Danny Jenkins, Co-Founder and CEO of ThreatLocker, has written an op-ed on the stark warning issued by the UAE Cyber Security Council, which he believes should make every boardroom in the country sit up and take notice.
The recent warning from the UAE Cyber Security Council that more than 60% of financial attacks begin with stolen login credentials should concern every boardroom in the country.
Credential theft is one of the most reliable ways into government platforms and enterprise networks. Once a cybercriminal has valid credentials, they’re able to simply log in, like a thief walking through the front door.
The rise of AI-driven credential theft
Artificial intelligence (AI) has made credential theft easier than ever for cybercriminals by allowing them to make better replicas of legitimate company websites and emails, and to automate those campaigns at scale.
Criminals can use AI to generate tailored and targeted messages in flawless English or Arabic, mimicking the tone of senior executives, and they can spin up convincing fake login portals in minutes.
What once required time and skill can now be done almost instantly.
In more advanced cases, cyber criminals are even able to use voice-cloning technology (also known as voice phishing or “vishing”) to impersonate IT teams or senior leaders.
Once inside a system, AI helps attackers move fast. They can locate valuable data and extract that sensitive information before anyone even realises something is wrong.
Identifying the weakest link
Employees are a company’s most exploited entry point. Attackers understand human psychology and are happy to exploit it with fabricated urgency and authority. Human error will always exist, so your security framework should be built around compensating for it.
Correcting vulnerabilities where a single employee’s compromised password opens the door to critical systems is vital. When access hinges on a single set of credentials, the organisation is effectively betting its security on the almost impossible probability that every employee gets it right every time.
Multi-factor authentication isn’t a silver bullet
Assuming your credentials are safe because you use multi-factor authentication (MFA) is a critical error. Criminals have learned to bypass MFA, and organisations must quickly adapt to this new reality.
Like with many attacks, it starts with convincing phishing emails. The user clicks a link and lands on a login page that looks exactly like Microsoft 365, Salesforce, or another trusted platform. They enter their username and password. What they don’t realise is that the attacker is sitting in the middle, passing the credentials and MFA code straight through to the real service.
Even if the session token only lasts a few minutes, that’s all it takes to steal data. Businesses need to acknowledge that MFA alone has clear weaknesses. Organisations should incorporate device ad network verification into authentication. A password and a one-time code are not enough if the device itself isn’t verified through a secure network.
This is why the conversation in 2026 must include implementing Zero Trust cybersecurity. Even if a credential theft occurs, Zero Trust limits the damage.
Practical steps for organisations
Zero Trust flips the model from allow-by-default to deny-by-default. In practice, that means applications, scripts, and tools simply don’t run unless explicitly approved. Just enforcing this one control can stop a huge chunk of malware and credential abuse.
Next, it’s critical to enforce least-privilege access across every system. Employees should only have access to the data they actually need to do their job. That way, if an account is compromised, attackers aren’t handed the keys to the kingdom. They can’t roam freely across all company systems.
Businesses should also implement controls that only allow employees access to the websites they need, blocking dangerous sites by default. Systems can be established that prevent employees from navigating to a phony login page, even if they click a phishing link. While similar controls may have been intrusive to employees in the past, modern controls make implementation much more straightforward without significant disruption to workflows.
Most importantly, businesses need to go beyond MFA. Instead, businesses should deploy tools that add device verification to their user authentication. That means a user should need a password, a one-time code, and the request must come from a verified device.
Even if an attacker steals a password and a code, without the actual laptop or phone, they’re locked out. It makes account compromise far more difficult.
Looking ahead: 2026 priorities for UAE organisations
For financial institutions in the UAE, 2026 has to be the year of identity discipline and staying one step ahead of attackers. By implementing Zero Trust solutions like web access control and device-level authentication, organisations can reduce risk and eliminate the danger from inevitable human error.
