Ivan Milenkovic, Vice President, Cyber Risk Technology, EMEA at Qualys, sat down with CNME Editor Mark Forker, to tackle some of the most pressing issues of the day amidst the backdrop of the ongoing conflict engulfing the Middle East region. A whole plethora of new cyberattacks have emerged, how can enterprises combat them through AI, and what are the key practices they need to adopt to ensure business continuity.
What are the best practices and measures that businesses need to put into place to protect their users now working remotely again, and what are some of the lessons that we learned from 2020 that business leaders need to adopt and apply to the current situation across the region?
When organisations abruptly shifted to remote work during the 2020 lockdowns, the immediate response was a chaotic scramble for operational survival. The primary lesson learned from that crisis was that relying on legacy Virtual Private Networks (VPNs) and an implicit-trust model is a fundamentally flawed strategy. It expanded the attack surface exponentially, granting unmanaged devices broad access to corporate networks.
Today, as regional tensions in the Middle East force a return to distributed work environments, we must apply a more empirical, data-driven measurement mindset to de-risk the business.
The current threat landscape is highly opportunistic. Scammers are actively exploiting the ambient anxiety of stranded travellers by setting up sophisticated fake airline support accounts on social media platforms like X.
Operating under official branding, these bots intercept customer grievances to harvest Personally Identifiable Information (PII) and booking references. This data is not just used for ticket fraud; it is weaponised to execute targeted SIM swap attacks.
The Dubai Police have issued explicit warnings regarding fraudsters impersonating crisis management officials to socially engineer victims into handing over UAE Pass credentials and One-Time Passwords (OTPs). Once a SIM is swapped, attackers intercept SMS codes to bypass basic multi-factor authentication, gaining unauthorized access to mobile banking and sensitive corporate applications.
To structurally protect remote users in 2026, businesses must fundamentally abandon perimeter-based thinking and adopt a Zero Trust Network Access (ZTNA) architecture.
This means enforcing granular, least-privilege access where every user and device is continuously verified on a per-session basis, rather than trusting them simply because they successfully logged in once. Furthermore, organisations must align with the Central Bank of the UAE’s (CBUAE) mandate to phase out highly vulnerable SMS and email-based OTPs by March 2026. The quantifiable Return on Control (RoC) for migrating your workforce to phishing-resistant authentication (such as FIDO2 passkeys and device-bound biometrics) is one of the most effective risk-elimination measures available.
By prioritising identity-first security and continuous verification, businesses can systematically reduce their exposure footprint and ensure that remote work continuity does not compromise corporate assets.
With a wave of cyberattacks across the Middle East region now highly likely, what method of attack do you envisage cybercriminals deploying? Will it be AI-powered phishing emails for a ransomware attack, brand impersonation, or identity theft, perhaps a mix of all of them, or will it be something radically different?
The UAE is currently operating in an environment where national infrastructure absorbs between 90,000 and 200,000 breach attempts daily, with a significant proportion driven by state-sponsored threat actors.
We will absolutely see a convergence of traditional tactics (i.e. brand impersonation and identity theft) supercharged by artificial intelligence. Attackers are leveraging Generative AI to craft hyper-personalised, contextually accurate phishing lures in flawless local dialects, significantly increasing the probability of credential compromise and subsequent ransomware deployment.
However, if we are looking to measure and prepare for the “radically different” vector that defines the 2026 threat landscape, we must focus our attention on the compromise of Agentic AI.
Enterprises across the region are rapidly adopting autonomous AI “copilots” and agents to streamline workflows, manage customer service, and assist in software development.
Unlike passive chatbots, these agents possess the autonomy to execute code and interact with internal databases. The severe risk here is that these AI agents often inherit the underlying poor data hygiene of the corporate network – for example such as over-permissioned SharePoint folders, legacy access control lists, and unclassified sensitive documents.
Consequently, the traditional model of phishing, which relies on the psychological manipulation of a human operator, is being rapidly superseded by an attack vector known as “prompt paths”.
Instead of tricking an employee, attackers engineer malicious inputs designed to mislead or manipulate the logic of an autonomous AI agent. For example, an attacker might embed hidden instructions in a public webpage or a document that an enterprise AI is scheduled to ingest. Once processed, the agent can be tricked into inadvertently surfacing proprietary data, escalating privileges, or executing unauthorised actions on behalf of the attacker.
To de-risk this radically different threat, organisations can no longer treat AI merely as a software tool. Security teams must now treat AI agents as “first-class identities”. This requires assigning them strict identity access management (IAM) roles, continuously auditing their behaviours, scoring their risk, and implementing mandatory “human-in-the-loop” failsafes before an autonomous system is permitted to execute any high-stakes operational or financial action.
How much of a role is AI playing in fuelling these security threats, and again, what are the key recommendations you’d give enterprises who want to protect their assets and are desperate to ensure they have business continuity?
Artificial Intelligence serves as a profound, dual-use force multiplier in the modern cyber conflict. From an offensive standpoint, AI compresses the attack lifecycle exponentially.
It automates vulnerability discovery, scales sophisticated social engineering campaigns, and enables the rapid generation of polymorphic malware. In essence, AI has democratised advanced cybercrime, allowing opportunistic threat actors to execute machine-speed attacks that previously required the resources of a nation-state.
Because the adversary is scaling through automation, enterprises can no longer operate under the assumption that they can build a perimeter secure enough to prevent all possible threats.
To ensure business continuity, leadership must shift from a mindset of absolute prevention to one of empirical risk quantification and structural resilience. You must focus your capital and operational resources on mitigating the most plausible losses that directly impact your core business objectives.
First, organisations must formally operationalise IT Business Continuity Management (BCM) by aligning with frameworks such as ISO 22301.
This begins with a rigorous Business Impact Analysis (BIA) to mathematically quantify the cost of downtime and identify which assets are truly mission-critical.
You must establish precise Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) based on application tiering – ensuring that Tier 0 systems (like core banking or central ERPs) have active-active redundancy and can recover in under an hour.
Second, to defend against AI-driven ransomware that actively seeks to destroy operational backups, enterprises must enforce the 3-2-1-1-0 backup strategy. This means maintaining three copies of your data across two different media types, with one copy offsite, one copy completely offline or immutable (air-gapped), and zero errors tolerated during automated verification testing.
Finally, translate your cyber posture into financial terms, specifically Value at Risk (VaR). When you can clearly articulate your exposure and demonstrate measurable, tested recovery capabilities to your board, you transform security from a cost centre into a business enabler.
This data-driven transparency is also the most effective way to utilise cyber insurance, not as a compliance checkbox, but as a strategic financial lever to transfer the residual risk you cannot economically eliminate. Resilience in 2026 is about ensuring that when a breach inevitably occurs, the operational impact is contained, predictable, and rapidly reversed.
