Mideast, Turkey Cyber Threats Spike, Prompting Defense Changes

Organizations in Saudi Arabia, the United Arab Emirates, and Turkey suffered more than 10 attacks in the past year on average — and the vast majority of business and IT professionals expect the coming year to be worse — driving efforts by cybersecurity experts in those countries to simplify and modernize their cyber defenses and IT infrastructure.

Overall, less than half of organizations (46%) feel well-prepared to defend against future cyberattacks, according to a survey of nearly 1,000 security professionals in those three regions published by Internet-services provider Cloudflare. With geopolitical conflict on the rise and cybercriminals increasingly focused on the Middle East region and Turkey, Bashar Bashaireh, regional vice president at Cloudflare, said in a statement.

"Organizations across the Middle East and Türkiye are managing an increasingly complex cybersecurity landscape," he said. "With incidents on the rise in both volume and frequency, this balancing act becomes even more challenging, leaving leaders with a sense of diminishing control over their organizations’ technological and security frameworks."

Cyberattacks have become commonplace in the region, but each nation's threat profile is slightly different. While the vast majority of companies in the UAE, for example, have suffered cyberattacks in the past two years, approximately a quarter of those incidents were caused by insiders. Both Saudi Arabia and the UAE have seen an increase in attacks over the past year, with DDoS attacks alone leveled by hacktivists jumping 70%. And in another wrinkle, a group of cybercriminals recently targeted Turkish users with Android malware aimed at stealing accounts.

The three countries have all embarked on major investments in modernization, pursuing major initiatives such as Abu Dhabi's Economic Vision 2030 and Saudi Arabia's Vision 2030, but the countries also need to strengthen their cybersecurity efforts to protect their investments, Chris Murphy, managing director at FTI Consulting, wrote in a November 2023 analysis of Middle East firms' cybersecurity readiness.

"Threat actors will not pause their activities while these strategic plans unfold, and without the necessary security and preparedness measures in place, cyber risks will threaten the vitality of key sectors and the overall economic growth of the region," he wrote.

Simplifying & Modernizing Cyber Defense

The majority of organizations in the Middle East and Turkey plan to increase cybersecurity's share of their IT budgets. The top priority for businesses across the region is to consolidate and simplify their cybersecurity infrastructure, with half of all organizations ranking the effort as a top-three initiative, followed by almost half (47%) prioritizing the modernization of their applications, according to Cloudflare's report.

"Despite their plans, many feel they are still not ready for what lies ahead, and there is a 'confidence gap' in key areas for a large number of respondents," Cloudflare stated.

Those include the security of applications and data in the public cloud, a lack of oversight into their supply chain, and a lack of visibility and control over the devices that access their networks, according to Cloudflare's report.

The good news is that some nations have made strong progress in securing their systems, to the point that the Kingdom of Saudi Arabia is ranked second, after the United States, in the International Telecommunication Union's Global Cybersecurity Index.

Most Pessimistic Industries: Media, Telecom & Gaming

According to Cloudflare, cyberattackers in the past year targeted financial services, IT firms, and companies providing business and professional services most often, and were more likely to target larger organizations. Yet the sectors most worried about future cyberattacks are the media and telecom sector followed by the gaming sector, with 97% and 92% of respondents, respectively, predicting a cybersecurity incident in the next 12 months.

Perhaps unsurprisingly, the telecom and media sectors are among the least staffed as well, with 39% of information-security roles remaining unfilled, according to a recent report by cybersecurity firm Kaspersky.

"The growth rate of the domestic IT market in some developing regions is changing so rapidly, the labor market cannot manage to educate and train the appropriate specialists with the necessary skills and expertise in such tight deadlines," Vladimir Dashchenko, a security evangelist with Kaspersky's ICS CERT, wrote in a statement.

Companies in each region have struggled to meet government-backed cybersecurity frameworks, with 62% of companies in Turkey meeting the requirements of the EU cybersecurity framework, 69% of Saudi firms meeting the Saudi Arabian Monetary Authority (SAMA) framework, and many UAE organizations falling short in complying with the National Electronic Security Authority (NESA) framework.

Despite that, executives' commitment to cybersecurity remains lukewarm, Cloudflare stated in the report

"Interestingly, despite the increasing volume of attacks, many cite a lack of buy-in from leadership as a key challenge," the firm stated. "Perhaps this is a case of cybersecurity fatigue, but whatever the cause, senior leaders cannot afford to ignore the challenges facing their organizations."