In a region that is experiencing an unprecedented increase in cyber security threats, the United Arab Emirates (UAE) is taking actions that are already paying off.
The increase in threats is described in the State of the market report 2021 and the State of the market report 2022 – annual reports published by Help AG. These studies focus exclusively on digital security in the Middle East, highlighting the top threats and the sectors most impacted, and providing advice on where companies should invest their resources.
The entire Middle East region has been experiencing an unprecedented rise in cyber security threats, partly because of the rise in the number of people working remotely. People are dispersed, yet more connected than ever. The most successful form of cyber attack has always been social engineering, in which a hacker exploits human error to gain access. With a distributed workforce, it is much easier for hackers to find, and take advantage of, careless behaviour.
According to Help AG, the UAE experienced a 183% rise in distributed denial of service (DDoS) attacks from 2019 to 2020 – and a further increase of 37% in 2021, with multi-vector attacks becoming particularly problematic. In 2021, 58% of DDoS attacks in the UAE were multi-vector, up from 45% in 2020.
Ransomware, a relatively easy form of attack with a potentially high monetary payoff, has also been on the rise in the UAE. A new approach has seen hackers accessing easily available ransomware-as-a-service to launch triple extortion attacks, combining file encryption, data theft and DDoS. File encryption renders precious data unusable, data theft threatens to expose private data, and DDoS shuts down services.
Before the pandemic, the UAE and other Gulf Cooperation Council states had already been investing in improving their security postures. But more recently, in the light of increased levels of threat, they stepped up their efforts – and showed a clear leaning towards a new way of investing in security.
Stephan Berner, CEO of Help AG, told Computer Weekly that the most significant trend his company observed in security investment patterns in 2021 was towards a service-centric model. “To cope with the modern threat landscape, businesses are shifting away from a technology-focused to a service-based cyber security approach,” he said. “Rather than onboarding technologies that they would have to manage, customers are opting to outsource security operations to an expert that will allow them to contract on an SLA [service-level agreement]-based offering.”
New partnerships fit national cyber security strategy
Last month, the UAE Cybersecurity Council signed preliminary agreements with several organisations to help the country achieve its aggressive goals in countering cyber attacks. Three notable partnerships are with Huawei, Amazon Web Services (AWS) and Deloitte.
The council also signed an agreement with UAE-based Cyber Protection X (CPX) to help governmental and semi-governmental agencies improve their cyber security capabilities. These signings took place around the time of the Gulf Information Security Expo and Conference (GISEC) in Dubai in March.
The UAE Cybersecurity Council was established in November 2020, tasked with the mission to develop a cyber security strategy and build a secure cyber infrastructure in the UAE. The council is chaired by Mohamed Hamad Al Kuwaiti, head of cyber security for the UAE government. Under Al Kuwaiti, not only does the council help create laws and regulations, but it also ensures a rapid response capability to fight cyber crime.
Even before the council was set up, the UAE had started taking measures to encourage professionals and students to pursue careers in cyber security. It developed a national awards programme to support academic research, startups, and companies that implement protection measures. A stated goal of the National Cybersecurity Strategy in 2019 was to develop more than 40,000 local cyber security professionals.
So far, the country’s efforts have paid off, as evidenced by its significant rise in the International Telecommunication Union (ITU) rankings on cyber security. In the Global cybersecurity index 2020, the UAE achieved fifth place, up from 33rd in 2019, sharing the fifth-place ranking with Russia and Malaysia. Neighbouring Saudi Arabia shared the second-place ranking with the UK.
The UAE’s improved ranking is a clear sign that the UAE Cybersecurity Council has been doing the right things over the past two years – and it has done so during a pandemic and a sharp rise in security threats.
Getting help from experts
Going forward, the UAE Cybersecurity Council fully embraces the idea of getting help from outside experts, as was evidenced by the recent partnerships with Huawei, AWS and Deloitte. These partnerships follow the UAE’s overall strategy to grow local expertise in technology with the help of established foreign players.
One of the stated goals of its memorandum of understanding with Huawei is to foster an open and transparent environment between the UAE government, Huawei and other technology providers. The plan is to establish an independent think-tank and centre of excellence in cyber security to promote innovation and research. At the same time, this arrangement is expected to create new opportunities to develop local talent in digital security.
In its partnership with AWS, the UAE hopes to achieve faster adoption of cloud services by public agencies and regulated industries, such as financial services and healthcare. A steering committee will be established to share best practices in cloud security, another example of how the UAE might grow in-country expertise.
The memorandum of understanding signed with Deloitte includes establishing cyber training, among other measures. Al Kuwaiti said he hopes this partnership will “create and build local cyber security capabilities”.
These partnerships are consistent with the Help AG’s recommendations to governments and organisations in the Middle East. “The power of strategic partnerships cannot be overstated, particularly when it comes to the vital task of securing businesses,” Berner told Computer Weekly. “Partnering with the right security service provider will cut costs, increase efficiency, and allow organisations to focus on their core business.”