Office network security in Dubai is now a board-level concern for DIFC banks, ADGM regulated funds, MOHAP-licensed healthcare clinics, and any business processing payment cards under PCI DSS. The good news: 80 percent of the breaches Azizi Technologies has investigated came from 1 of 5 well-known misconfigurations - all covered by this 12-item checklist. Work through it before your next audit, not after a breach.
How should you use this 12-item checklist?
Treat items 1-7 as the mandatory baseline for any Dubai office and items 8-12 as the scale-up layer for regulated or 25-plus-user businesses. Each item states what good looks like, the typical AED cost, and named products that pass. Score yourself pass / partial / fail on every line and you have the same gap report a paid review would produce.
1. Next-generation firewall with IPS / DPI enabled
A next-generation firewall (NGFW) is the minimum perimeter for any Dubai office network. Suitable options: FortiGate 60F to 200F series, Cisco Meraki MX67 to MX105, Palo Alto PA-440 to PA-820, SonicWall TZ or NSa series, Sophos XGS. Make sure IPS (intrusion prevention), DPI (deep packet inspection), application control and SSL/TLS inspection are all enabled - not just installed. Standard NGFW pricing in Dubai Request a quote hardware plus Request a quote annual licence.
Right-sizing matters more than brand. A FortiGate 40F (Request a quote with first-year UTM bundle) comfortably covers 5-15 users, the FortiGate 60F (Request a quote bundled) is the sweet spot for 15-40 users, and only offices past 50 users or with heavy SSL inspection need the 100F class. UTM renewals run Request a quote on this band - an NGFW with a lapsed licence is just an expensive router.
2. VLAN segmentation between staff, guests, IoT and servers
One flat network is the most common Dubai office mistake. Proper segmentation: staff VLAN (10), guest VLAN (20, isolated from internal), IoT VLAN (30, no internet to internal), server VLAN (40, locked down), management VLAN (99, admin-only). A compromised guest device or printer should NEVER be able to reach the file server. Inter-VLAN traffic should be firewall-controlled, not just routed.
- Guest VLAN must run client isolation - visitors cannot see each other's devices
- Guest traffic gets internet only: zero routes to staff, server or printer VLANs
- Bandwidth-cap guests at 10-20 Mbps per client so visitors cannot starve VoIP
- A captive portal with a rotating code beats one laminated password from 2023
- Treat IoT like guests: printers, CCTV and smart TVs never initiate connections to servers
3. WPA3 on all WiFi SSIDs (or WPA2 enterprise minimum)
WPA2 personal (shared password) is acceptable for guest SSIDs but unacceptable for staff. Use WPA3 with SAE (Simultaneous Authentication of Equals) or WPA2 Enterprise with 802.1X authentication tying each user to their AD / Azure AD identity. Removes shared password rotation pain and gives audit trail per user - when someone leaves, you disable their account instead of rotating a password across 40 staff.
4. Patching cadence with CVE tracking
Every Dubai office should run a documented patching cadence: critical CVEs within 7 days of disclosure, high CVEs within 30 days, medium within 90 days. This applies to firewall firmware (FortiGate, Meraki, Palo Alto), switch firmware, AP firmware, server OS, and endpoint OS. Azizi Technologies AMC clients get monthly firmware-and-CVE review reports automatically.
The single biggest Dubai breach pattern in 2024-25
Three of the five Dubai office breaches Azizi Technologies remediated in the last 18 months started with unpatched FortiGate firmware exploiting known CVEs that had patches available for 90+ days. Patching schedules matter more than expensive tools.
5. MFA on every admin and remote-access account
Multi-factor authentication on every Microsoft 365 / Google Workspace admin, every firewall admin, every VPN account, every cloud console. Use authenticator apps (Microsoft Authenticator, Google Authenticator) or FIDO2 hardware keys (YubiKey, Google Titan) - SMS-based MFA is now considered weak. Standard cost: free for most platforms, Request a quote per YubiKey.
6. Encrypted backups with 3-2-1 rule
Three copies of data (production plus two backups), on two different media types (e.g. on-site NAS plus cloud), with one off-site. Encrypted in transit and at rest (AES-256). Test restores monthly. Most Dubai offices that paid ransomware in 2024-25 paid because their backups were either offline-only, unencrypted, or untested - failure modes that the 3-2-1 rule prevents.
