Across the Middle East, the COVID-19 pandemic is causing organizations to rapidly enable remote working for their knowledge workers. As these trends toward remote work or mixed environments become the “New Normal,” there are major cybersecurity implications. Employees are often the weakest link in cybersecurity. What happens now that they are working at home?
By Dr. Moataz Bin Ali, Vice President, Trend Micro Middle East & North Africa
While many Middle East employees have become more aware of the importance of cybersecurity, they often fall short on practical deployment – and CISOs need to develop personalized strategies.
Head in the Clouds – How big of a cloud security nightmare are you?
As part of Trend Micro’s Head in the Clouds survey, we interviewed 13,200 remote workers across 27 countries, including 502 remote knowledge workers in the United Arab Emirates (UAE) and 501 in Saudi Arabia, about their attitudes towards corporate cybersecurity and IT policies.
First, the good news: in two of the largest markets in the Middle East, more than four fifths of remote workers in Saudi Arabia (86%) and the UAE (82%) say they are more conscious of their organisation’s cybersecurity policies since lockdown began in March. Among respondents, 88% in both the UAE and Saudi Arabia say that they take the instructions from their IT teams seriously.
However, many remote workers in the Middle East are continuing to break their organizations’ cybersecurity policies due to limited understanding or resource constraints.
One of the biggest and most frequent mistakes that employees are making is accessing non-work applications on a corporate device – whether personal email, social media, or entertainment streaming.
The majority of employees admit to using non-work apps on a corporate device – including 58% in the UAE and 59% in Saudi Arabia. Respondents gave numerous reasons – including having a work-related reason, trying out the latest apps, and thinking that it’s acceptable because the IT team hasn’t yelled at them yet.
Nearly half of respondents – including 42% in the UAE and 42% in Saudi Arabia – say they have uploaded corporate data to non-work apps. While some of these uploads may seem fairly routine, such as transferring files through a third-party service or using a third-party chat platform, the security risks can be immense.
Just as much of a concern are the employees who are using their work laptops for personal browsing (40% in the UAE, 37% in Saudi Arabia). While the top results – search engines, personal email, and news – may seem fairly harmless, employees may not fully understand the risks that they are posing to corporate data.
Furthermore, about one-third of employees in the region also say that they access corporate data from a personal device (36% in the UAE, 34% in Saudi Arabia). In our always-on work culture, employees may face pressure to reply quickly from whichever device they are using. But these devices may not be fully secure in terms of separate passwords, virtual private networks (VPNs), or two-factor authentication.
COVID-19 Threats Present New Challenges
As the COVID-19 coronavirus continues to spread, the topic is being used in many malicious campaigns — including email spam, business email compromise (BEC), malware, ransomware, and malicious domains. Fraud activity is still on the rise as communities remain in and are starting to emerge from quarantine.
In the countries that comprise the Gulf Cooperation Council (GCC), during H1 2020, Trend Micro recorded 163,774 COVID-related threats: 36,312 email spam attacks, 127,415 URL attacks, and 47 malware threats detected. The UAE led the GCC with 138,584 COVID-19 attacks, including 13,229 email spam attacks, 125,330 URL attacks, and 7 malware threats detected. Similarly, Saudi Arabia was not far behind with 8,509 attacks in H1 2020 – including 7,970 email spam attacks, 514 URL attacks, and 25 malware threats detected.
As employees across the GCC and the Middle East continue to adapt to new methods of working, they should also be wary of cybercriminals using popular online tools, sharing software, and file attachments in their scams. Unverified mobile apps tracking COVID-19 can also present major risks.
Tailoring Cybersecurity Programs to Meet the Middle East’s Needs
When it comes to cybersecurity, not everyone has the same habits and attitudes towards risk. As a result, we’ve worked with leading cyber-psychologists to identify four typical key character types. Rather than take a one-size-fits-all approach, Middle East organizations should tailor their cybersecurity training and risk management to these character types.
- Fearful – Anxious about doing something wrong or exposing themselves or their organization to risk, highly accountable for their own behaviour, not always aware of what cyber risks are out there or how to manage them, may deploy risk avoidance strategies at the cost of productivity.
- Conscientious – Well-versed in understanding cybersecurity risks, always takes proactive steps to avoid or manage risk, highly accountable for their own behaviour, and mindful of their role in protecting the organization.
- Ignorant – Distinct lack of cybersecurity awareness, absence of accountability for their own behaviour, careless and regularly takes risks, and does not understand the significance of their actions as they relate to cybersecurity.
- Daredevil – Careless and lacks any sort of diligence around cybersecurity, has no regard or accountability for their own behaviour, reckless and has a perceived superiority that the rules do not apply to them, and believes that infosecurity responsibility lies elsewhere within their organization.
What are the practical steps that Middle East organizations can take in their cybersecurity readiness?
In addition to delivering a more personalized approach to cybersecurity training sessions, we are also recommending that organizations take a multilayered protection approach to protect all fronts. Middle East organizations need to prevent users from accessing malicious domains that could deliver malware.
For example, Trend Micro’s connected threat defense enables organizations to deploy security solutions at all touchpoints in an IT system – endpoints, hybrid cloud and networks. Trend Micro solutions can detect and block malware, malicious domains, and spear phishing emails; find unknown malware using machine learning; thwart spam and email attacks; and use AI to identify email attacks.
Ultimately, remote working only works if there is a high degree of trust between managers and their teams.
As lockdown measures continue to loosen across the Middle East, organizations and their employees will have to re-earn trust if they are to continue benefiting from the work from home environment.
About the Author
As Vice President for Trend Micro Middle East and North Africa (MENA), Dr. Moataz Binali is responsible for spearheading the company’s strategy across the region, and advancing its position as a leader in cybersecurity that is passionate about making the world safe for exchanging digital information. A significant part of Dr. Binali’s role is to oversee Trend Micro’s efforts in enhancing the cybersecurity posture amongst governments and enterprises, contributing to the digital economy of MENA. Prior to joining Trend Micro, he held pivotal roles at the regional level in global technology organizations such as SAP, IBM, and Microsoft.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.