Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa and the Asia Pacific
United Arab Emirates Faces Intensified Cyber-Risk
The UAE leads the Middle East in digital-transformation efforts, but slow patching and legacy technology continue to thwart its security posture.
March 21, 2024
The United Arab Emirates' focus on becoming a global hub for business and innovation is driving digital transformation in the Middle East, with the governments of both individual emirates and the UAE as a whole pushing the adoption of digital technologies and services.
The UAE Digital Government Strategy 2025, based on the OECD Digital Government Policy Framework, calls for an inclusive, digital-by-design framework that is resilient and open by default, and consists of 64 different digital initiatives organized into six pillars. The Unified Digital Platform (UDP) — one part of the overall framework — brings together government services under a common platform to eliminate paperwork and streamline bureaucracy. And the Smart Dubai 2021 Strategy calls for smart, resilient cities, an interconnected society, easy-to-use autonomous transportation, and a lean, connected government.
Yet the digital transformation initiatives have attracted the attention of increasingly sophisticated cyberattackers and have stretched local resources. The existing cyber workforce struggles to keep up with basic security efforts — such as patching — and organizations can't recruit enough cybersecurity-skilled professionals, says Irina Zinovkina, the head of the information security research group at Positive Technologies.
"The UAE faces emergence of complex attacks, development of attacker techniques, [and] difficult-to-detect malware. Last, but not least, is that there is [an] issue with lack of personnel," Zinovkina says. "To keep up with digital transformation, organizations need to identify and assess the information assets that require protection, as well as determine the events that could occur as a result of a cyberattack."
The UAE is already seeing signs of a changing threat landscape, with more than 50,000 attacks targeting the nation's public sector every day. Government agencies are not alone: In the past two years, the vast majority (87%) of UAE-based businesses have faced a cybersecurity incident, according to cybersecurity firm Kaspersky.
A Growing Attack Surface in the UAE
In a report on the threat landscape in the UAE, Abu Dhabi–based cybersecurity services firm CPX found more than 155,000 vulnerable assets while scanning the nation's Internet space. It founds that over the past five years in the UAE, 40% of the most critical vulnerabilities remain unpatched.
"Alarmingly, many of the vulnerabilities exploited are historical, indicating a gap in patch management practices," says Hadi Anwar, Head of CPX. "Timely and effective patch management is crucial and can significantly reduce the risk posed by these vulnerabilities."
The UAE's shortage of cybersecurity professionals has made timely software patching unrealistic in many cases. In fact, technical professionals tend to be in short supply overall, with the country acknowledging that it is only 10% of the way to its goal of increasing the "workforce in the federal government trained in modern technologies," according to the UAE Digital Government Strategy 2025.
"Attack surfaces in the UAE are consistently expanding with the increasing adoption of technologies like cloud computing, operational technology (OT), and artificial intelligence (AI), providing threat actors with increased opportunities for illegal system infiltration," Anwar says. "Cybersecurity transcends local, regional, and global boundaries, necessitating a unified response."
UAE's Progress Attracts Cybercriminals
The digital transformation efforts have attracted the attention of cybercriminals.
In an analysis of more than 91 million messages is nearly 250 Telegram forums and channels, cybersecurity firm Positive Technologies found that the United Arab Emirates is the most-mentioned country in the Gulf Cooperation Council (GCC), with 46% of messages mentioning the UAE, while Saudi Arabia ranked second, with 23% of messages referring to that country.
With cybercriminals increasingly using AI technologies such as large language models (LLMs), their attacks are becoming more sophisticated, with fewer easy-to-spot campaigns, says Positive Technologies' Zinovkina.
"All new technologies bring risks, especially to the security landscape," she says. "[For] the UAE, digital transformation in the country may face such challenges as integration complexities and data security concerns."
Another concern: While digital transformation may increase the attack surface area, it also increases the impact of a successful attack on the country's infrastructure.
The UAE has always been very business forward, and while increasing digitization helps make the country a more friendly digital economy, it also can increase the potential for disruption in the event of a successful attack, says Jon Amato, a senior director analyst at Gartner and chair of the Gartner Security and Risk Conference for the Middle East.
"Look at the classic example of the DDoS attacks on Estonia — they had a huge digital transformation initiative, and years ago [in 2007], Russia was basically able to cripple them for months at a time," he says. "Digital transformation is definitely a part of that equation — it doesn't increase the likelihood of such a thing happening, but it definitely increases the impact if it does."
More Cloud-Native Security
UAE organizations need to make sure that as services move to the cloud, cybersecurity follows, says Rich Davis, director of solution strategy for cloud-security firm Netskope.
Organizations in the Middle East still have legacy hardware appliances that make the move to a cloud-native digital transformation more challenging and difficult to secure.
Government agencies and private sector firms should adopt security-as-a service (SaaS) and infrastructure-as-a-service (IaaS) tools, and an overall zero-trust model, Davis says.
"This security transformation moves security services out of a central location to be in line with the new services organizations are deploying to aid their digital transformation," he says. "The primary shift we have observed is a philosophy shift away from the traditional perimeter security model, to one that assumes data and applications are everywhere and that employees are accessing them from anywhere."
The shortage of cybersecurity professionals is also limiting the nation's ability to manage the security of its cloud services and digital assets, a problem that is not limited to the Middle East, says Gartner's Amato.
"Where do you find the people who are skilled enough to plan for this stuff? How do you operate it?" he says. "Finding people is always going to be the biggest problem that we see for security in the United Arab Emirates, and in just about any other place in the world."
Read more about:
DR Global Middle East & AfricaAbout the Author
You May Also Like
Transform Your Security Operations And Move Beyond Legacy SIEM
Nov 6, 2024Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024