Why is the Middle East losing so much money to cybercrime?
September 3, 2024Cybercrime costs governments and businesses trillions of dollars every year. But it costs some more than others.
In 2023, cybercrime in the Middle East cost just over $8 million (€7.2 million) per incident, according to research funded by IBM that looked into data breaches in 16 countries. That puts Saudi Arabia and the United Arab Emirates — where the IBM study focussed — second in the world when it comes to this kind of financial damage.
Additionally the costs of cybercrime in the UAE and Saudi Arabia have been going up for years now. In 2018, the same annual study reported that the average cost of a cyberattack there was only $5.31 million.
Why is this happening?
It's important to see the increase in the context of the countries' growing e-commerce sector and ever-increasing internet penetration, which means more locals are online than ever. But according to the relevant ministries in Saudi Arabia and the UAE, they should be well protected.
The International Telecommunications Union, or ITU, a specialized United Nations agency, regularly publishes a ranking of global cybersecurity capacity and in the most recent rankings from 2020, Saudi Arabia and UAE are right at the top.
However, experts point out, the rankings are based on information the ITU gets from the countries themselves and although cybersecurity is increasingly seen as important in the region, there could well be gaps between what the Gulf states' policies say and how they actually work.
"The UAE, Saudi Arabia and Qatar are doing extremely well in terms of digitalizing their public services and they also have thriving sector of small and medium enterprises," says Joyce Hakmeh, deputy director of the International Security program at UK-based think tank, Chatham House, and an expert on cyber policy. "But as is often the case — and this is not just in the Gulf, but pretty much everywhere in the world — this digital transformation is happening so fast, that it can be at the expense of having the right cybersecurity measures in place."
"The Middle East is a hotbed for data breaches, primarily due to rapid digitization outpacing cybersecurity infrastructure," confirmed Mohammed Soliman, director of the Strategic Technologies and Cyber Security Program at the Washington-based Middle East Institute.
There's also the issue of centralized government control that's been focused on influence operations rather than, for example, infrastructure, Bassant Hassib, a professor of political science at the European University in Egypt, wrote in a 2022 paper for the journal, Middle East Policy. "Bureaucratic obstacles impede national cybersecurity organizations," Hassib noted, listing factors like unclear or overlapping responsibilities, uneven implementation of rules and a lack of detail and guidance as equally problematic.
Cybercrime: Mostly about the money
State-sponsored hackers who practice espionage and steal national secrets regularly make international headlines. And in the Middle East, politically motivated cyberattacks tend to follow the course of traditional regional rivalries, the MEI's Soliman told DW.
As such, they have become a favored weapon in proxy conflicts and when countries don't want any direct military engagement, he noted.
"Iranian cyber groups, for example, have been involved in politically motivated cyberattacks such as aggressive espionage operations against a diverse array of public and private sector victims in the Gulf states."
However while Israel, Iran and Turkey all have offensive cyber capabilities connected to their own militaries, the wealthy Gulf states tend not to — at least, not anything they talk about too openly. For this, they still rely mostly on connections with Israel and the US. In fact, analysts see this need as driving diplomacy between the Gulf states and Israel.
However the vast majority of cyberattacks around the world are still financially motived, US company Verizon says in its 2024 Data Breach Investigations Report. And this is also true for the Middle East. According to Verizon, in the Middle East, Europe and North Africa, 94% of cyberattacks are financially motived, with only 6% apparently political.
Blackmailing the world's wealthiest
One of the most popular methods for financially extorting organizations is with ransomware, a type of damaging software, or malware, that encrypts or locks data until a ransom is paid.
What is known as ransomware-as-a-service is also increasingly available, Hakmeh adds. This is ransomware that would-be cybercriminals can buy "off the shelf" on the dark web, she explains, which makes it easier to deploy.
Saudi Arabia and the UAE are home to some of the richest organizations in the world. That includes their sovereign wealth funds and oil and gas companies. As a report by British cybersecurity firm, Sophos, confirms, companies most likely to be targeted by ransomware are those with the highest revenues.
Following a 2024 survey of 5,000 professionals in the sector, mostly in Europe, Sophos found that just under half of organizations with revenues below $10 million were targeted by ransomware attacks. But that went up to 67% when they made more than $5 billion a year.
Richer companies were also more likely to pay the full ransom, Sophos' anonymized survey found. Slightly more than half the companies targeted by ransomware paid. But organizations with more than $5 billion in revenues usually paid the full amount demanded, while others were able to negotiate a lower price.
Other research suggests that the percentage of UAE companies that decide to pay up might be even higher, with one cybersecurity company's survey concluding around 84% of them agreed to pay their blackmailers.
Cybercrime happens everywhere, Hakmeh says. But what puts the Gulf states right at the top of the list of expensive incidents can be explained by, "a combination of high value targets, a rapid increase in digitalization and not enough cybersecurity measures, plus the increased sophistication of the threat actors," she concluded.
Edited by: Andreas Illmer