Cybersecurity for RAK SMEs: Experts on Real Threats
The email arrived at 2:17 AM on a Tuesday. It appeared to come from the firm's regular supplier in Dubai, requesting updated payment details for an overdue invoice. The accounts clerk, working late to clear a backlog, changed the bank details and processed a wire transfer of AED 187,000. By Wednesday morning, the real supplier called asking why the invoice was still unpaid. The money was gone, routed through three jurisdictions, and recovery was virtually impossible.
This is not a hypothetical scenario. It is a composite of incidents that have affected real businesses in Ras Al Khaimah over the past eighteen months. The owners affected are not negligent or technologically naive. They are busy entrepreneurs running legitimate SMEs who believed cybersecurity was a problem for banks and multinational corporations, not for a twenty-person construction consultancy or a family-owned trading company in Al Nakheel.
They were wrong. And the cost of that wrongness—financial, operational, and reputational—is rising.
This article draws on the expertise of Ras Al Khaimah business leaders who understand cybersecurity from different angles: a compliance veteran who has investigated financial crime at the highest institutional level, a technology founder building AI-driven security solutions, a construction CEO who protects client data as fiercely as he protects building quality, and a profit growth specialist who treats security as a commercial imperative. Their combined experience offers a practical, affordable, and realistic approach to cybersecurity for RAK SMEs.
The Threat Landscape for RAK SMEs
Cybersecurity discussions often drift toward sophisticated nation-state attacks, advanced persistent threats, and zero-day exploits. For RAK SMEs, this focus is misleading. The threats actually encountered are simpler, more common, and more damaging precisely because they are underestimated.
Business Email Compromise
The scenario described in the opening is business email compromise (BEC), and it is the single most costly cybercrime category globally. BEC attacks do not require technical sophistication. They require patience, social engineering, and access to email systems—which is often trivially obtained through password reuse, phishing, or poorly secured accounts.
"In my nineteen years at HSBC, I investigated every major financial crime typology: fraud, sanctions, money laundering, terrorist financing, bribery, corruption, and tax evasion," explained Jamie Killilea, Co-Founder and Head of Global Compliance at CGI Consultancy, in a detailed WHO is WHO in RAK interview. "Business email compromise is not the most technically impressive. But it is the most consistently profitable for criminals because it exploits trust and urgency—two things that are abundant in SME operations."
Ransomware
Ransomware attacks encrypt a company's data and demand payment for the decryption key. SMEs are attractive targets because they typically lack dedicated IT security staff, maintain inadequate backups, and are more likely to pay quickly to resume operations.
Insider Threats
Not all threats come from outside. Disgruntled employees, careless contractors, and departing staff with continued access to systems can cause significant damage. For RAK SMEs with high staff turnover—particularly in hospitality, retail, and construction—this is a persistent risk.
Supply Chain Attacks
When a business's suppliers are compromised, the attack can propagate downstream. A hacked accounting firm, a compromised logistics provider, or a breached software vendor can expose dozens of connected SMEs to data theft or financial loss.
Regulatory Consequences
The UAE has significantly strengthened its cybersecurity and data protection frameworks. The National Cybersecurity Council, the UAE Personal Data Protection Law, and sector-specific requirements from the UAE Central Bank and the Dubai Financial Services Authority create compliance obligations that SMEs cannot ignore. Non-compliance exposes businesses to fines, licence suspension, and reputational damage that can be fatal in a trust-dependent market.
Leader Insights: How RAK's Top Executives Think About Security
Jamie Killilea — Co-Founder & Head of Global Compliance, CGI Consultancy
Jamie Killilea's perspective on cybersecurity is shaped by two decades inside one of the world's largest banks, where he directed financial intelligence units, built risk-based AML frameworks, and served as audit liaison for regulatory examinations. When he co-founded CGI Consultancy in Dubai's IFZA Free Zone, he brought institutional-grade security thinking to the SME market.
"Most businesses don't fail because of strategy. They fail in execution," Jamie noted, echoing a theme that runs through his advisory work. "The same is true of cybersecurity. The policies look excellent. The execution is where the gaps appear."
Jamie's Cybersecurity Recommendations for RAK SMEs
Implement multi-factor authentication everywhere. This is Jamie's highest-priority recommendation, and it costs nothing beyond the time to configure. "Every single business email account, banking portal, cloud service, and administrative system should require multi-factor authentication. Passwords alone are not sufficient. Full stop."
Segment financial approval processes. The AED 187,000 loss in the opening scenario could have been prevented with a simple verification protocol: call the supplier on a known number to confirm payment detail changes before processing. Jamie advises RAK SMEs to require dual authorisation for wire transfers above a defined threshold, with verbal verification for any change to payment instructions.
Conduct regular phishing simulations. Jamie recommends quarterly phishing tests that send realistic but harmless phishing emails to staff. The results reveal who needs additional training and whether security awareness is improving or deteriorating over time. "Awareness training that happens once a year is theatre. It must be continuous, tested, and reinforced."
Maintain a formal incident response plan. Most RAK SMEs have no documented plan for what to do when a cyber incident occurs. Jamie advises creating a simple one-page plan that identifies who to call, what to disconnect, what evidence to preserve, and how to communicate with stakeholders. "The first 24 hours after a breach determine whether the damage is manageable or catastrophic. Panic is expensive. Preparation is cheap."
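The payment control from "Segment financial approval processes" above can be written as a release check. This is an added example, not code from the article or from CGI Consultancy. The threshold value, the field and function names, and the sample account data are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_AUTH_THRESHOLD_AED = 50_000  # assumed value; the article says only "a defined threshold"

@dataclass
class Supplier:
    name: str
    iban_on_file: str                    # bank details agreed at onboarding
    known_phone: str                     # number on file, never one taken from the email
    pending_iban: Optional[str] = None   # requested change, not yet trusted

@dataclass
class Payment:
    supplier: Supplier
    amount_aed: int
    dest_iban: str
    requested_by: str
    approved_by: set = field(default_factory=set)

def record_callback(s: Supplier, confirmed: bool) -> None:
    """Log the result of phoning the supplier on the known number."""
    if confirmed and s.pending_iban:
        s.iban_on_file = s.pending_iban  # change is now trusted
    s.pending_iban = None                # a rejected change is discarded

def release_blockers(p: Payment) -> list:
    """Return the reasons a wire must be held; an empty list means release."""
    s, blockers = p.supplier, []
    if p.dest_iban != s.iban_on_file:    # payment instructions have changed
        if p.dest_iban == s.pending_iban:
            blockers.append(f"call {s.name} on {s.known_phone} to confirm new details")
        else:
            blockers.append("destination account has no logged change request")
    authorisers = p.approved_by | {p.requested_by}  # requester counts as the first
    if p.amount_aed >= DUAL_AUTH_THRESHOLD_AED and len(authorisers) < 2:
        blockers.append("second authoriser required above threshold")
    return blockers

def opening_scenario() -> Payment:
    """Constructed data modelled on the article's opening incident."""
    supplier = Supplier("Dubai supplier", "AE-ON-FILE-0001", "+971-0-000-0000")
    supplier.pending_iban = "AE-EMAILED-9999"  # change that arrived by email
    return Payment(supplier, 187_000, "AE-EMAILED-9999", requested_by="clerk")

if __name__ == "__main__":
    pay = opening_scenario()
    print(release_blockers(pay))         # held: call-back and second authoriser
    pay.approved_by.add("finance_manager")
    record_callback(pay.supplier, confirmed=False)
    print(release_blockers(pay))         # still held: supplier denied the change
```

With these rules, the AED 187,000 transfer is held on two independent grounds, so a single person working alone cannot release it.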
Berdia Qamarauli — Founder & CEO, Centigen AI
Berdia Qamarauli builds intelligent AI systems for business automation, which means his own infrastructure must be exceptionally secure. In his WHO is WHO in RAK interview, he discussed the security architecture that underpins Centigen AI's agentic automation platform.
"Built on advanced technologies such as Retrieval-Augmented Generation, vector databases, and secure API integrations, Centigen AI delivers scalable, secure, and high-performing agentic solutions," Berdia explained. "The secure API integrations are not optional. They are foundational. Every agent we deploy handles sensitive business data, and our clients rightly expect bank-grade security."
Berdia's Cybersecurity Recommendations for RAK SMEs
Audit your API integrations. Most modern SMEs use dozens of cloud services connected by APIs: accounting software, CRM systems, payment processors, marketing platforms, and communication tools. Berdia recommends conducting an annual API audit to identify which services have access to what data, whether those permissions are still necessary, and whether any integrations use outdated authentication methods.
Encrypt data at rest and in transit. This should be standard for any cloud service used by a business, but Berdia finds it is not always the case. "Ask your software vendors explicitly: is my data encrypted when stored? Is it encrypted when transmitted? If they cannot answer clearly, consider that a red flag."
Implement AI-driven anomaly detection. For businesses with sufficient transaction volume, AI-powered security tools can monitor login patterns, data access behaviour, and financial transaction flows to flag anomalies that might indicate compromise. "You do not need enterprise budgets for this anymore," Berdia noted. "Several SME-friendly platforms offer AI anomaly detection at reasonable cost."
Back up to immutable storage. Berdia's strongest recommendation is also the most technically specific. "Your backups should be stored in immutable format—meaning they cannot be altered or deleted by anyone, including administrators, for a defined retention period. This is ransomware protection. If an attacker compromises your systems, they cannot encrypt your backups because your backups are physically unchangeable."
Karim Daher — Founder & CEO, Prime Project Partners
Karim Daher protects property owners' interests during construction projects, which means he handles sensitive financial data, contractual documents, and personal information for clients who are often overseas and entirely dependent on his firm's integrity.
"We act as our clients' eyes and hands on the ground," Karim explained in his WHO is WHO in RAK interview. "That requires not just construction expertise but absolute trust in how we handle their information. A data breach that exposes client financial details or project documentation would destroy that trust permanently."
Karim's Cybersecurity Recommendations for RAK SMEs
Control physical access to devices. Karim notes that many RAK SMEs focus on network security while neglecting physical security. Laptops left unlocked in offices, phones with saved passwords lost in taxis, and unattended devices at co-working spaces are common breach vectors. "A simple policy—devices lock after five minutes of inactivity, and no sensitive work on shared computers—prevents a surprising number of incidents."
Verify vendor security practices before engagement. Before engaging any contractor, supplier, or professional service provider that will handle your data, Karim recommends asking basic security questions: Do they encrypt client data? Do they train staff on phishing? Do they have cyber insurance? "In construction, we vet contractors for competence and reliability. We should vet digital service providers for security with the same rigour."
Document security in client contracts. For service businesses, Karim advises including data protection and security obligations in client contracts. This protects the business legally and signals professionalism to clients who are increasingly security-conscious. "Overseas investors especially want to see that you take their data seriously. Documented security commitments in contracts demonstrate that."
Mike Hoff — Founder & CEO, MHC Consulting FZ LLC
Mike Hoff approaches cybersecurity through a commercial lens: what does it cost, what does it prevent, and what is the return on investment? As a profit growth specialist who has worked with thousands of businesses globally, he treats security spending as a business decision like any other.
"A recent survey showed that 33 percent of businesses are still not profitable following recent events," Mike noted in his WHO is WHO in RAK interview. "A single cybersecurity incident can push a marginally profitable business into permanent loss. The question is not whether you can afford security. It is whether you can afford the absence of security."
Mike's Cybersecurity Recommendations for RAK SMEs
Calculate your incident cost. Mike advises every business owner to estimate the financial impact of a realistic cyber incident: business interruption, data recovery, regulatory fines, customer notification, reputation damage, and lost revenue. "Once you have that number, security spending decisions become rational rather than emotional. For most SMEs, the cost of basic prevention is a tiny fraction of the cost of even a moderate incident."
Prioritise the highest-impact controls first. Mike recommends a tiered approach. Tier one: multi-factor authentication and verified backups. Tier two: endpoint protection and email filtering. Tier three: advanced monitoring and incident response retainers. "Do not attempt everything at once. Secure the basics thoroughly before moving to advanced tools."
Include cybersecurity in your business coaching. Mike integrates security awareness into his Profit Acceleration System because he has seen too many businesses destroyed by preventable incidents. "Business owners who focus exclusively on revenue growth while neglecting operational risk are building on sand. Security is not separate from growth. It enables sustainable growth."
A Practical Cybersecurity Framework for RAK SMEs
Drawing together the recommendations from these four leaders, here is a practical framework that RAK SMEs can implement within 30 days without enterprise budgets or dedicated IT staff.
Week 1: Authentication and Access
- Enable multi-factor authentication on every business account that supports it
- Audit user accounts and remove access for departed employees and unnecessary administrators
- Implement a password manager for all business credentials
- Create a device lock policy (auto-lock after five minutes of inactivity)
Week 2: Email and Communication
- Enable email filtering and phishing protection on your domain
- Establish a verbal verification protocol for payment instruction changes
- Conduct a brief phishing awareness session for all staff
- Create a reporting channel for suspicious emails
Week 3: Backup and Data Protection
- Verify that backups are running successfully and can be restored
- Evaluate immutable backup storage options
- Encrypt sensitive files stored locally
- Review cloud service permissions and remove unnecessary integrations
Week 4: Documentation and Culture
- Create a one-page incident response plan
- Include security obligations in supplier and client contracts
- Schedule quarterly phishing simulations
- Establish a brief monthly security check-in as a recurring calendar item
The Cost of Complacency
Ras Al Khaimah's business community is tight-knit. Reputation travels fast. A single publicised cybersecurity failure can damage not just the affected business but confidence in the emirate's broader commercial ecosystem. Conversely, SMEs that demonstrate security maturity gain competitive advantage—particularly when dealing with international clients, institutional partners, and regulated suppliers who increasingly require evidence of data protection practices.
The four leaders profiled here share a common conviction: cybersecurity is not a technical problem to be delegated to an IT provider. It is a business discipline that requires leadership attention, cultural commitment, and continuous improvement. The tools are accessible. The frameworks are proven. The only missing ingredient for many RAK SMEs is the decision to start.
Watch the Full Interviews
The insights in this article are drawn from in-depth video interviews with Ras Al Khaimah business leaders who have confronted cybersecurity, compliance, and operational risk at the highest levels. To hear their complete perspectives, watch their full interviews on WHO is WHO in RAK.