjoy more time between entering an environment and being discovered.
It’s Not All Bad
It goes without saying that while all the challenges listed here apply to all organizations in the region, not all will experience damage or loss. Some will have security policies in place that build a comprehensive asset register, a cogent risk assessment, and a mature and consistent workflow to circumvent the bad actor. But their less-prepared peers should not expect a happy new year.