Keep one backup copy in-region
For data-residency-sensitive workloads, point the cloud copy of your 3-2-1 backup at Azure UAE North (Dubai) or AWS Middle East (Bahrain). You keep the off-site copy auditors want while staying in a region compliance can sign off.
7. Endpoint protection with EDR (not just antivirus)
Endpoint detection and response (EDR) goes beyond signature-based antivirus - it watches process behaviour, lateral movement, and exfiltration attempts. Suitable EDR tools: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Business, Sophos Intercept X. Standard Dubai office cost Request a quote per endpoint per month.
8. VPN with zero-trust or per-app access
Legacy 'connect to corporate VPN, get full network access' is end-of-life. Use zero-trust network access (ZTNA): per-application access decisions, identity-aware, device-aware. Vendors: Cloudflare Zero Trust, Zscaler, Netskope, Palo Alto Prisma Access. For smaller offices, FortiGate ZTNA and Cisco Duo Network Gateway are good entry points.
9. DNS filtering for web threats
DNS filtering blocks malicious domains before any connection happens. Options: Cisco Umbrella (formerly OpenDNS Umbrella), Cloudflare Gateway, Quad9, DNSFilter. Costs Request a quote per month. Catches 80-90 percent of phishing and malware infrastructure without endpoint changes.
10. Email security beyond Microsoft / Google defaults
Microsoft 365 and Google Workspace built-in email security catches obvious spam but misses targeted phishing. Add a dedicated layer: Mimecast, Proofpoint, Abnormal Security, or Microsoft Defender for Office 365 (P2 plan). Especially important for any office handling invoice approval, payroll, or wire transfers - business email compromise (BEC) is the top reported financial loss in Dubai.
11. Logging and 90-day retention
Centralised logging across firewall, switches, APs, servers, endpoints. 90-day minimum retention for forensic capability. Tools range from SIEM (Splunk, Sentinel, Wazuh) to cloud-native (Cloudflare Logpush, AWS CloudWatch). For DIFC and ADGM regulated firms, log retention is mandatory; for everyone else it's the difference between knowing what happened and guessing.
12. Quarterly security review and annual penetration test
Quarterly review of firewall rules, AD permissions, MFA coverage, patching status. Annual external penetration test (Request a quote depending on scope) - identifies what attackers would actually find. Required for PCI DSS, recommended for everyone. Azizi Technologies includes quarterly review in enterprise AMC contracts.
How much does the full 12-item checklist cost in Dubai?
A 10-user Dubai office can pass all 12 items for roughly Request a quote one-off plus Request a quote in licences and monitoring; a 50-user office should budget Request a quote one-off plus Request a quote monthly. The firewall dominates the one-off spend; EDR, email security and backup storage drive the recurring line. The whole stack costs less than one percent of payroll for most offices - an order of magnitude below the Request a quote a typical Dubai ransomware recovery costs.
| Office size | Right-size firewall | One-off hardware + setup | Monthly recurring |
|---|---|---|---|
| 5-10 users | FortiGate 40F | Request a quote | Request a quote |
| 10-25 users | FortiGate 60F | Request a quote | Request a quote |
| 25-50 users | FortiGate 100F | Request a quote | Request a quote |
| 50-100 users | FortiGate 200F | Request a quote | Request a quote |
Indicative cost to pass all 12 items, by Dubai office size (2026)
One licence covers four checklist items
Microsoft 365 Business Premium (about Request a quote per month) bundles MFA and conditional access (item 5), Defender for Business EDR (item 7), Defender for Office 365 email security (item 10) and Intune device control. For Microsoft-shop SMBs it is the single highest-value security purchase on this page.
In what order should you implement the 12 items?
Start with MFA and a tested backup restore in week one: together they cost almost nothing and neutralise the two most expensive outcomes - account takeover and unrecoverable ransomware. Everything else follows in declining return-per-dirham order:
- 1Week 1: enforce MFA on every admin and remote account (item 5), then run one full test restore of your backups (item 6)
- 2Weeks 2-4: review or replace the firewall with IPS and DPI on (item 1), set the patching cadence with a named owner (item 4)
- 3Months 2-3: segment VLANs (item 2), move staff WiFi to WPA3 or 802.1X (item 3), and roll EDR out to every endpoint (item 7)
- 4Quarter 2: layer in DNS filtering (item 9), upgraded email security (item 10) and 90-day centralised logging (item 11)
- 5Ongoing: replace legacy VPN with ZTNA as licences expire (item 8) and lock the quarterly review plus annual pen test into the calendar (item 12)
What should a basic incident-response plan include?
