Regional Instability Makes Cyber Resilience a Leadership Priority

Diego Arrabal, VP EEMEA at Check Point Software Technologies, discusses how the threat landscape shifts during geopolitical tensions and highlights practical steps enterprises should prioritise to reduce risk and maintain operational continuity.

In the Middle East, instability rarely stays contained and often has a global impact. It shows up in flight schedules, supply chains, customer confidence and the tempo of decision-making. Cyber risk tends to move the same way, not as a separate “IT issue,” but as a force multiplier that can quickly turn a normal business day into incident mode.

What changes during moments of geopolitical escalation is not just the threat itself. It is the volume of disruption attempts, the speed of opportunistic attacks and the very real chance of spillover affecting organisations that were never the intended target.

The past few days have made another point hard to ignore: digital continuity is closely tied to physical infrastructure. Reports of disruption affecting cloud and data centre services following incidents in the region show how quickly physical events can cascade into the digital platforms businesses rely on every day.

Even if most businesses never face something that extreme, the lesson is clear: resilience planning is no longer a purely technical conversation.

The cyber “weather” shifts in ways leaders can recognise
When regional tensions rise, the broader cyber environment often shifts in predictable ways.

One: Noise turns into disruption
Visibility becomes important to attackers whenever tensions escalate. Websites get hammered. Login pages get tested. DDoS and bot traffic spike. In many cases the goal is not stealth but friction: slowing operations, distracting teams and creating uncertainty.

Two: Identity becomes the fastest route to impact
Most serious incidents still begin with something very human: a reused password, a believable email, a rushed click, an admin account that never got cleaned up. During periods of intense news cycles, people move faster and attackers often plan for that.

Three: The edge becomes the weak point, especially “facilities tech” that lives on the network
This is where many organisations still have a blind spot. Cameras, building management systems and other internet-connected devices often sit quietly on networks for years. Attackers do not see them as “facilities technology.” They see them as reachable infrastructure.

Recent research has highlighted intensified attempts to identify and access internet-connected cameras across parts of the Middle East. These devices are widely used across corporate facilities, logistics hubs and industrial environments, yet when exposed to the internet or running outdated firmware, they can become part of an organisation’s broader attack surface.

That is not shared to create alarm, but to prompt a practical question every CISO and security leader should be able to answer: if a connected device is compromised, what could it reach next, and how quickly would anyone notice?

What enterprises in the GCC should tighten now
When threat levels rise, there’s always a temptation to do a hundred small things. The organisations that handle pressure best tend to focus on a few fundamentals and execute them well.

Reduce exposure, ruthlessly
The easiest opportunities for attackers are systems that were never meant to be publicly reachable in the first place.

Security teams should review what is internet-facing, including remote access portals, administrative interfaces, older web applications and connected devices, and restrict access wherever possible. Patching exposed systems and shutting down unused services remains one of the most effective ways to reduce risk.

Treat identity like critical infrastructure
Security controls lose their value if the wrong person can log in.

Priorities should include enforcing phishing-resistant multi-factor authentication across critical systems, limiting the number of privileged accounts and monitoring for high-risk authentication events such as password spraying attempts, unusual login locations, or unexpected privilege changes.

Segment IoT and surveillance technology properly
This is where the camera targeting research lands as a real-world reminder, not a headline. Check Point Research’s practical defensive guidance is clear: remove public exposure, change default credentials, patch firmware, isolate devices on dedicated segments and monitor for abnormal behaviour.

In simple terms, cameras should not be able to “see” the rest of your environment. If they can, you’ve created an unnecessary bridge between the physical and digital sides of the organisation.

Build readiness that stays calm under pressure
An incident rarely unfolds as a single event. It is usually a sequence: confusion, noise, incorrect assumptions and slow decisions. Preparation helps prevent that spiral.

The most practical steps include ensuring backups are tested regularly, defining recovery priorities in advance, and maintaining a clear escalation path so containment actions do not wait for organisational alignment.

The leadership takeaway
Many organisations still talk about cyber resilience as a technical maturity score. In reality, especially during periods of regional stress, it is much closer to operational stability.

If leadership teams can answer these questions clearly, they’re already ahead of the panic curve:

  • What systems are exposed today that do not need to be?
  • Which identities have the ability to change critical infrastructure?
  • Could a compromised edge device reach the rest of the network?
  • If disruption occurs unexpectedly, what systems get restored first and who decides?

That is the level this conversation needs to sit at. Not fear. Not noise. Practical control and the ability to keep operating even when the environment around us becomes unpredictable.