SMEs have to wake up to the need to make cybersecurity a top priority
July 11, 2023
Synopsis
Cyber frauds are no longer limited to large companies as small businesses are increasingly becoming their target. It’s high time SMEs understand the importance of investing in cybersecurity.
Cybersecurity is now more important than ever, given the rise in technology adoption across the globe. It’s no longer an important tool only for large companies. Many cybersecurity leaders believe small businesses are equally at risk.
Aaron Bugal, Field Chief Technology Officer, APJ, Sophos Group, says that many small business owners naively believe that because of their size, they’re safe from cyberattacks. “Also, being smaller means that small business owners and their employees are usually spinning many plates across a variety of job functions within the organisation. Therefore, cybersecurity can easily slip down the list of endless priorities. The lack of proactive cybersecurity practices means ransomware and other threats easily go unnoticed once they breach an SMB’s system. It is vital SMBs shift their mindset from the narrative ‘we won’t be breached because of our size’ to ‘every company is a target’ and re-evaluate their investment in cybersecurity solutions,” he says.
Explaining further, Rahul Tyagi, co-founder, Safe Security, says that small businesses often rely on outdated or legacy systems whose vulnerabilities attackers can exploit. Additionally, the use of pirated or unlicensed software increases the risk of malware infections and compromises their overall security posture.
The Covid-19 pandemic has further increased the vulnerability of small businesses to ransomware attacks. “The shift towards remote work and increased reliance on digital technologies has expanded the attack surface for cybercriminals. Many small businesses struggled to adapt quickly and implement strong security measures, making them more susceptible to ransomware incidents. Furthermore, small businesses may lack the financial resources to effectively respond to ransomware attacks. They may not have sufficient funds allocated for incident response, forensic investigations, or data backups. This can leave them in a compromised position, with limited options for recovering their systems and data,” he says.
It is crucial for small businesses to prioritise cybersecurity to protect their operations and reputation. A successful ransomware attack can have severe consequences, including financial loss, disruption of services, and damage to the brand image. Rebuilding customer trust after a security breach can be challenging and may lead to the loss of potential clients, he says.
Common frauds
According to Tyagi, some of the common cyber frauds among small businesses include phishing, where attackers use deceptive emails that closely resemble the company’s own to retrieve sensitive data; ransomware, where cybercriminals use malicious software to encrypt a business's data, making it inaccessible; and business email compromise, where the attacker gains access to a business email account and uses it to send fraudulent emails to employees or vendors, requesting funds transfers or sensitive information.
Sharda Tickoo, Technical Director, India & SAARC, Trend Micro, says that phishing emails have become very sophisticated. “They look very real and genuine and sometimes it becomes very tough to pick up these phishing emails, even if you have the best of the breach security software in place. Education or cyber awareness to some extent helps in taking care of these phishing emails, but in SMB, that may not be a focus area at all,” she says.
Further, SMEs today are connected to larger enterprises and could also be a conduit to a large enterprise. So, if such an SMB is attacked, there's a chance of the compromise being exploited all the way to the bigger enterprise.
One of the main reasons that small businesses do not invest heavily in cybersecurity is insufficient funds. But both Tyagi and Bugal say that not investing at all in cybersecurity could cause much higher financial loss, even closure of the company’s operations.
According to the Sophos report The State of Cybersecurity 2023: The Business Impact of Adversaries on Defenders, a staggering 97% of Indian organisations found certain essential security operation tasks, such as threat-hunting, to be challenging. The survey also identified several key areas where businesses struggle.
Bugal says: “First and foremost, identifying the root cause of an incident proves to be a significant challenge for 88% of companies. This lack of understanding hinders proper remediation and leaves organisations vulnerable to repeated or multiple attacks from the same or different adversaries. Additionally, timely remediation presents a hurdle, as reported by 82% of respondents.”
The survey also highlighted that 45% of organisations feel overwhelmed by the advanced nature of cyber threats, leading 95% of respondents to seek assistance from external specialists to enhance their cybersecurity operations.
To protect themselves from breaches, Tyagi says that SMBs should consider implementing a cyber risk quantification solution. This solution provides a comprehensive understanding of their cybersecurity posture and helps make informed decisions to mitigate risks. “A significant advantage of cyber risk quantification is that it allows SMBs to assess and measure their cyber risk exposure quantifiably. This enables them to prioritise their cybersecurity investments and allocate resources effectively.”
He points out that the 2020 Cost of Cyber Crime Study by Accenture and the Ponemon Institute states that organisations using a quantitative approach to cybersecurity risk management save an average of $2.9 million compared to those using a qualitative approach.
Tickoo says that cybersecurity is a culture that an organisation has to embrace. It is a journey and not a one-time thing; it must be constant.
[The Economic Times]