Cybersecurity Risks: A Growing Concern in a Rapidly Digitalising Region

Key Takeaways

Increased Cyber Threats: The GCC states, particularly Saudi Arabia and the UAE, are primary targets for cyberattacks due to their rapid digitalisation and significant economic and geopolitical roles. The frequency and sophistication of these attacks is rising, with state-sponsored groups and hacktivists being major perpetrators.
Economic and Infrastructure Vulnerabilities: The region's growing reliance on digital processes and the implementation of smart city infrastructure have expanded the attack surface, making critical national infrastructure such as energy, water supply, and healthcare facilities particularly vulnerable. The cost of cyber breaches in the Middle East is nearly double the global average, highlighting the financial impact of these threats.
Need for Enhanced Cyber Resilience: While significant strides have been made in cybersecurity measures, there is an opportunity to further align regulatory development and enforcement with technological advancements. A coordinated and comprehensive response, including robust cybersecurity frameworks, increased awareness of the risks and vulnerabilities, and cross-border cooperation, is essential to protect the region's assets and maintain its appeal to international businesses.

Digital Growth Brings Rising Cyber Risks

The MENA region is undergoing a period of tremendous growth and transformation – economically, technologically, and geopolitically. However, with this growth comes increased risk – including increased exposure to cyber threats.

The GCC states are the primary targets for cyberattacks due to the convergence of rapid digitalisation, economic diversification efforts, and their more active and visible role in global affairs. Member states – particularly Saudi Arabia and the UAE – are increasingly viewed as high-value targets for malign cyber actors seeking to influence, disrupt, or secure financial gain. Both the Kingdom and the UAE have made progress in bolstering cybersecurity; however, the pace of regulatory development and enforcement is not keeping pace with the speed of technology innovation and adoption. A more coordinated and comprehensive response is needed to ensure that cyber threats do not undermine the region’s ambitious economic and digital transformation goals.

Cyber Warfare and Crime: The Threat Landscape in MENA

The frequency and volume of global cyberattacks have surged over the last decade, and the Middle East is no exception. Cyberattacks across MENA doubled year-on-year in the third quarter (Q3) of 2023 and tripled in Q1 2024. A large portion of these is directly attributable to responses to the 7 October 2023 Hamas attack on Israel and the ensuing conflict. In the wake of these events, a range of actors, from state to state-sponsored groups to amateur hacktivist organisations have leveraged cyberattacks in pursuit of their objectives.

Cyber warfare has played a critical role in the battles between Israel and Hamas, Hezbollah, the Houthis and Iran, with state or state-sponsored groups seeking to disrupt operations, access sensitive data, damage critical infrastructure, and spread disinformation on social media.

Hacktivists, which are typically motivated by political, religious, or ideological views, are a relatively new but increasingly prevalent phenomenon in MENA. Groups have been active against both Israel and Palestine, as well as the countries that support them. For example, the Organisation of Islamic Cooperation was targeted in October 2023 by the Pakistani and Bangladeshi groups “Team HEROX” and “Mysterious Team Bangladesh” for perceived inaction against Israel. Meanwhile, pro-Palestinian hacktivist group “Anonymous Collective” targeted a Saudi Arabian electricity provider in May 2024 in response to Saudi policy to arrest individuals for expressing anti-Israeli sentiment. Dubai’s official website was also hit by a Distributed Denial of Service (DDOS) attack by the Afghani “Team 1916” in response to the UAE’s normalised ties with Israel.

However, actors are increasingly motivated by more tangible gains. The region has become an attractive environment for cybercriminals targeting the growing wealth of newly established private and government-sponsored entities spearheading digital and economic transformation. Cyber vulnerabilities have increased in parallel to the adoption of, and reliance on, digital processes and mechanisms, in tandem with low levels of cyber awareness. This is proving costly. According to a 2024 IBM study, the Middle East ranks second globally after the US in terms of the total cost of cyber breaches. It estimated that the average cost of a breach in the region last year was nearly double the global average, at $8.75 million.

The Top GCC Cyber Targets

The UAE and Saudi Arabia are the region’s primary cyber targets given their position as the two largest and most economically influential countries. It is difficult to accurately quantify the number and extent of attacks due to the covert nature that some take, and the fact that victims – be they individuals, corporates, or state entities – often wish to avoid publicly admitting their vulnerabilities; however, available data show some concerning trends:

Ransomware attacks increased by 32% in the UAE in 2024. Phishing, DDoS and scams rose by up to 18% in that year.
An unprecedented number of DDoS attacks took place in Saudi Arabia in 2024 –
278,324 – resulting in high-frequency service disruptions across multiple sectors.
Most frequently targeted are government institutions followed by manufacturing, telecommunications, and IT firms.
Critical national infrastructure (CNI), including energy, water supply, defence, and healthcare facilities, is most at risk of an attack. Attacks on telecoms and IT are used to leapfrog into CNI or government systems, or to access vast swathes of user data for use in downstream attacks.

