By Emile Abou Saleh, Senior Regional Director for Middle East, Turkey and Africa at Proofpoint
Cyber threats have become more targeted, sophisticated, and frequent than ever before. With the proliferation of new technologies in Saudi Arabia – including cloud architecture and smart cities – it has become critical to safeguard this digital infrastructure to strengthen national security.
The recently concluded Black Hat MEA 2024 in Riyadh highlighted the value of collaboration in cybersecurity. Encouragingly, Saudi Arabia has deployed measures to build resilience, including threat detection and incident response mechanisms to address potential threats. However, security leaders have to contend with a threat landscape that is ever-evolving.
Proofpoint’s 2024 Voice of the CISO report, a global survey of 1,600 CISOs, including those based in KSA, showed that 67% of CISOs in Saudi felt at risk of experiencing a material cyber-attack in 2024, compared to 55% in 2023 and 27% in 2022. A third (33%) felt their organization was unprepared to cope with a targeted cyber-attack, compared to 49% in 2023 and 28% in 2022.
The biggest cybersecurity threats perceived by CISOs were business email compromise (BEC) (50%), cloud account compromise (Microsoft 365 or G Suite or other) (42%) and insider threat (negligent, accidental, or criminal) (37%).
The question is this – how can Saudi government entities and the private sector address these cyber risks?
Rise of AI deployment in Saudi and rising cyber risks
Saudi Arabia is pegged to become a leading AI hub by 2030 and an innovation and economic driver for the region. The Saudi Data and AI Authority (SDAIA) has played a pivotal role in driving AI deployment by implementing strategic initiatives to foster the growth of AI technologies. These initiatives are expected to accelerate Saudi’s economic diversification over the next decade.
Globally too, Artificial Intelligence (AI) is expected to continue to grow exponentially over the next few years. According to research by PwC, AI could contribute up to $15.7 trillion to the global economy in 2030. Middle East countries are expected to be among the biggest beneficiaries, with anticipated gains to the tune of roughly US$320 billion.
Amidst the optimism, there are fears of growing cybersecurity challenges. Proofpoint’s research shows that Generative AI tops Saudi CISOs’ security concerns. In 2024, 47% of CISOs surveyed believe that generative AI poses a security risk to their organization. The top three systems CISOs view as introducing risk to their organizations are: ChatGPT/other GenAI (55%), perimeter network device (55%) and Microsoft 365 (37%).
Securing the people perimeter
There is no denying that human error remains one of the biggest cyber risks facing organizations. This year, there was an uptick in the number of CISOs who viewed human error as their organization’s biggest cyber vulnerability – 84% of Saudi CISOs in this year’s survey vs. 48% in 2023.
Many users lack adequate knowledge about cybersecurity best practices. Ignorance about phishing scams, the significance of secure passwords or the dangers of downloading suspicious attachments can inadvertently open the door to cyberthreats.
Even with sufficient knowledge, human error remains a significant risk factor. Careless actions like leaving devices unlocked or unattended, using unsecured public Wi-Fi, or failing to update software regularly can create vulnerabilities that cybercriminals exploit.
Despite this, a majority of CISOs in Saudi believe that employees understand their role in protecting the organization. This confidence is higher than in previous years—40% in 2023 and 43% in 2022. This may be attributed to the 96% of CISOs surveyed looking to deploy AI-powered capabilities to help protect against human error and advanced human-centered cyber threats.
Building a resilient future
Many Saudi businesses have made sizable investments in cybersecurity readiness and capabilities to defend against potential threats and mitigate risk. These efforts encapsulate the measures, strategies, policies and practices that are intended to protect information systems, networks and data.
However, when it comes to the human factor, security and risk managers often default to discussion of security awareness training as the primary or sometimes only mitigating control. But risk needs to be seen through the lens of the people who create it and when they create it.
As technology advances and plays a more mainstream role in steering Saudi’s digital ambitions, the interplay between humans and digital systems will continue to evolve. It is important to remember that no system can be entirely foolproof. That is why management of the human element in cyber risk will be crucial to create a more resilient workforce that can break the attack chain – and secure Saudi Arabia’s digital future.