Small and Medium-sized Enterprises (SMEs) are an important driver for innovation and growth in Singapore and ASEAN. SMEs also stand to gain the most from innovative technology because it is complicated and costly for them to set up and run ICT in the traditional way. When it comes to cybersecurity, SMEs do not always understand all the risks and business consequences of developing technologies without an adequate level of protection against cybercrime. Companies from the smallest startup to the largest organisation suffer from cyber attacks.
Cybersecurity is essential for organisations of all sizes. Organisations need to ensure they have taken all the necessary precautions to protect their data. However, not all companies are affected by malicious attacks in the same way. It is a fact that SMEs face far greater threats, risks and challenges combating cyber attacks. Why and what are the main reasons SMEs fail to recover from a catastrophic cyber attack? Is there anything they can do about it to have a stronger defensive strategy?
All these threats seem to have multiplied overnight. The devices that were once useful and entertaining seem to have spontaneously metamorphosed into menaces. In the early days, computers were behind closed doors and labs, but this has changed. Instead of being protected behind locked doors, computers large and small are exposed in ways that could not have been imagined by their inventors. Nearly every computer is attached to networks that can be accessed from anywhere on the planet by almost anyone.
SMEs as a desirable target for cyber attacks
This perception is a significant issue for small businesses because their lack of interest in cybersecurity makes them a desirable target for criminal hackers.
A rather large number of small businesses do not put enough money and resources into cybersecurity. Many do not monitor or implement strong enough cybersecurity defences that will adequately protect their data. The absence of such defences makes their data more susceptible to attacks. Although they may not feel that their information has much value to criminals, it very often does. Small businesses still hold personal, proprietary and financial information, but they do not have the security defences in place that many large organisations do, and that as a result makes them an easy and attractive target.
In the event an organisation has been hit by a ransomware attack, the criminals responsible will typically demand it pays a ransom to retrieve its data. It is very tough for small businesses to recover from ransomware attacks, so they are often more willing to pay the ransom than larger organisations would be. Again, this makes them an attractive target for many criminals. Even in paying out the ransoms, there is no guarantee that the data would be recovered in a timely or secure manner. That is why prevention is always better than cure.
How cyber attacks work
Three of the most common ways SMEs are hacked are phishing (a form of social engineering attack), poor password management and IT device/equipment vulnerabilities.
Phishing campaigns are fake emails that impersonate someone who you may trust: an online provider, bank, popular website or sometimes a colleague. These emails try to trick you into giving away sensitive information.
Passwords are crucial for ensuring the security of your data. If a password is easy to guess or used for multiple platforms, it becomes less secure and easier to hack. Passwords should be unique, preferably long and complex, and should never be shared.
IT vulnerabilities are a result of a network not having the right security measures in place to protect data. These vulnerabilities can lead to malware attacking an organisation’s data.
Protecting yourself from cyber attacks
There are many simple ways an SME can protect itself from a cyber attack. Implementing a firewall is one of the first things an organisation should do, as this will put up a barrier between your data and the hacker, restricting their access.
It is imperative to educate your employees to adopt proper cybersecurity procedures. They should complete staff awareness training to ensure they can identify a phishing email, follow basic security measures such as regularly changing passwords and adhering to security policies. Installing security software is vital to keep your data secure. There is still the chance that after training your staff, they may again fall victim to a phishing email. Installing anti-malware software will help protect your organisation from malware that may be contained in these types of email.
SMEs do have inherent advantages over larger companies. As an example, their agility enables them to be flexible and adjust to changes quickly. They lack the red tape and complexities larger organisations have to overcome to get things done fast. In reality, an SME needs to seek solutions matching their size and needs, which are not necessarily the same solutions used by a big organisation. The fact that a Fortune 100 company chooses to work with a complicated and expensive vendor does not mean it is the best fit for an SME. It might just be the best for them but may not be a good fit at all for a smaller operation.
Smaller companies with leaner and smaller IT teams can consider using autonomous systems to help them not only detect but also mitigate security threats. The idea of a full protection solution does not belong only to the top-tier companies; SMEs can introduce and adopt it too if they are open to the new wave of cybersecurity solutions now emerging, and this is just about the right time to do so.
The threats are such today that no organisation can claim to be 100% protected. However, if you put a few of the following controls in place, your organisation begins to become less appealing to hackers, as most of them are looking for the quickest and easiest ROI. One of the starting points then is to try and obtain a high-level evaluation of your organisation’s cybersecurity posture and a documented summary of recommendations for improvements through a cybersecurity assessment and audit.
- Cecil Su, Director, Technology Risk Advisory, BDO LLP -