Breaking cybersecurity news, news analysis, commentary, and other content from around the world, with an initial focus on the Middle East & Africa.

United Arab Emirates Faces Intensified Cyber-Risk

The UAE leads the Middle East in digital-transformation efforts, but slow patching and legacy technology continue to thwart its security posture.

5 Min Read
Abu Dhabi skyline
Source: Kevpix via Alamy Stock Photo

The United Arab Emirates' focus on becoming a global hub for business and innovation is driving digital transformation in the Middle East, with the governments of both individual emirates and the UAE as a whole pushing the adoption of digital technologies and services.

The UAE Digital Government Strategy 2025, based on the OECD Digital Government Policy Framework, calls for an inclusive, digital-by-design framework that is resilient and open by default, and consists of 64 different digital initiatives organized into six pillars. The Unified Digital Platform (UDP) — one part of the overall framework — brings together government services under a common platform to eliminate paperwork and streamline bureaucracy. And the Smart Dubai 2021 Strategy calls for smart, resilient cities, an interconnected society, easy-to-use autonomous transportation, and a lean, connected government.

Yet the digital transformation initiatives have attracted the attention of increasingly sophisticated cyberattackers and have stretched local resources. The existing cyber workforce struggles to keep up with basic security efforts — such as patching — and organizations can't recruit enough cybersecurity-skilled professionals, says Irina Zinovkina, the head of the information security research group at Positive Technologies.

"The UAE faces emergence of complex attacks, development of attacker techniques, [and] difficult-to-detect malware. Last, but not least, is that there is [an] issue with lack of personnel," Zinovkina says. "To keep up with digital transformation, organizations need to identify and assess the information assets that require protection, as well as determine the events that could occur as a result of a cyberattack."

The UAE is already seeing signs of a changing threat landscape, with more than 50,000 attacks targeting the nation's public sector every day. Government agencies are not alone: In the past two years, the vast majority (87%) of UAE-based businesses have faced a cybersecurity incident, according to cybersecurity firm Kaspersky.

A Growing Attack Surface in the UAE

In a report on the threat landscape in the UAE, Abu Dhabi–based cybersecurity services firm CPX found more than 155,000 vulnerable assets while scanning the nation's Internet space. It founds that over the past five years in the UAE, 40% of the most critical vulnerabilities remain unpatched.

"Alarmingly, many of the vulnerabilities exploited are historical, indicating a gap in patch management practices," says Hadi Anwar, Head of CPX. "Timely and effective patch management is crucial and can significantly reduce the risk posed by these vulnerabilities."

The UAE's shortage of cybersecurity professionals has made timely software patching unrealistic in many cases. In fact, technical professionals tend to be in short supply overall, with the country acknowledging that it is only 10% of the way to its goal of increasing the "workforce in the federal government trained in modern technologies," according to the UAE Digital Government Strategy 2025.

"Attack surfaces in the UAE are consistently expanding with the increasing adoption of technologies like cloud computing, operational technology (OT), and artificial intelligence (AI), providing threat actors with increased opportunities for illegal system infiltration," Anwar says. "Cybersecurity transcends local, regional, and global boundaries, necessitating a unified response."

UAE's Progress Attracts Cybercriminals

The digital transformation efforts have attracted the attention of cybercriminals.

In an analysis of more than 91 million messages is nearly 250 Telegram forums and channels, cybersecurity firm Positive Technologies found that the United Arab Emirates is the most-mentioned country in the Gulf Cooperation Council (GCC), with 46% of messages mentioning the UAE, while Saudi Arabia ranked second, with 23% of messages referring to that country.

With cybercriminals increasingly using AI technologies such as large language models (LLMs), their attacks are becoming more sophisticated, with fewer easy-to-spot campaigns, says Positive Technologies' Zinovkina.

"All new technologies bring risks, especially to the security landscape," she says. "[For] the UAE, digital transformation in the country may face such challenges as integration complexities and data security concerns."

Another concern: While digital transformation may increase the attack surface area, it also increases the impact of a successful attack on the country's infrastructure.

The UAE has always been very business forward, and while increasing digitization helps make the country a more friendly digital economy, it also can increase the potential for disruption in the event of a successful attack, says Jon Amato, a senior director analyst at Gartner and chair of the Gartner Security and Risk Conference for the Middle East.

"Look at the classic example of the DDoS attacks on Estonia — they had a huge digital transformation initiative, and years ago [in 2007], Russia was basically able to cripple them for months at a time," he says. "Digital transformation is definitely a part of that equation — it doesn't increase the likelihood of such a thing happening, but it definitely increases the impact if it does."

More Cloud-Native Security

UAE organizations need to make sure that as services move to the cloud, cybersecurity follows, says Rich Davis, director of solution strategy for cloud-security firm Netskope.

Organizations in the Middle East still have legacy hardware appliances that make the move to a cloud-native digital transformation more challenging and difficult to secure.

Government agencies and private sector firms should adopt security-as-a service (SaaS) and infrastructure-as-a-service (IaaS) tools, and an overall zero-trust model, Davis says.

"This security transformation moves security services out of a central location to be in line with the new services organizations are deploying to aid their digital transformation," he says. "The primary shift we have observed is a philosophy shift away from the traditional perimeter security model, to one that assumes data and applications are everywhere and that employees are accessing them from anywhere."

The shortage of cybersecurity professionals is also limiting the nation's ability to manage the security of its cloud services and digital assets, a problem that is not limited to the Middle East, says Gartner's Amato.

"Where do you find the people who are skilled enough to plan for this stuff? How do you operate it?" he says. "Finding people is always going to be the biggest problem that we see for security in the United Arab Emirates, and in just about any other place in the world."

About the Author(s)

Robert Lemos, Contributing Writer

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights