By Emile Abou Saleh, Regional Director, Middle East, Turkey and Africa at Proofpoint
Saudi Arabia’s digital economy is on an accelerated growth path. In 2019 the Ministry of Communications and Information Technology announced a “cloud first policy” that paves the way for public and private sector organizations to move to the cloud in order to improve business performance.
The goal is to connect the Kingdom to a thriving digital economy by promoting innovation, sustainability, growth, and business partnerships. More than $9 billion worth of investments were announced this year to strengthen digital transformation efforts across the Kingdom, and it is estimated that the digital economy in Saudi Arabia will be worth more than $50 billion in the future.
Cyber resilience and data protection will be key to fulfilling this agenda. Unfortunately, cyber preparedness levels in the region are still low, and employees remain one of the largest attack surfaces for organizations. Proofpoint’s 2023 Voice of the CISO Report found that most CISOs in the region have returned to the elevated level of concern they felt early in the pandemic. Of the Saudi CISOs surveyed, 68% feel at risk of experiencing a material cyberattack in the next 12 months, compared to 48% last year. Further, 61% believe their organization is unprepared to cope with a targeted cyberattack, compared to 50% last year.
People risk continues to grow as an area of concern, with more Saudi CISOs now viewing human error as their organization’s biggest cyber vulnerability. This year 48% of those surveyed cited human error as one of the biggest areas of risk, compared to 38% in 2022. At the same time, only 40% of Saudi CISOs believe that employees understand their role in protecting the organization, down from 43% in 2022 and 62% in 2021, which illustrates how hard it is to build and sustain a strong security culture.
There are several reasons for this. In a post-pandemic world, the rise of remote work has made mitigating people risks even more challenging. Employees are working further outside of their organization’s traditional security perimeters, accessing corporate networks using personal devices, and moving from place to place.
This environment creates new entry points and risks, and makes it easier for data to fall into the wrong hands through carelessness. In addition, pandemic-related job mobility meant workers changed or left jobs at higher rates than before, which makes data harder to protect and leads to data loss through insider action. According to Proofpoint’s 2023 Voice of the CISO Report, 63% of security leaders reported having to deal with a material loss of sensitive data in the past 12 months, and of those, 82% agreed that employees leaving the organization contributed to the loss.
We are also seeing a rise in supply chain attacks delivered through email fraud and third-party software. In these attacks, cybercriminals compromise vendors or service providers in order to reach their customers and partners. The initial supplier compromise is usually achieved by phishing or malware. Once inside a supplier’s environment, attackers can take over or spoof its email accounts and use them to send phishing, fraudulent invoices or other attacks to the supplier’s customers, who have every reason to trust mail from a known business partner.
Once attackers have breached customer systems, they can steal confidential data, install ransomware or use access to trigger a further wave of phishing or email fraud attacks. Poor or non-existent cyber security training for employees creates weak points for threat actors to infiltrate organizational infrastructure.
A proactive approach to protecting people from people-centric attacks is vital, as is monitoring email and collaboration tools for warning signs so that fraud can be stopped before money or data leaves the organization. Organizations must recognize that people are their biggest asset, and that keeping people safe is how data is kept secure.
By building a people-centric approach to compliance and security, and by strengthening data protection against external sources of risk, organizations can respond to risky behaviour faster. This includes training users to identify and report suspicious impostor email, and giving them the knowledge and skills needed to protect the organization from human-activated threats. For example, warning users when a message comes from an external sender, from a newly registered domain, or from a domain that merely resembles a known supplier’s domain helps them make better decisions about uncertain email. One caveat: a tag alone will not catch mail sent from a genuinely compromised supplier account, because that mail comes from the real domain; for that case the warning needs to be paired with checks on the content, such as a sudden change of bank details on an invoice.
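The following is an added example, not Proofpoint code or anything from the original article, showing how the external-sender and newly-registered-domain warnings described above can be implemented as a simple classifier over inbound mail, extended with two further checks a practitioner would normally add: a lookalike test against known supplier domains (the supplier-impersonation pattern from the supply chain discussion above) and a Reply-To mismatch test. The organization’s own domains, the supplier list and the domain registration dates are all assumptions constructed for the example; in production the registration date would come from a WHOIS/RDAP lookup or a threat-intelligence feed. The sample messages are constructed as well.

```python
"""Inbound-mail warning tags: external sender, newly registered domain,
supplier lookalike domain and Reply-To mismatch.

Added example (not Proofpoint code). All domains, dates and messages below
are constructed for illustration.
"""
from datetime import date
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAINS = {"example-corp.sa"}                            # assumed: our own domains
SUPPLIER_DOMAINS = {"acme-supplies.com", "gulf-logistics.sa"}  # assumed: known vendors
NEW_DOMAIN_DAYS = 30                                         # "newly registered" threshold

# Constructed stand-in for a WHOIS/RDAP registration-date lookup.
DOMAIN_CREATED = {
    "acme-supplies.com": date(2015, 3, 2),
    "acme-supp1ies.com": date(2024, 5, 20),   # lookalike: "l" replaced by "1"
    "gulf-logistics.sa": date(2012, 9, 9),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquatted supplier domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, known: set, max_edits: int = 2):
    """Return the known domain this one resembles but is not, else None."""
    for k in sorted(known):
        if domain != k and edit_distance(domain, k) <= max_edits:
            return k
    return None


def classify(raw_message: str, today: date = date(2024, 6, 1)) -> list:
    """Return the warning tags that should be shown to the recipient."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    if sender in ORG_DOMAINS:
        return []                       # internal mail: no banner
    tags = ["EXTERNAL"]
    created = DOMAIN_CREATED.get(sender)
    if created is None:
        tags.append("UNKNOWN_DOMAIN_AGE")
    elif (today - created).days <= NEW_DOMAIN_DAYS:
        tags.append("NEWLY_REGISTERED")
    target = lookalike_of(sender, SUPPLIER_DOMAINS)
    if target:
        tags.append(f"LOOKALIKE_OF:{target}")
    reply_to = domain_of(msg.get("Reply-To"))
    if reply_to and reply_to != sender:
        tags.append("REPLY_TO_MISMATCH")  # replies silently routed elsewhere
    return tags


def banner_text(tags: list) -> str:
    """Banner to prepend to the message body, empty when no tags apply."""
    if not tags:
        return ""
    lines = ["CAUTION: this message came from outside the organisation."]
    risky = {"NEWLY_REGISTERED", "REPLY_TO_MISMATCH"}
    if risky & set(tags) or any(t.startswith("LOOKALIKE_OF:") for t in tags):
        lines.append("It shows signs of supplier impersonation. Verify any "
                     "payment or bank-detail change by phone on a known number.")
    return "\n".join(lines)


# Constructed sample messages.
SAMPLE_INTERNAL = """From: Sara <sara@example-corp.sa>
To: ops@example-corp.sa
Subject: Lunch

See you at 12.
"""
SAMPLE_SUPPLIER = """From: ACME Billing <billing@acme-supplies.com>
To: ap@example-corp.sa
Subject: Invoice 4471

Please find invoice 4471 attached.
"""
SAMPLE_LOOKALIKE = """From: ACME Billing <billing@acme-supp1ies.com>
Reply-To: acme.payments@mail-relay.example
To: ap@example-corp.sa
Subject: Updated bank details for invoice 4471

Our bank account has changed; please update it before paying.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_INTERNAL, SAMPLE_SUPPLIER, SAMPLE_LOOKALIKE):
        tags = classify(raw)
        print(tags, "|", banner_text(tags).replace("\n", " "))
```

The genuine supplier message above gets only the EXTERNAL tag, which is exactly the limitation the caveat describes: if that supplier’s account were taken over, nothing in this logic would change. The impostor message is caught three times over (new domain, lookalike domain, reply routed elsewhere), and the banner tells the user what to do rather than only that something is wrong.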
Monitoring all relevant tools and platforms in real time to detect compliance or policy violations is also essential. Lastly, layered defences, including a dedicated insider threat management solution and strong security awareness training, give Saudi organizations a far better chance against threats that treat people as the main perimeter; no single control is enough on its own.