Digital transformation in the Middle East: Securing the thriving digital economy

The Middle East is thriving as digital transformation sees financial firms harnessing technology to cut costs and increase efficiency. It was happening before the pandemic, but digital transformation has been accelerating since, with firms of all sizes adopting 5G and cloud at a rapid pace to enable new ways of working.  

Digital transformation in the Middle East is being fuelled by a number of government initiatives. For example, Saudi Arabia’s Vision 2030 outlines how the digital economy will drive ecommerce, boost public services and support a thriving non-oil-based private sector economy.  

There is still much opportunity for growth. According to Arthur D Little, the average contribution of the Middle Eastern digital economy is around 4%. It varies across countries: Saudi Arabia performs above average at 6.4%, while Oman (2.1%) significantly underperforms. But Arthur D Little says doubling of the digital economy in the Middle East is possible and can be unlocked with the correct policies. 

Covid-19 has been the perfect opportunity for Middle Eastern firms to learn to adapt to new technology and boost their capabilities, says Sleem Hasan, Founder and CEO of Privity FZ LLE, an independent venture-focused advisory firm. Hasan says technology is the only discipline that he has identified that has the ability to alter people’s ways of life whether they choose to embrace it or not. “Even religion can’t do that”, he adds.  

“Technology can disrupt and make obsolete: It is a great equaliser. It treats everyone the same,” he says. 

It’s clear digital transformation is creating opportunities for Middle Eastern firms, but this rapid change also increases cybersecurity risk. This is especially true for the financial sector, which is increasingly being targeted by cyber-criminals looking to steal valuable business data and extort cash. 

Cyber security awareness in the Middle East 

The damage that can be caused by a cyber-attack has already been seen across the globe. Late last year, the SolarWinds cyber-assault saw Russian nation state adversaries ravage through multiple companies’ systems via a supply chain breach.  

Attacks are increasingly utilising ransomware, with criminals encrypting business data and demanding a Bitcoin ransom in exchange for its release. No one is immune: In April 2020, the infamous Revil ransomware gang tried to extort cash from technology giant Apple.  

But despite these major cyber-attacks taking place across the globe, some firms in the Middle East lack cybersecurity awareness, which in turn increases risk. This is especially true in the United Arab Emirates (UAE), which is accustomed to low crime and high physical security. Yet this can result in some being lulled into a false sense of security, says Oli Johnson, Director at The 324 Consultancy. “Due to low crime rates, there is a general lack of cybersecurity awareness. Combined with the speed of digital transformation going on in the Middle East, it is creating more risk.” 

In 2019, the UAE launched a National Cybersecurity Strategy to try to address this growing problem, but it is still relatively new, says Johnson.  

Successful breaches can be extremely damaging to a firm’s reputation. As Hasan warns: “If someone gets hacked, the whole world will hear about it, thanks to the media. The larger you get and the more data you handle, the more you need to make sure it is not being compromised.” 

Human error is often the weak point through which would-be attackers can penetrate a firm. As Johnson points out: “Cyber defence starts with the human and if humans lack cybersecurity awareness, there will be issues.” 

Lori Baker Vice President, Legal and Director of Data Protection, DIFC, agrees: “Forget about traditional hacking into systems – human error and over-confidence can be the biggest downfalls.” 

Avenues of attack 

Methods of attack vary across the Middle East, but they often start in the most simple way, with phishing as a first point of entry. Last year, security vendor Kaspersky detected 2.57 million phishing attacks across the Middle Eastern region. Meanwhile, the UAE suffered more than 600,000 phishing attacks at the height of the Covid-19 stay-at-home measures, Kaspersky reported.  

Once adversaries have infiltrated an organisation using attacks like phishing, they will often look to perform corporate espionage, says Johnson. He says the financial industry is “one of the primary targets per sector”. 

Some financial firms fare better than others. Global organisations such as Standard Chartered and HSBC have security measures and controls in place across the world, says Johnson. “These organisations will be aware of the risks and there will be a global and local aspect.” 

However, he says, smaller or newer financial firms can find they have gaps in security. Johnson explains how cyber-criminals could target a small asset management company. “They may have a small number of employees in the low hundreds and might have less controls in place. An asset manager with a billion dollars of assets under management is a tempting target for cyber-criminals.” 

Yet at the same time, due to increasing resources available, start-ups sometimes fare better from a data protection standpoint, says Baker. For example, these firms have access to an innovation hub in the DIFC. “From the outset, a company has to go through a data protection notification process and say if they process personal data. If they say no, I am sent that information so we can check. That is the advantage we have; we can lay the ground work from the start.” 

Avoiding a breach 

It starts with awareness, and then there are several steps that Middle Eastern financial firms can take to avoid a breach. It is important that financial organisations understand the regulatory environment in the context of data breach reporting, Baker says.  

For example, while data protection laws are different in the Middle East to Europe, all businesses that deal with EU customer data must be compliant with the EU General Update to Data Protection Regulation (GDPR). 

It’s better to be safe than sorry, says Baker. “Since the dawn of the GDPR people say, ‘we don’t deal with European data’. But it’s a good idea to perform a really in-depth assessment – rule it out – and even if you find you aren’t caught, you may discover gaps. It can’t hurt to err on the side of caution.” 

With this in mind, Baker also advises firms to always follow best practice. “I tell companies that even if you don’t process a lot of information, ensure best practice anyway.” 

This includes cyber incident response tools to show what an attack looked like and how it played out. “What you don’t know can hurt you. Yes, there is a cost of compliance, but there are free tools available as well as access to regulators,” says Baker.  

Taking this into account, she suggests: “Why not have a meeting with the regulator? Have a chat with them and see what their expectations are and also implement good data protection and security practices. Build the principles into your business.” 

To be able to assess risk, it’s integral that financial firms have an independent assessment, such as penetration tests or, preferably, a targeted simulated attack (also known as a ‘red team exercise’), Johnson advises. “Understand the vulnerabilities. You need to understand your position, or you won’t know what your risks are. A ‘friendly’ attack will help to see in real-time the gaps in defences and that can be illuminating.” 

From there, says Johnson, it’s easier to build a profile. “If it’s starting at physical security – for example ‘shoulder surfing’ into the building and then getting onto a client floor and hacking into the corporate network – you can start building a picture of where those gaps are and act accordingly.” 

In order to facilitate this, Johnson advises financial firms to interview those responsible for cyber in the company and ascertain their view on the vulnerabilities, matching this to a simulated attack. “Then you can look at what can be done immediately to ‘stop the bleeding’, taking a risk based approach.”