by Stephen Donald McBride

Don’t click that! Middle East enterprises wrestle with user laxity

Nov 11, 2019

Cultural diversity, language disparity and even daily routines unique to the region are being exploited; security experts offer advice.

Image: lateral phishing (credit: Barracuda)

The threat landscape constantly evolves, but enterprises live a security story that rarely changes shape – protect the perimeter, mitigate the risk, ensure speedy recovery. And at the heart of it is the persistent weak link of end-user behaviour.

“We are witnessing a shift in the behaviours of threat actors as they are increasingly targeting people rather than infrastructure,” said Emile Abou Saleh, Regional Director, Middle East and Africa for Proofpoint, which recently published its 2019 Human Factor Report. The study’s headline figure is that 99% of all targeted attacks worldwide rely on user naivety, specifically an errant click on the wrong link.

Users click on links they should not. The key to understanding how to deal with user carelessness is to understand user behavior, security experts say. The questions then become: Can we stop them doing that? And if not, how do we prevent, or brace for, disaster?

Proofpoint’s research identified geographical variations in the times of day at which people most often click on links, with those in the Middle East appearing to favour midday, after lunch and late evening.

Among other malicious actors and entities, the TA505 cybergang, which garnered recent infamy for exploiting the human factor in retail and financial services enterprises around the world, has targeted organisations in the United Arab Emirates, Saleh said.

Exploiting language barriers

Nicolai Solling, CTO at Help AG, a systems integrator specialising in cybersecurity, considers the Middle East at particular risk from the human factor, saying the effect is “perhaps more pronounced in [the region] than in other geographies”.

“The reason is the Middle East’s vivid cultural diversity,” he said. “The UAE alone is home to people of more than 200 nationalities. This gives attackers the opportunity to craft attacks that exploit something as simple as language skills, or more nuanced cultural traits, through social engineering attacks.”

Solling lamented the rise of email-borne phishing attacks, warning that their success rates appeared to go up when language barriers prevented recipients from telling legitimate emails from malicious ones.

Some data, though, suggest the Middle East may be less prone to human-factor breaches. At the recent Security and Risk Management Summit in Dubai, Gartner analyst Jon Amato cited a 2018 IBM survey that showed human-error-driven data breaches made up only 18% of reported incidents in the region, compared to as high as 35% in Italy and 30% in South Africa. But there’s a catch: “Human-caused breaches cost more to remedy in the Middle East – around $203 per compromised record,” Amato said.

In fact, the IBM report referred to by Amato showed the Middle East as facing a greater expense per compromised record for all breaches, regardless of cause (criminal or malicious attack; system glitch; or human error). It also showed that criminal actors were the cause of most breaches.

Middle East is ripe for incursion

The Middle East is home to a diverse workforce and a higher-than-average per-capita proliferation of devices, especially in the Arab Gulf region, where rapid 5G rollouts reflect high subscription and smartphone penetration rates. All six GCC states have 5G projects in full swing, with nine other MENA markets to follow suit, according to GSMA Intelligence’s MENA Mobile Economy report for 2018.

ICT decision makers in the Middle East will therefore likely face a deepening crisis if they do not address the proportion of breaches caused by human behavior. While technology can, at best, act only as a mitigating element for user error, solutions do exist that help counter the errant click.

Amato suggested turning to user and entity behaviour analytics (UEBA) tools, which build profiles of users’ interactions with systems and flag divergences that indicate an attack is in progress. “Multi-factor authentication can help as well, especially [in instances where a user] may have been socially engineered into providing account credentials,” he advised.
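As an added illustration of the UEBA approach Amato describes (example code written for this page, not from the article or any vendor’s product): a per-user baseline of login hours, source addresses and actions is built from constructed log lines, and later events are flagged where they diverge from it. The log format, the one-hour slack and the sample values are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the article): "timestamp user src_ip action".
# The first log is the learning window; the second holds events to be scored.
BASELINE_LOG = """\
2019-11-04T08:55:10Z alice 10.0.0.12 login
2019-11-04T13:02:41Z alice 10.0.0.12 login
2019-11-05T09:10:05Z alice 10.0.0.12 login
2019-11-05T14:20:33Z alice 10.0.0.12 login
2019-11-04T07:40:00Z bob 10.0.0.44 login
2019-11-05T07:45:12Z bob 10.0.0.44 login
"""

NEW_LOG = """\
2019-11-11T09:05:00Z alice 10.0.0.12 login
2019-11-11T23:48:19Z alice 198.51.100.7 login
2019-11-11T07:50:02Z bob 10.0.0.44 login
2019-11-11T08:01:30Z bob 10.0.0.44 export
"""

def parse(log):
    """Yield (timestamp, user, src_ip, action) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, user, ip, action = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, action

def build_profiles(log):
    """Learn, per user, the hours of day, source addresses and actions seen so far."""
    profiles = defaultdict(lambda: {"hours": set(), "ips": set(), "actions": set()})
    for ts, user, ip, action in parse(log):
        p = profiles[user]
        p["hours"].add(ts.hour); p["ips"].add(ip); p["actions"].add(action)
    return profiles

def hour_distance(a, b):
    """Circular distance between two hours so 23:00 and 00:00 count as adjacent."""
    d = abs(a - b)
    return min(d, 24 - d)

def score_events(profiles, log, hour_slack=1):
    """Return (user, timestamp, reasons) for every event that departs from its profile."""
    alerts = []
    for ts, user, ip, action in parse(log):
        p = profiles.get(user)
        if p is None:                      # no baseline at all: always worth a look
            alerts.append((user, ts.isoformat(), ["unknown user"])); continue
        reasons = []
        if not any(hour_distance(ts.hour, h) <= hour_slack for h in p["hours"]):
            reasons.append(f"hour {ts.hour:02d} outside baseline")
        if ip not in p["ips"]:
            reasons.append(f"new source {ip}")
        if action not in p["actions"]:
            reasons.append(f"first-seen action {action}")
        if reasons:
            alerts.append((user, ts.isoformat(), reasons))
    return alerts
```

Real UEBA products weight such signals and learn continuously rather than from a fixed window; the point here is only that the “divergence” being flagged is a measurable gap between an event and a learned profile.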

Proofpoint’s Saleh advocated the identification and quarantining of inbound email threats targeting employees and outbound threats targeting customers, suggesting “a robust email-fraud defence as low-volume business email compromise scams often have no payload at all and are thus difficult to detect”.

Be wary of user privileges

Additionally, regional organisations have a habit of granting too many privileges to users who do not need them to fulfil their job function, noted Help AG’s Solling. By adopting solutions that automate privilege management, users are not only limited to the appropriate privileges; they are granted those credentials only at the moment they require them.

Ultimately, security experts agree that problems with human behaviour are best tackled by the most human of solutions — training. In the Middle East, however, designing training programmes to mitigate the human-error element in cyberbreaches is not as straightforward as it is in other regions, where any one country has a distinct national language.

“End-user security awareness training will help anywhere [in the world], but local-language application of that training will be crucial in the Middle East, especially given the vast diversity of languages and cultures that we see in enterprises here,” Gartner’s Amato said.

Mind the language

Creating regionally relevant content, to ensure training captures key concepts clearly, will help, advises Proofpoint’s Saleh. “This is possible by going beyond mere translation and… taking into consideration the diverse cultural background of the workforce, especially in countries such as the United Arab Emirates,” he said. Such approaches are of particular importance in phishing simulations, where training needs to reflect real-world lures that resonate with regional and local daily routines.

Training may be a sounder investment than ever, considering its cost has declined as the increase in attacks drives a growth industry with an over-abundance of trainers. Since human perception and vigilance are among the most effective tools against digital incursions, well-trained employees present an obvious cost-benefit ratio, notes Solling, who cautions that CIOs and CISOs should put some thought into how they would measure the outcome of training programmes before implementing them.

Maintain constant vigilance

“Policies need to be set, and convenient frameworks need to be created,” Solling said, advocating regular drills to ensure that messages and the overall cybersecurity strategy are effective; these include social engineering testing, red-teaming exercises, vulnerability analysis and penetration testing.

All cybersecurity initiatives need to adapt to the continually evolving threat landscape, and this is especially true for user-awareness programmes.

“As threat actors become more sophisticated, training programmes need to be updated to illustrate the new threat outlook,” said Saleh.