As the world continues to digitalise, the attack surface for cybercrime broadens.
While headlines shout out stories of major companies being conned out of millions by ‘deep fakes’ and other sophisticated attacks, there are many more untold stories of small and medium enterprises (SMEs) losing their shirts as a result of phishing or ransomware.
At a recent panel hosted by SGTech and Swiss tech company Acronis, industry experts gathered to give their insights into the issues facing SMEs as they undergo digital transformation.
Covid saw a drastic increase in the global volume of cyberattacks. Chief Security Officer of Microsoft Singapore, Dennis Chung, broke down the implications of the current laws of the land regarding SMEs and ransomware.
“In 2021, 84% of Australian SMEs were victims of at least 1 ransomware attack, of which 51% paid the ransom.”
Chung added: “In response their government passed the ‘Ransomware Action Bill 2022’ to fine SMEs whose ransom funds are found to have funded terrorism or aided money laundering.”
Singapore has since joined the Counter Ransomware Initiative, a 61-nation alliance that seeks to limit ransomware payments, in an effort to starve the cyber criminals of funding, and similar laws have been implemented. Local SMEs that send payments in response to ransomware will be charged with funding such criminals regardless of their victimhood.
First course of action when subjected to ransomware, says Microsoft’s Chung: “Call your lawyer before taking any actions. Your lawyer will likely ask you, ‘Do you know who you’re paying?’”
Protecting Productivity
Contributing to 70% of employment and 45% of nominal GDP, SMEs are a crucial pillar of Singapore’s economy. Yet, while digital transformations of these sprouting enterprises are often discussed, they are infrequently implemented.
Acronis Chief Information Security Officer Kevin Reed explains the extent of the issue. While many headlines read about large ransomware demands in the millions of dollars, that is not a sustainable business model for the cyber criminals.
“The size of an average SME ransom is around US$2,000 (S$2,700).”
While this may seem insignificant, many small companies can be crushed by the after-effects of a ransomware demand, whether it be leaked data, further demands by cybercriminals, the resulting loss of confidence in the business when customers find out, or the legal implications of trying to pay your way out of trouble.
If financial and potential data losses due to ransomware attacks alone are enough to shut down many small businesses, then consequent fines may put the nail in the proverbial coffin.
Unlike larger organisations, for SMEs the loss of client and industry trust after experiencing such incidents may be impossible to come back from.
Sound security practices are no longer ‘nice to haves’, but ‘must haves’.
Many SME owners are unsure of how to begin their digitalisation journey. Fear of additional costs discourages many from embarking on this process altogether, and, for others, cybersecurity may seem a trivial facet of business operations.
Protection is not prohibitively expensive for smaller concerns. Monthly subscription services and government grants such as the Digital Acceleration Grant and Productivity Solutions Grant can help ease the burden on the cashflow of an SME seeking professional advice.
Tailored Solutions
Modern cybercrime rarely involves hacking. Most criminals log into their victims’ accounts after extracting information via phishing. An SME’s employees can be the biggest vulnerability to their cybersecurity, but if properly trained, they can provide an effective shield.
Given the lack of publicity on this topic, many SME owners may be unaware of the full extent of the consequences of cybersecurity breaches. Even the informed will likely not have the expertise to make relevant yet cost-effective security decisions.
CEO of SoMin.ai Professor Aleks Farseev highlights the issues with the SME designation. “The formal definitions of SME are, ‘company with less than 200 employees’, and ‘below $100 million turnover’.
“Security concerns of companies with 2 or 199 employees are likely to be drastically different,” he reasons.
As it is unlikely that the definition will be changed anytime soon, it’s evident that there will be an equally broad range of cybersecurity requirements, and more often than not expertise will need to be outsourced.
3 Easy-to-implement Security Practices Every SME Can Deploy
Instead of keeping servers in the back room, utilise a reputable cloud service provider.
Managing such systems is complex, and your business is unlikely to have as many dedicated professionals as a large outfit.
Chung noted that “Microsoft’s Singapore branch alone has over 5,000 cybersecurity professionals dedicated to defending the platform. Can you match that?”
Implementing this seemingly insignificant practice costs 5% of your effort but will give 95% improvement in your business’s level of security.
Many complain about certain types of 2FA being inferior, but in reality any barrier is better than none.
A password manager can store many more passwords than most individuals would care to remember.
While some password manager services such as LastPass have experienced centralisation-related issues, the objective here is for you to not repeat passwords and use a different password for every account.
Security breaches related to password reuse occur when least expected.
Maybe you forgot that you used your go-to password for a deserted forum you frequented 5 years ago. If the forum is compromised, the attackers now have your email address and a related password and they can use this combination to try to log in to a number of critical services you may utilise.
The general rule is that longer and more varied passwords are more difficult to guess via brute force. Password managers can also help you to generate the necessarily complicated and incomprehensible code.
Go Far Together
SME owners should ask themselves if they know what they cannot afford to lose, be it data or otherwise, i.e. which among their digital assets are the most crucial for business operations and require the biggest moat. Likewise, businesses need contingency plans for scenarios in which these assets are compromised.
Unity is strength, and businesses will benefit from sharing their experiences of best practices and seeking expertise. Outsourcing expertise to ‘CTO as a service’ agencies or specialists (akin to borrowing a tech guru to help your business) will be a good option for most.
Setting up robust digital protocols may secretly be the best way to save money and ensure the longevity of a business.