31 Mar 5 cybersecurity trends for the Middle East in 2023
January is always a good time to look forwards to the year ahead. Dan Norman, Regional Director, EMEA for the ISF, predicts what we can expect to see for cybersecurity in 2023.
Twenty twenty two was a significantly turbulent year. The geopolitical backdrop was explosive, with a European war happening for the first time in many years. International relationships broke down and global trade was disrupted. With the west tentative about putting boots on the ground in Ukraine, many governments took the democratic route by implementing sanctions and trade embargoes on industries like oil and gas, finance, manufacturing and weaponry. This arguably more surreptitious technique forced nation states and nation-state-backed actors to be more conceited in how they can influence the war itself, causing a broad range of disruptive cyberattacks.
Cyber criminals also doubled-down their efforts, with 2022 being a record year for ransomware and other forms of malware-related attacks. The threat landscape diversified significantly, with drones, 5G and artificial intelligence providing new delivery mechanisms for attacks globally. This technological advancement will likely continue to cause havoc globally for the next few years. In terms of cyberattacks, the Middle East is in an interesting and potentially vulnerable position. Oil-rich and digitising rapidly across a variety of industries, this region will be one of the key targets for nation state attackers, criminals, and cyber activists alike. Government policies in Saudi Arabia like Ambition 2030 and in Qatar post-World Cup, will usher in a new era of early-stage technological innovation across a range of industries such as retail, hospitality, manufacturing and beyond. IT, IoT and OT infrastructure and environments will also continue to blend architecturally, making 2023 a risky year for organisations in the region. One thing that is guaranteed is that the region will experience more cyberattacks. Therefore, management of this key risk is crucial to hitting the ambitious digital targets set by the regions themselves. Here are five cyber security trends that are set to accelerate for the Middle East in 2023 and beyond.
1) Senior management and boards in the Middle East will pay more attention to cybersecurity, increasing budgets and expectations of the workforce.
Throughout 2022 cybersecurity was the number one risk of most risk registers across the region and this has focused attention on effective cyber risk management significantly. Moreover, regulations have ramped up throughout the UAE (Cyber Security Strategy Framework), Bahrain (National Cybersecurity strategy), Qatar (Cybersecurity Framework) and Saudi Arabia (Essential Cyber Security Controls), enforcing penalties similar to the GDPR in Europe for non-compliance. Typical objectives of these regulations are to safeguard critical national infrastructure, identify and manage cyber risks according to leading industry frameworks, foster collaboration between organisations and industry bodies, and to strengthen critical assets across non-CNI organisations. Some large organisations in the region have even doubled their cybersecurity budget for 2023 to invest in effective cyber risk management frameworks, tooling and best practice methodologies, as well as technologies to identify, protect, detect and respond quicker to impending cyber threats.
2) The cybersecurity talent gap will become a real issue for HR
In the US and throughout Europe, the cybersecurity skills shortage has been a real issue for a few years now. With the covid pandemic changing traditional ways of working, securing a strong security workforce has become even more of a challenge. Couple this with the rapid digitisation and development in the Middle Eastern region in a range of industries, makes finding the right candidates a serious challenge. To build a sustainable security workforce, organisations should adapt to market demands by seeking candidates with diverse competencies and skill sets and provide competitive benefits and structured career development. For some organizations in the Middle East these changes are already underway but for the majority, the approach is still new and untried. Workforce planning, the adoption of competency frameworks, along with a well-structured workforce management programme, also known as talent management, are fundamental to the future success of attraction and retention strategies.
3) ‘Resilience’ will become a fundamental business driver for cybersecurity
Historically, security strategies have covered a broad spectrum of areas, but investment has predominantly focused intensely on building controls to protect the business from actually experiencing an attack, e.g. security incident event management systems, firewalls, phishing simulations, etc. However, cyberattacks have continued to grow in sophistication and scale, prompting organisations to take a different approach – one that focuses on key risk areas and focuses attention in a targeted manner. Many organisations are now accepting that cyberattacks simply will happen, and thus are focusing significant effort on incident response, crisis management, business continuity and disaster recovery, with the aim of reducing downtime of core systems, managing the regulatory and reputational impact as quickly as possible and aiming to ‘bounce-back’ as best they can. For example, running a range of cyber exercises to test and measure the ability of different individuals and groups within an enterprise will become even more popular as the ‘respond’ and ‘recover’ element of cybersecurity become more important.
4) The cyber insurance bubble will burst
Throughout the last 3-5 years, cyber insurance became increasingly popular and in some cases demanded by organisations to do business. Insurance policy development has been a significant challenge, as defining and scoping policy coverage is incredibly complex and contentious. Over the last few weeks many insurers have stipulated that they will not cover ‘systemic cyber risk, or the type of major, catastrophic disruption caused by state-backed cyber warfare. ‘Whilst ‘acts of war’ have been excluded from cyber insurance coverage for a while now, this highlights that the cyber insurance wave has come crashing down. Many organisations will have to find alternatives to cyber insurance to manage the risk posed by cyberattacks. For example, organisations should focus on: effectively monitoring and identifying threats; understand weak points and take concerted action; proactively mature and measure the cybersecurity programme; measure and report cyberrisk more accurately and in alignment to industry best practices.
5) OT and IT security requirements will soon merge.
Industrial control systems (ICS) and It environments have been on a collision course since IT devices made their way into corporate estates. Their convergence has created a number of efficiencies across manufacturing, oil and gas, and many other industries, but has also ushered in a range of new threats, which are set to exacerbate and accelerate across the Middle East. This convergence will lead to a broader attack surface that does not necessarily benefit from effective network segmentation or protective controls – at least on the ICS side. The fundamental task for information security teams is to protect ICS by reducing the risk of a security incident(whether malicious, accidental or negligent) whilst upholding safety, reliability and performance. Yet, introducing IT or information security controls into an environment for which they were not designed can be counterproductive if the controls are not implemented effectively. As more organisations move towards this convergence, and if attacks happen, production will be significantly interrupted, which will have considerable cost implications or, in the worst case, could contravene safety requirements with potentially catastrophic consequences, including loss of life (although for the most part ICS environments are explicitly designed to fail safe).
Daniel Norman uses his extensive work at the Information Security Forum regularly to produce trends and projections.