A one-page incident-response plan that answers five questions - who do we call, what do we isolate, where are the logs, how do we restore, and who must we notify - is the difference between a 2-day outage and a 2-week one. You do not need a 40-page framework - just this page, printed and stored off the network it protects.
- Contact tree on paper: IT provider, firewall vendor, cyber-insurance hotline, management - phone numbers, not emails
- Isolate, do not power off: pull the network cable or disable the switch port so logs and memory evidence survive
- Preserve firewall, EDR and Microsoft 365 audit logs immediately - this is where 90-day retention (item 11) earns its keep
- Restore only from the offline backup copy, and only after the entry point is closed - restoring into an open hole repeats the incident
- Notify where required: Dubai Police via eCrime.ae, your card processor under PCI DSS, and your regulator (DFSA in DIFC, FSRA in ADGM) within their stated windows
- Hold a 30-minute post-incident review within 14 days and convert every finding into a checklist fix
Does the UAE PDPL change what your office network must do?
Yes, but in outcomes rather than products: the UAE Personal Data Protection Law (Federal Decree-Law 45 of 2021) requires any business processing personal data to apply appropriate technical safeguards and to be ready to report breaches to the UAE Data Office as its executive regulations come into force. That duty maps directly onto items already on this page - MFA (item 5), encrypted backups (item 6), segmentation (item 2) and logging that can evidence what happened (item 11). DIFC and ADGM firms answer to their own stricter regimes, the DIFC Data Protection Law 2020 and ADGM Data Protection Regulations 2021, both of which carry active breach-notification duties today. Azizi Technologies maps every deployment against the regime that actually applies to the client, not a generic template.
Be wary of PDPL-certified hardware claims
There is no such thing as a PDPL-certified firewall - the law mandates appropriate safeguards, not specific products. What auditors and regulators ask for is evidence: configurations, logs, restore tests and a written incident plan.
Free 60-min Dubai network security audit
Send your office address and rough setup (firewall vendor, AD or Google Workspace, on-prem or cloud servers) - we'll book a free 60-minute review and email a written report mapped against this 12-item checklist within 24 hours.
Frequently asked questions
Does this checklist apply to small Dubai offices too?
Yes - items 1-7 are mandatory for any Dubai office regardless of size. Items 8-12 are scaled based on size and compliance scope. A 10-person office can implement the full checklist for around Request a quote hardware plus Request a quote annual recurring cost.
What's the cheapest way to hit DIFC / ADGM compliance?
FortiGate firewall + Microsoft 365 Business Premium (includes Defender, MFA, conditional access) + Sophos endpoint + Cloudflare DNS filter + monthly Azizi AMC. Total under Request a quote for 25-50 user office. Hits 80 percent of regulator requirements out of the box.
How often should firmware be patched on Dubai office firewalls?
Critical CVEs within 7 days, high within 30 days, medium within 90 days. Test in a staging window when possible, but unpatched firewalls are the single biggest Dubai breach vector right now.
Is EDR overkill for a 10-person Dubai office?
No - Microsoft Defender for Business at Request a quote per month covers 90 percent of EDR needs. Sophos Intercept X is Request a quote. The cost is trivial vs the typical Request a quote ransomware recovery.
Do you offer SIEM / centralised logging for Dubai SMBs?
Yes - Microsoft Sentinel for Microsoft 365-shop clients, Wazuh open-source for cost-sensitive deployments, or Splunk for enterprise. Standard SIEM setup Request a quote plus Request a quote monthly.
What's the difference between SOC 2 and ISO 27001 for Dubai businesses?
SOC 2 is the US-origin attestation report focused on operational controls. ISO 27001 is the international standard for information security management. DIFC and ADGM accept both. ISO 27001 is more common in UAE because it's certified (not just attested) and broader in scope.
Usman K.
· IT Support LeadIT support lead at Azizi Technologies. Manages 24/7 helpdesk, Microsoft 365 migrations, server administration, and managed IT contracts for Dubai SMBs. Microsoft Certified. Mentioned by name in client reviews for fast resolution.
Ready to get the same results we wrote about?
Free 24-hour SEO audit. Transparent AED pricing. Real Dubai client case studies. No sales call required.