
Why Google Cloud believes Insider Risk is emerging as a critical security focus in the Middle East - Intelligent CISO

Intelligent CISO, archived Mar 16, 2026



Sindhu Kashyap | 14 May, 2025

In this Q&A, John Hultquist, Chief Analyst at Google Threat Intelligence Group, reflects on the evolving threat landscape, the role of generative AI in cybercrime, and the need for regional collaboration to strengthen cybersecurity resilience in the Middle East.

As one of the world’s foremost voices in cyber threat intelligence, John Hultquist has spent over two decades tracking the world’s most sophisticated threat actors—from state-sponsored espionage groups to transnational criminal networks. As the Chief Analyst at Google Threat Intelligence Group, Hultquist has a front-row seat to the rapid shifts seen in the cybersecurity sector across global regions, including the Middle East.

In this conversation, he provides a detailed examination of how the region’s security posture is evolving, the practical applications of attackers leveraging generative AI to scale their operations, and why enhanced intelligence sharing and insider risk management are becoming increasingly critical. Hultquist also sheds light on Google’s recent partnership with the UAE government and its implications for building cyber resilience in an era of growing complexity and digital transformation.

How would you describe the current cybersecurity posture in the region?

Organisations across the region have made tremendous progress over the last few years. There was a time when cybersecurity was treated as an afterthought. Globally, it wasn’t given the level of investment or attention needed, but that has now changed. We’re seeing dedicated security programmes being built, budgets being allocated, and leadership genuinely engaging with the topic—not just delegating it to the IT department. If you walk around events like GISEC, it’s evident.

There is a maturity developing in how organisations think about risk—moving away from simply buying individual tools and controls towards creating cohesive security strategies tailored to their business models. They’re looking at frameworks, managed detection and response, risk scoring, and other more proactive measures. It’s not perfect yet, but the trajectory is very positive.

John Hultquist, Chief Analyst, Google Threat Intelligence Group

Where do you see the most significant gaps remaining?

The gaps today are less about technology and more about integration and strategy. Many organisations have invested in good tools, but they’re not always being used to their full potential because the surrounding processes or skills are lacking. For example, threat intelligence is often collected but not contextualised or acted upon in a way that supports real-time decision-making.

There is also a growing need for better cyber hygiene and awareness at all levels of an organisation—from leadership to frontline employees. Many breaches still occur due to social engineering or phishing, which could be prevented with stronger internal education and response playbooks. Ultimately, there is a need for greater regional collaboration, as cybersecurity is a shared responsibility. Knowledge sharing across borders and sectors can help us all become more resilient.

Are cybercriminals using generative AI?

For three years now, cybercriminals have been using generative AI. We’ve tracked multiple threat actors who are actively leveraging generative AI to refine their social engineering techniques. They’re using it to craft more convincing phishing emails, create fake profiles, generate synthetic documents, and even mimic legitimate conversations using chat-based interfaces.

What’s changed isn’t necessarily the type of attack—it’s the scale and efficiency. Before, it took time and effort to craft a targeted message or impersonate someone. Now, with AI tools, they can generate dozens or even hundreds of tailored attacks with minimal human input. That’s a game-changer in terms of attack volume and precision.

There is also a psychological aspect—AI-generated content can be more persuasive, localised, and more believable. That makes it harder for even trained users to spot red flags. The barrier to entry for running complex cyber campaigns has significantly lowered, and this should concern everyone in the industry.

What makes this particularly dangerous?

The danger lies in the ability to rapidly scale highly targeted attacks. Generative AI enables attackers to craft customised messages in multiple languages, adjust tone and format based on the victim, and even generate fake voice or video content. It’s no longer about poorly worded phishing emails—it’s sophisticated, contextual messaging that looks like it came from your boss, your vendor, or even a government agency.

It also provides adversaries with additional tools to manipulate trust—through deepfakes, fake documentation, or AI-generated narratives that can be utilised in disinformation campaigns. While many of these tactics were theoretically possible before, AI makes them faster, cheaper, and more convincing. It amplifies every phase of the attack lifecycle.

Could you explain the partnership between the UAE and Google Cloud?

We recently announced a strategic partnership to establish a Cybersecurity Centre of Excellence in the United Arab Emirates (UAE). This centre is designed to act as a regional knowledge and capability hub—bringing together expertise, intelligence sharing, and advanced research capabilities under one roof.

To truly strengthen cybersecurity in the region, we need to ensure a two-way flow of knowledge. On the one hand, we must develop a deep understanding of local threats and regional threat actors—what techniques are being used, which industries are being targeted, and how attacks are evolving in this region. On the other, we need to bring in insights from around the world—because attackers don’t limit themselves to national borders.

The Centre will also play a crucial role in developing local talent. By providing training, threat analysis capabilities, and direct collaboration with global experts, we aim to raise the bar for cybersecurity resilience not only in the UAE but also across the GCC and broader Middle East.

Why is something like this needed now?

The threat landscape is too dynamic and complex for any single organisation—or even country—to tackle alone. What’s happening globally has a direct impact here. Threat actors are becoming more organised, more commercially driven, and more reliant on automation. In this context, regional cyber capacity must evolve accordingly.

The Centre of Excellence helps fill a critical gap by fostering collaboration between government, private sector, and academia. It’s also about enabling better decisions—whether that’s investment planning, response strategies, or policy development—by grounding them in accurate, real-time intelligence.

What key threats are you watching in 2025?

One is the ongoing evolution of social engineering—especially as it becomes more sophisticated through the use of AI. These attacks are still the most straightforward way into most organisations, and we’re seeing even highly secure companies fall victim to them.

Another big one, particularly relevant to this region, is the risk posed by North Korean IT workers. We’ve had multiple cases where organisations have unknowingly hired remote developers who were linked to North Korean state-backed groups. These individuals gain access to sensitive systems, introduce malware, or act as insiders to steal data or funds. In one recent incident in the region, millions were stolen by a North Korean group using precisely this model. It’s a serious insider threat problem and one that requires stronger vetting, especially for remote hires and third-party contractors.

What should security leaders in the region focus on now?

Focus on being proactive. Too many organisations still operate reactively—responding to incidents as they occur. The reality is that by the time you detect a breach, the damage may already be done. Security leaders should invest in threat intelligence, detection and response, and above all, in building a strong cybersecurity culture internally. People remain the weakest link, and no amount of technology will compensate for a poorly trained workforce.

Secondly, collaborate and share information with peers, with regulators, and with partners. The more we understand about what’s happening across sectors, the better we can prepare. And finally, take a risk-based approach—don’t try to secure everything equally. Focus your efforts on the systems, data, and people that matter most.