With the <a href="https://www.thenationalnews.com/future/technology/2024/05/01/how-microsofts-billion-dollar-bet-on-g42-spotlights-the-uaes-ai-ascension/" target="_blank">Middle East's emergence as a growing technology centre</a>, it may be at a point where it is susceptible to a dreaded situation – a cyber attack. And coupled with its leading role in the global energy sector, any episode that would rattle the region's tech infrastructure may have far-reaching consequences, taking root within <a href="https://www.thenationalnews.com/business/economy/2024/07/23/dubais-economy-grows-32-in-first-quarter-on-non-oil-sector-boost/" target="_blank">its growing economies</a>. “Technology is universally integrated into many day-to-day processes, therefore, a cyber attack would be just as damaging to the Middle East as it would be to anywhere else in the world,” Maher Yamout, a lead security researcher at Kaspersky, told <i>The National</i>. “All economies rely heavily on computers and technology in general. The growing fusion of the digital and physical world is an international development that is not slowing down at any rate. As a result, similarities in the potential damage among major economies are a given.” The spotlight on the Middle East has grown in recent years as governments in the region ramp up their efforts to prepare their societies for the economy of the future, one underpinned by digital technology. The push, led by the UAE and Saudi Arabia, has attracted attention and investments from companies such as Oracle, Google and Amazon, and highlights increasing investor confidence in the region. In just about every industry, the Middle East is attempting to integrate the latest innovation to promote inclusiveness and reach the widest possible chunk of its population, especially now with services at the tip of one's fingers. However, that also opens up opportunities for the digital underworld, which focuses on potentially lucrative demographics and economies. “The region has shifted its approach towards knowledge-based sectors … this digital transformation – and the concurrent economic growth and prosperity – increases its attractiveness for hostile actors who are motivated by financial gain or political reasons, and also the number of vulnerabilities available to them,” Haider Pasha, chief security officer at Palo Alto Networks, told <i>The National</i>. Compared to other regions, cyber incidents in the public domain of the Middle East have been relatively low, said Simon Bell, a cyber practice leader at New York-based consultancy Marsh McLennan. Also, due to the far lower penetration of cyber insurance, the recovery for business is “likely to be more challenging and slower”, he told <i>The National</i>. But that does not mean the threat is insignificant. According to the latest IBM <i>Cost of Data Breach</i> report, the average cost of a cyber breach in the Middle East was slightly more than $8 million in 2023, a record for the region and the second highest globally behind only the US. “The region has been experiencing a significant increase in phishing attacks and smishing attacks, which is a strong indication that such attacks are proving to be lucrative for cyber adversaries,” Pepijn de Jong, a senior vice president and head of cyber advisory services at Marsh McLennan, told <i>The National</i>. Phishing and smishing – two types of spoofing attacks – are growing in the Middle East, New York-based Marsh McLennan said. Other popular weapons of choice for cyber criminals are malware, <a href="https://www.thenationalnews.com/future/technology/2024/07/31/microsoft-outage-azure-ddos-attack/" target="_blank">denial-of-service attacks</a> and identity-based attacks, according to <a href="https://www.thenationalnews.com/news/2024/07/20/fallout-from-mass-it-outage-continues-as-crowdstrike-faces-double-trouble/" target="_blank">US cyber security company CrowdStrike</a>. In addition, the percentage of organisations globally that have reported costs of $1 million or more for their worst breach in the past three years rose to 36 per cent, from 27 per cent in 2023, according to PwC's 2024 <i>Global Digital Trust Insights</i> report. The corresponding number for those in the Middle East this year is 29 per cent. That means the damage from cyber attacks in the region could be far greater than the global average, said James Maude, field chief technology officer of US cybersecurity company BeyondTrust. “As the Middle East experiences a significant increase in digital transformation projects and technology investments, the risk of significant damage from a cyber attack will continue to grow,” he told <i>The National</i>. Malware detections in the UAE rose by about 12 per cent from January to May 2024, a broader trend affecting many countries in Europe, the Middle East and Africa, Swiss cyber security company Acronis said in a July report. Bahrain had the highest detection rate, followed by Egypt. The two countries and South Korea the three biggest targets during the first quarter of the year, it said. Moreover, while the Middle East is rapidly modernising and embracing