Cyberattacks increasingly target people, rather than infrastructure, with more than half (55%) of CSOs and CISOs citing human error and lack of security awareness as one of the biggest IT security risks.
Proofpoint, a leading cybersecurity and compliance company, has released its latest research highlighting how people-centric cyberattacks are impacting organisations in the UAE. The research revealed that a majority (82%) of CSOs and CISOs surveyed reported at least one cyberattack on their organisation in 2019, while over half (51%) reported multiple incidents.
Account compromise was the leading method of cyberattack in the UAE in 2019, impacting 28% of companies surveyed, followed by credential phishing (20%) and insider threats (17%). Almost one third of respondents (29%) believe account compromise will continue to be the UAE’s biggest cyberthreat over the next three years, followed by Distributed Denial of Service (DDoS) attacks (28%) and phishing (19%).
Cyberattacks can have far-reaching and devastating financial and reputational impact for businesses. The research found that financial loss (29%) and data breaches (28%) were the biggest consequences for UAE organisations in 2019, followed by a decreased customer base (23%).
While organisations in the UAE are aware of the risks, many are not fully prepared. In fact, only 21% of respondents strongly agreed their organisation was prepared for a cyberattack, with 43% somewhat agreeing. In terms of where the biggest risks lie, 59% of respondents cited outdated or insufficient cybersecurity solutions and technology, while more than half (55%) believe that human error and lack of security awareness are a risk factor for their organisation.
Though end-users are the front line of defence against cyberattacks, there is a need for better security knowledge and awareness training. Common security errors made by employees, according to CSOs and CISOs in the UAE, include poor password hygiene (29%), mishandling sensitive information (25%), falling for phishing attacks (24%) and clicking on malicious links (20%). Interestingly, 19% cited criminal insider threats as a growing concern for businesses.
“A people-centric strategy is a must for organisations in the UAE, as cybercriminals increasingly target people rather than infrastructure, with the aim of stealing credentials, siphoning sensitive data and fraudulently transferring funds,” said Emile Abou Saleh, Regional Director, Middle East and Africa at Proofpoint. “With our research revealing that 39% of UAE CSOs and CISOs believe their employees make their business vulnerable to cyberattacks, education and security awareness is a mission critical priority and could make the difference between an attempted cyberattack and a successful one. Along with technical solutions and controls, a comprehensive training programme should sit at the heart of an organisation’s cyberdefence.”
Despite facing a fast-evolving threat landscape, three-quarters (75%) of respondents admitted to training their employees on cybersecurity best practices twice a year or less. Meanwhile, only 23% of organisations in the UAE train their employees more than three times a year.
Organisations in the UAE are optimistic that cybersecurity will become more of a business priority moving forward, with 50% reviewing their cybersecurity strategy twice a year or more and 69% expecting their cybersecurity budget to rise by 11% or more over the next two years.