Written by Emile Abou Saleh, senior regional director, Middle East, Turkey, and Africa, Proofpoint

Protecting organizational data and credentials has never been more critical. Threat actors today realize that it’s more effective (and cheaper) to steal credentials and log in, than trying to hack through technical controls. Once they have siphoned access details from just one employee, they move laterally, stealing even more credentials, compromising servers and endpoints, and downloading sensitive organizational data. And most of these attacks start by targeting unsuspecting employees via email.

Cybercriminals understand that your people hold access to your crown jewels (your data), and that the majority can be relatively easily tricked into taking an action which could put the security of your organization in jeapordy.

Employees across all job levels and functions can put organizations at risk in numerous ways, from using weak passwords and sharing credentials to clicking on malicious links and downloading unauthorized applications. Unfortunately, many employees in the Middle East are demonstrating risky behaviours that could lead to a successful cyberattack.

According to Proofpoint data, the Middle East’s working professionals are putting their employers at risk through their cybersecurity negligence. There is a real lack of ownership when it comes to cyber security: with only 17 percent of employees in the UAE and 14 percent in KSA believing that they share the responsibility for cybersecurity in their organization.

Worryingly, today’s hybrid work environment has intensified the risky behaviours that facilitate successful cyberattacks. From using USB drives and downloading attachments and files from unknown sources to clicking on malicious URL links – Middle East organizations are at risk from many forms of insider threats. More than half (51 percent) of UAE employees and 44 percent of KSA-based employees have connected to home or public Wi-Fi networks without knowing if they are secure.

Driving behaviour change
So what can organizations do to reduce people-centric risk and drive behaviour change? As traditional working models evolve, the old ways of protecting data no longer work. Organizations will need to work together with their employees to up their game and adapt data loss prevention and insider risk solutions to protect endpoints, cloud apps, email, and the web. Data loss for organizations is more than an IT problem and employees must understand they play a critical role in preventing data breaches.

Cyber threat education for users is a part of the answer. A more sustainable and effective solution, albeit a more challenging one to implement, is building a security culture, that goes beyond compliance and training, and motivates and empowers users to keep their organizations safe.

Cybersecurity culture is defined as “the beliefs, values, and attitudes that drive employee behaviors to protect and defend the organization from cyberattacks.” It is a strong factor in the development of positive security behaviors. When employees feel responsible for helping prevent incidents it improves an organization’s overall security posture. When employees buy into the belief that security is everyone’s responsibility, it leads to higher vigilance, appropriate behavior, and prevention of data theft. Overall, it helps reduce people-centric risk.

With a strong cybersecurity culture, users learn to build sustainable habits that extend protection to their personal lives – which is even more vital in the hybrid work environment. After all, cyber threats and online scams do not end at work. Proofpoint data shows that 31 percent of working adults in the UAE and 29 percent in KSA had their social media accounts hacked in the past year. More than one in five also admit they suffered financial loss due to fraud, while 21 percent of UAE and 19 percent of KSA respondents had their online credentials stolen in the past year.

Along with the sense of ownership for an organization’s cyber security, all users need to be empowered with the right knowledge and tools to identify threats and feel responsible for doing their part to prevent attacks from disrupting or damaging the organization. When faced with threats after-hours, on personal devices, or when they least expect them, users then know how to thwart malicious cyber actors.

The good news is that organizations in the Middle East are taking the right steps to raise employee cybersecurity awareness. However, an effective and comprehensive cybersecurity awareness training program that adapts to the ever-evolving threat landscape is fundamental, as employees are increasingly accessing organizational data from multiple platforms, devices, and locations.