Employee cybersecurity negligence puts Middle East organizations at risk in hybrid work environments

Over a third of UAE and KSA employees (38% and 36% respectively) admit they would take documents with them to their next

A survey by global cybersecurity company Proofpoint has revealed that working professionals in the Middle East are putting their employers at risk through their cybersecurity negligence, fueled by the adoption of hybrid work. Many employees are responsible for creating data loss challenges for their organization, with 38% in the UAE and 36% in KSA admitting that they would take documents they created with them when they started a new job. Furthermore, only 17 percent of employees in the UAE and 14 percent in KSA felt that they share the responsibility for cybersecurity in their organization.

The survey also revealed that many employees in the Middle East demonstrate risky behaviors that could facilitate successful cyberattacks. More than half (51%) of employees in the UAE admit to connecting to home or public Wi-Fi networks without knowing if they are secure, while 44% of KSA-based employees are also negligent about connecting to insecure networks. Other notable risky behaviors found by the survey include using USB drives, downloading attachments and files from unknown sources, and clicking on malicious URL links.

Furthermore, many Middle East employees are seemingly unaware that their actions might in fact classify as insider threat incidents. When asked what data they would take with them to a new job when they leave their current role, in addition to taking documents they created, other assets and information they would take with them to a new job included work devices (34%), contact details for colleagues (33%), contact details for customers (25%) and planning materials (20%). In KSA, employees admit they would take the following with them when they start a new job: work devices (30%), contact details for colleagues (26%), contact details for customers (27%) and planning materials (19%).

Adenike Cosgrove, vice president, cybersecurity strategy, EMEA at Proofpoint, added, “employees must understand that they play a critical role in preventing data breaches and that this isn’t just an IT problem. As traditional working models evolve, the old ways of protecting data no longer work. Organizations will need to work together with their employees to up their game and adapt data loss prevention and insider risk solutions to protect endpoints, cloud apps, email, and the web.”

Proofpoint’s research also found that email-based threats, such as Business Email Compromise (BEC), ransomware, credential phishing, compromised cloud accounts, and social media hijacking attacks, were all being employed by cybercriminals targeting employees to steal credentials, siphon sensitive data, and fraudulently transfer funds.

Despite their risky behavior, more than half of employees in both countries showed a level of caution with email communications: 53% of employees in the UAE and KSA said that they check the email address of a sender before opening an attachment or clicking a link. Encouragingly, 65% of UAE and 58% of KSA employees also said that their organization delivered cybersecurity awareness training to mitigate such attacks. On the downside, the survey reveals that many employees still believed that the IT team was responsible for cybersecurity.

On a personal level, surveyed employees are not immune to online scams and threats: the study shows that 31% of working adults in the UAE and 29% in KSA had their social media accounts hacked in the past year. In addition, more than one in five also admit they had suffered financial loss due to fraud, while 21% of UAE and 19% of KSA respondents confessed to stolen online credentials in the past year.

Emile Abou Saleh, senior regional leader, Middle East, Turkey and Africa, Proofpoint, said: “People-centric cyberattacks pose the biggest risk to organizations and working adults in the UAE and KSA. The good news is that organizations in the Middle East are taking the right steps to raise employee cybersecurity awareness. However, an effective and comprehensive cybersecurity awareness training program that adapts to the ever-evolving threat landscape is fundamental, as employees are increasingly accessing organizational data from multiple platforms, devices, and locations. Protecting data has never been more critical.”