The number of data-related incidents is tremendous, and it continues to increase. According to recent research, the total cost of data breaches for organizations in the Middle East hit an all-time high in 2023, reaching $8 million (SAR 29.9 million). One of the most affected countries in the region is the UAE.
It’s important to mention that one of the most serious information security risks is related to data breaches and data leaks. According to InfoBlox, 66% of UAE organizations reported data breaches in the past year, most likely resulting from phishing, ransomware, or other advanced threats. Most respondents fear data leaks and cloud attacks and do not believe they have a firm handle on the insider threat. The respondents mentioned that during the following 12 months, their organizations will be most concerned about data leakage (48%). Such worries are absolutely reasonable. We at SearchInform specialize in protecting organizations against insider-related risks globally. According to our Global Survey, 91% of companies worldwide have faced data leaks. Data leaks are among the most common and dangerous information security risks. The consequences of data leaks are very negative and include:
- Financial losses
- Reputational losses
- Business process interruption
- Leakage of private or corporate data, threatening clients, users, and employees.
For instance, Al Ashram Contracting, one of the leading construction companies in the UAE, recently fell victim to the BlackCat ransomware group. The major data breach was discovered on September 20, 2023. It’s believed that the incident resulted in the loss of 257 GB of sensitive corporate data, including:
- ISO audit records
- Procurement records
- Suppliers Subcon library
- Legal files
- IT asset inventory & exchange account.
According to recent findings, more than 72% of organizations in the UAE have suffered data loss due to internal actions. This trend is dangerous, as insider-related risks are, in essence, even more dangerous than external ones. First of all, insiders have more opportunities to commit malicious actions from the outset. What’s more, it’s much easier for an external intruder to initiate an attack with the help of an insider, as the insider is already within the corporate perimeter and thus has some access and more capabilities to cause damage. However, even if external intruders aren’t involved in an incident, insiders themselves can cause much harm.
Ensuring an appropriate level of cybersecurity protection is vital, with one of the most crucial aspects being protection against insider-related threats. This raises the question: What can organizations do to enhance their protection?
One of the fundamental measures gaining momentum worldwide is the adoption of legislation aimed at data protection. Regulators establish rules for data processing and related procedures, offer advice on handling security tasks efficiently, and impose fines on organizations that fail to comply with regulations or to prevent major data-related incidents. The adoption of such acts is an inevitable necessity. Fortunately, UAE regulators take these risks seriously and have developed and adopted specific legislation, such as the Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) and the UAE Information Assurance (IA) Regulation, developed by the Telecommunications and Digital Government Regulatory Authority, along with sector-specific legislation like the Consumer Protection Regulation issued by the Central Bank of the UAE.
One of the most critical aspects of ensuring advanced protection is enhancing employees’ competencies in information security issues. Approximately 66% of information security incidents result from unintended violations by employees. According to Kaspersky’s research, 39% of respondents in the UAE are unaware of what data about them is publicly available on the Internet. Furthermore, less than half of respondents (44%) who knew that their personal data was available online did not take any action in response.
Many attackers exploit human factors, including inattentiveness, curiosity, and a lack of information security-related competencies, when performing cyberattacks. One of the most common attack methods is phishing, which remains widespread and effective. Business Email Compromise (BEC) attacks, a specific type of phishing, doubled in 2022, according to Computer Weekly. These attacks are costly, with phishing and BEC attacks resulting in significant financial losses. The global BEC market is expected to grow significantly by 2027, according to Research and Markets.
To counter such threats, it is essential to enhance employees’ computer literacy and educate them about phishing attacks, their various forms, and how to defend against them. Specific protective software can also help mitigate this threat. For instance, advanced Data Loss Prevention (DLP) solutions can identify phishing emails, which is a crucial step in preventing major cyberattacks.
Another key measure is ensuring an appropriate level of corporate protection, which includes implementing advanced protective tools and hiring Information Security (IS) officers. Recommended protective solutions include eDiscovery-class solutions for detecting illicitly stored data, DLP systems for monitoring data transmissions and preventing data leaks, employee activity monitoring tools, and e-forensics tools to identify the culprits in case of data breaches.
Managed Security Services Providers (MSSPs) offer comprehensive protection against cyberattacks, alleviating two major ongoing problems: high costs associated with advanced protective solutions and the shortage of information security officers. MSSPs bring several benefits, including market best practices, cost savings, access to unique expertise and specialized tools, more time to focus on core business activities, and compliance with regulatory requirements. Contracting an MSSP can be an excellent option to ensure advanced protection, save resources, safeguard corporate and personal data, and comply with stringent regulations, such as the UAE’s Cybersecurity Law, which mandates digital asset protection and incident reporting. As a result, the UAE’s MSS market is expected to experience robust growth with a CAGR of 13.64% through 2028.