The Gulf must pair its digitalisation goals with cybersecurity

Jakub Porzycki via Reuters Connect

The Gulf states have been a victim of numerous cyberattacks over the past five years, including ransomware attacks and undetected advanced persistent threats to computer networks.

Critical sectors such as oil and gas, manufacturing, government information systems, construction and healthcare have all been targeted.

In August 2021, for example, the AvosLocker ransomware group attacked Dubai’s NHS Moorfields Hospital. The group claimed to have stolen 60gb of patient and proprietary data, including identity cards, passports, insurance forms and travel documents.

A month earlier than that Saudi Aramco had confirmed a cyberattack where the attacker stole company files and demanded a $50 million ransom.

• UAE businesses to boost investment in cyber insurance
• Mubadala secures $500m stake in US broadband firm
• UAE and Saudi Arabia race to develop defence industries

According to aeCERT, the UAE’s computer emergency response team, there were 123,181 cyberattacks in the country in December 2020. Malware accounted for 62 percent of attacks, exploits (in which code or a program maliciously take advantage of IT vulnerabilities) for 31 percent, and phishing for 7 percent.

The Saudi government has also reported an alarming increase in cyberattacks during the Hajj season – more than two million in one month alone in 2022, according to the deputy minister of Hajj and Umrah.

In the years to come, as the GCC states accelerate their digital transformation initiatives, it is imperative that governments and businesses protect their digital assets.

This is no longer an option, but a critical component for success. Emerging technologies such as artificial intelligence, digital infrastructure, renewable energy and smart cities create opportunities but also represent targets.

To that end, Saudi Arabia, the UAE and Bahrain have respectively established the National Cybersecurity Authority, National E-Security Authority and National Cyber Security Center to oversee cybersecurity efforts. 

Additionally, the countries have established computer emergency response teams and introduced personal data protection laws (PDPL) to protect their citizens’ privacy and govern the flow of data internally and across borders.

These laws can impose heavy penalties for non-compliance — under Saudi Arabia’s PDPL, malefactors can face fines of up to SAR 10 million ($2.6 million) and imprisonment. 

Such efforts do not come cheap. At Frost & Sullivan, we estimate spending in the Middle East cybersecurity sector will grow from $7.4 billion in 2022 to $31 billion by 2030.

Saudi Arabia is the largest market in the region with over 60 percent market share, followed by UAE. Both the countries stand at the forefront, spearheading the charge in terms of their cybersecurity regulation, technological advancement, workforce development and strengthened cyber strategies. 

These efforts have paid off. In the International Telecommunications Union Global Cybersecurity Index 2020 rankings, Saudi Arabia ranked second and UAE fifth out of 194 countries worldwide.

However in the GCC private sector companies are increasingly concerned about business disruption and reputational damage due to the ongoing threat of cyberattacks.

They are collaborating closely with equipment manufacturers, security services providers, system integrators and consulting companies to enhance their cybersecurity and mitigate cyber risks. 

There is still a long way to go to establishing a safe and secure environment for existing and future digitalisation initiatives and to ensure complete resilience.

It requires a comprehensive national cybersecurity programme that builds national capabilities, defines a national talent strategy and establishes close ties between the government and the cybersecurity sector. Cybersecurity funding must be prioritised and resources allocated.

Collaboration between the GCC states and also the private sector is also crucial. The authorities must share threat intelligence data, conduct joint cybersecurity drills and simulations and standardise protocols.

Parminder Kaur is director of security practice at consulting firm Frost & Sullivan