rewrite this content and keep HTML tags as is: Businesses remain weak link in Gulf cyber defences

• Rapid pace of AI adoption presents risks
• Staff training and education vital
• State policy and regulation is strong

Gulf businesses risk becoming the weakest link in the region’s cyber defences as artificial intelligence increases the scale and sophistication of attacks, experts have warned.

James Shires, a cybersecurity and AI expert specialising in the Middle East and North Africa, said artificial intelligence was lowering barriers to entry for cyber criminals.

The trend is particularly relevant in the Gulf, where the pace of digital adoption and a concentration of high-value targets across public bodies, finance and critical infrastructure have expanded the attack surface.

Shires said many organisations were still adjusting to the new threat environment. “The main cyber risk is an educational one,” he told AGBI. “A rapid digital transformation must be accompanied by training and education both for specific roles and organisation-wide staff to manage risks effectively.”

He said the UAE and Saudi Arabia had become better prepared through investments in cyber capabilities, but many businesses were not keeping pace.

“The UAE and KSA are far more operationally resilient than they were even a few years ago, let alone comparing them to the pre-cybersecurity investment environment around 15 years ago,” he said.

“Both states have trained a highly competent cadre of cybersecurity professionals, drawing on citizens and foreign experts, and deployed them in institutions with significant state authority. However, individual businesses do not always have a sufficient cybersecurity posture, even in critical infrastructure sectors.”

Research by KPMG suggests many businesses were trying to scale AI on top of fragmented data, inconsistent processes and unclear ownership structures.

The consultancy said more than 95 per cent of AI use cases globally fail to deliver measurable value, often because organisations attempt to deploy AI before establishing the governance and data foundations needed to support them.

Trevor Niblock, partner for digital trust at KPMG Middle East, said: “In that environment, AI tends to accelerate confusion rather than performance.”

The challenge extends beyond business productivity and into infosecurity. “Many of those controls were built for a pre-AI threat model and can’t keep pace with how threats now move across collaboration channels simultaneously,” he told AGBI.

KPMG cited research by cybersecurity and compliance firm Proofpoint showing that four in 10 organisations in the UAE had already experienced or suspected an AI-related security incident.

One of the biggest concerns is the growth of AI-enabled social engineering and identity-based attacks, where criminals manipulate victims into revealing information or transferring money.

“AI has fundamentally shifted the economics of social engineering,” Niblock said.

Tasks that once required extensive research and preparation can now be automated and executed in minutes, allowing attackers to target larger numbers of victims with increasingly convincing messages.

AI-generated content can mimic trusted contacts, executives, government officials and even family members, making fraudulent communications appear legitimate.

The technology is also contributing to the growth of authorised push-payment fraud, romance scams and impersonation fraud.

“A single compromised identity can quickly become a pathway across multiple systems, platforms and business processes,” Niblock said.

Despite the risks, he said the Gulf’s rapid adoption of AI should be viewed as a sign of ambition rather than a weakness.

Further reading:

Further reading:

“The more accurate framing is that rapid adoption creates complexity, and complexity increases risk unless security maturity evolves at the same pace,” he said.

“The UAE Cybersecurity Council, Saudi Arabia’s National Cybersecurity Authority and broader frameworks like the UAE’s National AI Strategy reflect a level of institutional commitment that many mature markets are still working toward.”

Shires, whose company Virtual Routes focuses on cybersecurity and AI research, said AI was raising new questions around risk, data sharing and access controls rather than exposing major gaps in existing Gulf cyber regulation.

“Cybersecurity policy and regulation are well-positioned to cope with the AI threat landscape,” he said. “The challenge AI poses is a business decision, not a regulatory one.”