The perpetrators range from state actors and state-sponsored groups to more amateur, but no less effective, hacktivist organisations.

State-sponsored Advanced Persistent Threat (APT) groups pose the most significant challenge. APT groups have significant financial and infrastructure resources, and therefore greater capability. Their attacks are designed to be difficult to detect so they appear far less common than they are. APT groups often work closely together, sometimes under centralised direction of a parent state organisation, such as the Iranian Ministry of Intelligence and Security. One such example is “APT34 (Helix Kitten/Oil Rig)”, which has been heavily active in espionage activities against Gulf targets since 7 October 2023.

In contrast, hacktivists operate with fewer resources but greater visibility. Their aim is to draw attention to ideological causes; thus, they make little attempt to conceal their attacks and broadcast their successes widely. They typically deploy relatively simple applications of brute force, such as DDOS attacks, that seek to cause short-term disruption. The more advanced groups that steal data are likely to leak or sell that data online, which can then be used to enable more malicious attacks from other cyber actors.

Strengthening GCC Cyber Resilience

The national Vision blueprints of Saudi Arabia, the UAE, and other GCC member states include attracting significant volumes of foreign direct investment and encouraging international businesses to establish operations and partnerships in the region. Across the Middle East, the focus on digitalisation and the implementation of Internet of Things devices across industry and smart city infrastructure are creating serious cyber vulnerabilities, including an expanded attack surface that gives actors new and additional vectors for access, whatever their motive. States must have robust cybersecurity measures in place to protect the data of citizens and sensitive government information, as well as CNI. CNI needs to be adequately protected from attacks that could trigger non-tolerable events given the region’s vulnerability to climate change and water insecurity, and its reliance on food imports. Furthermore, a strong cybersecurity landscape is essential to reassuring the international private sector of the safety of hosting data and housing physical operations in the region.

To this end, notable advances have been made in the regulatory environment in both Saudi Arabia and the UAE. The two countries are actively and quickly working to embrace digitalisation and new technologies. They have introduced comprehensive national cybersecurity strategies, frameworks, and regulations, including the establishment of cybersecurity bodies and the enactment of laws. For example, the UAE in February 2025 approved its National Cybersecurity Strategy to establish a cohesive and effective governance framework; ensure a secure and resilient digital environment; and enable innovations to be adopted safely and quickly.

Saudi Arabia has also implemented several pieces of legislation on cyber and data security, one of which is its first Personal Data Protection Law which began to be enforced in September 2024 under the Saudi Authority for Data and Artificial Intelligence (SDAIA). More recently, the Kingdom updated its Essential Cybersecurity Controls (ECC); however, a new requirement stipulating that all cybersecurity positions be held by Saudi nationals, as well as continued ambiguity over compliance obligations, will present challenges for implementation. Local talent will need to be up-skilled quickly to be able to meet the ever-changing and wide-ranging threats, and enforcement may be inconsistent while it remains unclear which entities are obliged to conform.

The advent of artificial intelligence (AI) poses additional challenges. AI technology is developing at pace and it is a core pillar in Saudi Arabia’s Vision 2030 objectives. Thus far, the Kingdom has implemented AI Ethics Principles to guide AI use; however, this regulatory framework is not legally binding. Developing AI-specific regulations that have the force of law behind them will be critical to ensuring the Kingdom’s cybersecurity, not least as malign actors increase the sophistication of their attacks using AI tools

A Defining Challenge for GCC Policymakers

Despite these regulatory developments, the GCC faces the challenge of ensuring cybersecurity measures keep pace with rapid digital transformation and evolving threats. With greater transparency, collaboration, and investment in cyber resilience, the GCC can position itself not only as a digital powerhouse but as a leader in global cybersecurity best practices. Key recommendations are:

Increasing awareness about the risks and methodologies of cyber actors will reduce the opportunities for accidental or uninformed enablement of attacks. Additionally, encouraging a culture of accurate incident reporting would not only enable cybersecurity professionals and authorities to respond appropriately, but would help them to develop a clearer and more comprehensive picture of vulnerabilities, threats, actors, and motivations.
Cross border cooperation, sharing information, and establishing best practice, including through region-wide protocols, would simplify the security landscape for international businesses operating throughout the region. Work is underway on this, with Saudi Arabia hosting in December 2024 the inaugural meeting of the Arab Cybersecurity Ministers Council, which works to enhance regional cooperation on cyber issues.
Continuing work already underway in integrating protection measures into both the public and private sectors, through legal mandates, will strengthen cyber resilience.

The GCC faces significant, and rising, cybersecurity challenges due to its rapid digital transformation, high economic value, and geopolitical importance. Its attractiveness to malign cyber actors will only increase as its political influence and financial strength grow. GCC members are working to implement measures to mitigate against cyber threats; accelerating these efforts to keep pace with the speed of digital transformation will be essential to protecting these countries’ assets – and maintaining their appeal to international businesses.