Wael Abbas Radhi
Partner at Kreston Bahrain
Cybercrime in the Middle East
January 3, 2025
Cybercrime in the Middle East is a growing threat, yet despite the financial impact of data breaches, local firms still struggle to develop an effective strategy to combat it. Wael Abbas Radhi, Partner at Kreston Bahrain, explores why.
Financial impact of cybercrime in the Middle East
According to IBM’s annual Cost of a Data Breach Report, the average cost of a data breach for businesses in the Middle East reached SAR 32.80 million in 2024. This represents an increase of nearly 10% this year, from SAR 29.90 million in 2023. According to the organisations analysed, the top three factors that amplified breach costs for local businesses were security skills shortages, non-compliance with regulations and security system complexity.
Industries most affected by cyberattacks
The 2024 report highlighted that energy sector participants experienced the costliest breaches across industries, reaching SAR 36.90 million on average per breach. The region’s financial industry ranked second, with an average cost of SAR 35.81 million per breach, while the industrial sector came in third place at SAR 34.52 million.
According to Wael Abbas Radhi, Partner at Kreston Bahrain, cybercrime in the Middle East is a growing concern for clients, with multiple reports of clients (or their staff) falling for phishing and ransomware attacks. ‘Various ransomware attacks have been successful against clients,’ he said. ‘Mostly, data theft and encryption then a ransom is requested to release the decryption keys in order for the clients to gain back their data or get access to their data.’
Efforts to strengthen cybersecurity
To enhance cybersecurity, local companies are investing heavily in cutting-edge technologies like AI and machine learning. For instance, the Saudi giant Saudi Aramco is deploying AI to secure critical infrastructure. The venture arm of the company invested USD 9 million in SpiderSilk, a UAE-based startup offering AI-powered cybersecurity services. But as Radhi has pointed out, it is people that pose the biggest threat.
‘There has been a lot of investment in improving infrastructure security,’ he said. ‘Unfortunately, infrastructure cannot be the ultimate solution. Having up to date IT policies certainly helps curb the chances of any attacks being successful. However, “insider” threats are the ultimate problem, which means that the focus should be on the people and raising awareness.’
Governments in the Middle East are taking the cybercrime threat very seriously and are implementing legislative initiatives to bolster cybersecurity. On September 14, 2023, Saudi Arabia’s first data protection law came into effect. Companies operating in the Middle East must assess the impact of the new legislation on their data processing practices and ensure compliance with the new requirements.
In Jordan, the Cybercrime law No. 17 of 2023 came into force on September 13, 2023, replacing the Cybercrime law of 2015. The new law introduces enhanced measures to combat cybercrime.
Radhi advises clients to engage outside experts to ensure cyber defences are as robust as possible. ‘Engaging a consultant or a security expert would be best to map out the systems in place and identify any gaps in security,’ he said. ‘As well as executing mock attacks to help raise awareness.’
Addressing the cybercrime workforce shortage
One of the problems that the Middle East faces as a region is that there is a serious skills shortage of qualified people who can offer quality consultancy work. When analysing the costs for local organisations, the IBM report found that the shortage of security skills contributes to the average increase in data breach costs by SAR 1.62 million. This highlights the pressing need for businesses to bridge the gap. Kreston Bahrain has cultivated a skilled team of consultants that can offer a range of services to the clients, such as: risk assessments, best practices, employee training, compliance guidance, threat intelligence solutions and regular audits.
But consultants can only do so much. There needs to be greater awareness and education on cyber security from the management down within firms and, unfortunately, Radhi is finding that clients are not educated at all. ‘Local firms are not investing enough in prevention strategies and technologies,’ he said. ‘As dangerous and as costly as cybercrime is, these issues are still not taken seriously by most clients. The main reason for this is quite simply, money. Many firms simply do not allocate enough of a budget to tackle this problem effectively, which means they are always reacting to a problem, rather than being proactive.’
But as the IBM report shows, it is a false economy for local businesses not to prioritise cybercrime. As Middle Eastern businesses become increasingly digitised, the problem is only going to get worse and the cost to businesses is only going to increase. The Middle East already ranks as the second highest region for data breach attacks in the world – it may find it has the dubious honour of being first in the IBM report in 2025.