High-Risk Trends: 83% of UAE Employees Pose Threats to Organizational Security

Proofpoint’s tenth annual State of the Phish report sheds light on concerning cybersecurity trends in the UAE. Despite a global decline in successful phishing attacks, the UAE experienced an upward trend, with 92% of surveyed organizations reporting at least one successful attack in 2023, up from 86% the previous year. The consequences of these attacks have seen a significant spike, including a 44% increase in financial penalties and a staggering 300% surge in reports of reputational damage.

Contrary to the belief that security awareness training alone can prevent risky behaviors, the report challenges this notion. It reveals that 83% of employees in the UAE willingly put their organizations at risk, engaging in actions such as password sharing and clicking on links from unknown senders. The motivations behind these risky actions vary, with convenience, time-saving, and a sense of urgency cited as primary reasons.

A notable finding is the disconnect between security professionals and employees regarding responsibility for security. While 90% of security professionals believe that most employees are aware of their responsibility, 38% of employees either weren’t sure or claimed not to be responsible. Despite the high awareness of risks—97% of employees knowingly taking risky actions—there are disparities in what security professionals and employees consider effective in encouraging real behavior change. Security professionals advocate for more training (90%) and tighter controls (92%), whereas 94% of employees prioritize simplified and user-friendly controls.

Multifactor authentication (MFA) is highlighted as providing a false sense of security, with over one million attacks leveraging the MFA-bypass framework EvilProxy every month. Yet, 94% of security professionals in the UAE believe MFA provides complete protection against account takeover.

Business email compromise (BEC) attacks, fueled by generative AI, are on the rise, with 85% of organizations in the UAE targeted in 2023, up from 66% in 2022. Cyber extortion, particularly ransomware, remains a lucrative form of attack, with 77% of organizations in the UAE experiencing successful ransomware infections.

Telephone-oriented attack delivery (TOAD) continues to flourish, with Proofpoint detecting 10 million TOAD attacks per month on average. Despite the prominence and sophistication of these threats, the report indicates that many organizations are inadequately prepared or trained to deal with them. Only 13% of organizations educate users on recognizing and preventing TOAD attacks, and 21% educate users on generative AI safety.

The conclusion of the report emphasizes the urgent imperative for organizations in the UAE to bolster their cybersecurity defenses. Key recommendations include the enhancement of cybersecurity strategies, streamlining controls, and giving precedence to user-friendly security measures. While fostering a security culture is deemed crucial, the report underscores that the central challenge lies not merely in raising awareness but in instigating tangible behavior change among employees.

Recognizing the dynamic nature of cyber threats, the report highlights the need for proactive measures that go beyond traditional security practices. Simplicity and user-friendly controls are emphasized as essential components of an effective defense strategy. The report suggests that organizations must align their cybersecurity frameworks with the evolving threat landscape, incorporating measures that are not only robust but also easily understandable and executable by employees.

Furthermore, the emphasis on behavior change underscores the need for comprehensive and ongoing security awareness training. It calls for a shift from a mere awareness-centric approach to one that actively encourages and cultivates responsible cybersecurity behavior among employees. This approach acknowledges that, despite being aware of potential risks, employees may still engage in risky actions. Therefore, a holistic strategy that addresses the root causes and motivations behind such actions is vital.

In essence, the report’s conclusion serves as a rallying call for organizations to fortify their cybersecurity posture, adapt to emerging threats, and foster a culture where employees not only comprehend the importance of security but actively exhibit behavior that safeguards against evolving cyber risks. The overarching message is clear: the path to robust cybersecurity involves not just knowledge dissemination but a fundamental shift in the way individuals perceive and enact security practices within the organizational cont