The Middle East is among the regions cyber attackers favor most, which has raised the need for cybersecurity in the region. According to the global forecast by ResearchAndMarkets.com, the cybersecurity market size in the Middle East is expected to grow from $15.6 billion in 2020 to $29.9 billion by 2025, at a compound annual growth rate (CAGR) of 13.80%.
According to a study, around 38% of organizations have implemented a mixed working methodology (online and offline). These organizations have incorporated cloud-based and virtual technology into the functioning of their businesses.
Statistics on Cyber Threats in the Middle East
The thriving economy of the Middle East, coupled with rapid digitization, has drawn the attention of cybercriminals globally. Here are some statistics showing the extent of the damage cyber attacks are causing in the region:
- According to a study by Ponemon Institute and IBM Security, data breaches result in an average loss of $6.53 million per organization in the Middle East, which is significantly higher than the global average loss of $3.86 million.
- An article by The National News reported that over 2.57 million phishing attacks were detected from April to June across the Middle East in 2020.
- As per an article by The Gulf News, the UAE is the second-most targeted country for cybercrime. The cost of attacks in the country is estimated to be $1.4 billion annually.
- According to a report by CNBC, the UAE witnessed a 250% increase in cyber attacks in 2020 marked by more frequent ransomware and phishing incidents.
Notable Types of Cyber Attacks in the Middle East
According to a study conducted by the Ponemon Institute in 2020, $6.53 million is the average loss suffered per company in the Middle East due to a data breach incident. This is significantly more than the global average incident loss of $3.86 million. Based on the data from Saudi Arabia and UAE based companies, the reported financial impact caused by data breaches has increased by 9.4% over the past year.
In the Middle East, threat actors are targeting the industries that hold the most sensitive customer data for maximum financial gain. Healthcare companies incurred the highest per-record cost due to a data breach, followed by the financial and technology sectors.
Most data breaches are executed by obtaining and using a legitimate user’s credentials to commit fraud or theft. According to a study, 59% of data breaches were conducted by malicious actors, 24% were due to system glitches and 17% were caused by human error.
According to the Times of Oman, over 2.57 million phishing attacks were detected in 2020 across the entire Middle East region, including Egypt, the UAE, Qatar, Saudi Arabia, Kuwait, Oman, and Bahrain. With the COVID-19-related subject lines increasing the likelihood of malicious email openings, the Middle East was hit by a wave of phishing attacks in Q2 of 2020.
Executive impersonation is especially widespread in the Middle East, across both emails and social media accounts. Cybercriminals impersonate a company executive to trick lower-level employees into giving up sensitive documents or funds. Cybercriminals can spoof social media accounts or create impersonating websites and mobile applications to convince end users of the legitimacy of the content.
In October 2020, cybercriminals successfully stole the login credentials of numerous Arabic-language Netflix users. The National News reported that threat actors created a fake website disguised as a Netflix customer support page. The stolen credentials could have been sold or used to send fraudulent emails to extract payment card information to extort additional funds or restore their accounts.
Ransomware is a kind of targeted cyber attack that has become quite a widespread problem in the Middle East. These attacks seek to extort sensitive data or large sums of money from the victims. The year started with two very well-publicized hacking incidents that took place in January 2020.
First, the Twitter account of KUNA, a state-run news agency in Kuwait, was hacked, and a false tweet was sent out stating that US forces planned to move out of the Arifjan base within three days. This tweet was absolutely untrue, as the Arifjan base serves as Kuwait’s main US army base and houses thousands of troops.
Then the Oman Observer broke the news that Oman United Insurance Co SAOG, the largest insurance company in Oman, revealed that its data center was hit by a ransomware attack, resulting in the suspension of operations for a day. The company also reported that the attackers had acquired customer data from December 2019 to January 2020. However, it did not reveal any fallout or financial losses caused by the breach.
According to a report published by ENISA, the Middle East witnessed the rise and success of some flourishing ransomware gangs like Maze, Sodinokibi, Egregor, and Netwalker. For this reason, targeted ransomware attacks have become one of the most severe cybersecurity concerns for Middle Eastern companies.
Privacy Laws to Ensure Cybersecurity in the Middle East
The General Data Protection Regulation (GDPR)
GDPR came into force on May 25th, 2018. This regulation was incorporated as a global standard for data protection, which marked the evolution of the landscape for personal data protection. The fines imposed under GDPR can reach up to 4% of the global turnover or €20 million, whichever is more.
Law No. 13 of 2016 in Qatar
Qatar implemented a regulation under the “Personal Data Privacy Protection Law” to ensure the protection and security of personal data. This provision came into force after the Ministry of Transport and Communications was given the task of enforcing the law. The organizations that receive personal data must adhere to fairness, transparency, and respect for human dignity. According to this law, the financial penalty for non-compliance with the regulation can be up to a maximum of QAR 5,000,000.
Law No. 30 of 2018 in Bahrain
Bahrain enforced the PDPL (Personal Data Protection Law) on August 1st, 2019. It was modeled after the European Union. Offenders can face a sentence of up to 1 year.
Egypt’s Personal Data Protection Law No.151 of 2020
Egypt incorporated the PDPL in July of 2020. This law was meant to address the issue of privacy and data protection. It permits the collection of personal data for legitimate purposes only. It also specifies rules for organizations to acquire licenses to handle sensitive and personal data. If any illegal activity is found, the criminals can be penalized with a maximum of EGP 5 million or imprisonment for a maximum of 6 months.
UAE-DIFC Law No. 5 of 2020
The UAE incorporated the DIFC Data Protection Law on July 1st, 2020, and enforced it on October 1st, 2020. This law was applicable to every country that was a signatory to the DIFC. This law was influenced by the EU’s General Data Protection Regulation. This law is meant to safeguard personal data, and non-compliance could lead to fines.
Cybersecurity in the Middle East
Based on the numerous statistics in the blog, it can be concluded that most of the attacks in the Middle East are carried out by social engineering tactics, exploiting email domains, and injecting malware. Organizations in Middle Eastern countries must prioritize cybersecurity. They need to employ tools and services that could empower their employees and make them more vigilant to prevent cyber attacks.