digital technology, cyber security measures may not always keep pace, leaving critical infrastructure exposed. “This makes the potential impact of a cyber attack in the Middle East far-reaching, affecting not just the local economies but also having serious global consequences,” Sertan Selcuk, vice president at Florida-based cyber security company Opswat, told <i>The National</i>. That consequence would be felt in the industry that has long been the mainstay of the Middle East – energy. The effects of a cyber attack would not be limited to the Middle East, as the disruption it may cause would most certainly affect energy supply chains, with end consumers bearing the brunt of it. With the region home to some of the world's largest oil and gas producers, any cyber attack can be “particularly damaging due to the region's crucial role in the global energy market”, Mr Selcuk said. “Any disruption here could cause significant ripple effects globally, leading to energy shortages and price hikes.” The Middle East accounted for about a third of the world's oil production in 2023, exporting about 15 million barrels per day, data from Statista shows. “The energy sector is one of the most important and sensitive sectors that must protected from cyber attacks due to the devastating impact this sector might have on Middle Eastern economies,” Mr de Jong said. Cyber attacks around the world are a critical issue today. Taking into consideration the way digital transformation changes the way companies operate, suspect actors on the web also increase the volume and sophistication of their attacks. The number of attacks against the energy industry and critical national infrastructure is “rising dramatically, in quantity, magnitude and impact”, a February report from the World Governments Summit and consultancy EY said. There have been no notable cyber incidents in Middle East energy but in the US and Canada, attacks have risen by about 71 per cent from 2021 to 2022, the report showed. Complicating matters is geopolitical tension in parts of the Middle East: With its escalation, any high-profile or state-owned businesses will be at increased risk of cyber attacks from hacktivists, Mr Maude said. Analysts have listed energy, finance, stock exchanges and health care as the industries that are most at risk. “A breach of these entities could lead to substantial financial losses, erode trust … and destabilise the economy,” Saran Paramasivam, a regional director at Indian software company Zoho, told <i>The National</i>. Given that breaches affecting multiple environments incur the highest costs and longest resolution times, “substantial investments in security measures are imperative to mitigate both financial losses and operational disruption”, Mr Paramasivam added. Organisations and investors in the region are taking note: The Middle East's cyber security market is projected to surpass $24 billion by 2028, from an estimated $14.8 billion in 2023, growing at a compound annual rate of more than 10 per cent, according to research company Markets and Markets. And in as much as the region could be susceptible to an attack, it can also be viewed as “ripe for reinvention” as the top three cyber investment priorities for the Middle East are modernisation of infrastructure, optimisation of current technology and an “improved risk posture”, according to PwC. Aside from the dollars, the Middle East is also actively advancing its cyber security landscape by protecting its critical infrastructure, developing regulations, addressing skill shortage and improving incident responses, Mr Pasha said. “The region is also investing in advanced technologies and talent development, and working towards better data protection and regulatory frameworks,” he said. The security of critical infrastructure should be a priority: A 2022 Kaspersky report identified the Middle East as one of the top five global regions with the highest incidence of malware aimed at industrial control systems, making it an easy target for cyber criminals. It does not matter if the technology used is old or new – stay outdated and fall prey to tried and tested techniques, or be updated and still be victimised by bad actors who are steps ahead, argues Mr Selcuk. Systems that operate on outdated legacy platforms presents “significant challenges when updates, patch management and log collections require access through USBs, vendor laptops or other peripheral media”, Mr Selcuk said. Enterprises also need to ensure a top-to-bottom approach – from the server level and its authorised users, down to the personal devices of its end users – as cyber attackers can comb through a network to find any opening they will be able to exploit. “Cloud environments are also susceptible to misconfigurations, leading to improper access controls or accidental data exposure. Insider threats, such as privileged user abuse or data theft, cannot be overlooked,” Mr Paramasivam said. “Finally, mobile devices, with their increasing role in both personal and professional life, introduce vulnerabilities through unsecured devices and malicious applications.”