As critical systems become more digital and interconnected, they are also becoming more vulnerable to cyberattacks, operational disruption and other forms of hybrid warfare. In the UAE, attacks on digital infrastructure have tripled from 200,000 to 600,000 since the start of the war, ranging from ransomware and data breaches to targeted data leaks and website defacement.1 This has expanded both the range of threats and the number of assets that now require protection. Industrial control systems can now be targeted through cyberattacks, telecommunications networks can be exploited to manipulate information flows, and supply chains can be disrupted through coordinated economic or digital pressure. Such events rarely occur in isolation; they intersect and amplify one another.
This is precisely why the attack surface can no longer be understood in purely physical terms. It now extends beyond site perimeters to include software dependencies, third-party vendors, operational technology environments and data ecosystems. The objective of modern disruption is often to destabilise – to erode confidence, expose coordination gaps, and exploit systemic interdependencies.
The strategic challenge for leaders is therefore not simply how to digitise faster, but how to retain sufficient control, visibility and decision-making authority over the systems that sustain essential services. Earlier this year, business leaders we surveyed in the region as part of PwC’s 29th Global CEO Survey2 indicated that they were reassessing their technology dependencies. 32% of CEOs were planning to reduce reliance on technology providers based in countries they consider less trustworthy – pointing to a strategic shift towards trusted suppliers and local or regional alternatives to strengthen data sovereignty.
In this context, resilience depends not just on digital capability, but on knowing where dependency is concentrated, where continuity could be compromised and where mitigation is needed before disruption occurs.
Key action: Identify critical technology dependencies across essential operations, assess concentration risk, and define mitigation plans for any exposure that could threaten service continuity.
