Small business owners sometimes think that cybercrime is only an issue for big enterprises.
Although the news only reports major cyberattacks that cost millions of dollars, the reality is that 40% of cyber attacks in Singapore target SMEs.
Why is that?
Read on to learn:
- why cybersecurity matters for small and medium enterprises
- what are the common cybersecurity risks for SMEs
- how to prevent them
- and whether it’s worthwhile to get cybersecurity for your SME.
Why Does Cyber Security Matter to SMEs?
Gone are the days when a cybercriminal studies his target and carefully plans an attack. Today, cyberattacks are all automated.
SMEs are especially vulnerable to these attacks, as most have given little thought to their cybersecurity measures. There’s hardly any effort required for cybercriminals to hack into an unprotected SME’s network.
A cybercriminal needs only to set up a bot, which then scans the entire internet for vulnerable targets. After identifying their targets, the bots hack into the network using known loopholes and cybersecurity gaps.
Nobody is spared from these bots anymore. As long as you’re on the internet, they can trace you and get into your network.
Common Cybersecurity Risks for SMEs
How do cyber criminals gain entry to your digital systems?
Below, we’ve organised the most common cybersecurity risks for SMEs in order of the likelihood of attacks:
1. Untrained Employees
The weakest link in cybersecurity is the people. In a combined study with Stanford University, cybersecurity firm Tessian found that 88% of data breaches happen because of human error.
When employees are unaware of the threats and there aren’t any safeguards in the system, the risks increase exponentially.
2. Unfiltered Phishing Emails
Phishing is when a cybercriminal poses as a trusted contact and dupes readers into certain actions, like:
- Giving away sensitive information
- Clicking a link to a malicious website
- Downloading malware or ransomware in the form of a seemingly innocuous document
The most common form of phishing happens through emails. While some of these phishing attempts are easy to spot, a well-crafted email can easily induce readers into unknowingly compromising your systems.
Malware cleanups can cost upwards of S$1,000 a day, usually averaging around 3-5 days to fully clear.
And ransomware demands can cost anywhere from S$1,000 to millions of dollars.
3. Outdated Antivirus Software
Traditional antivirus software scans files against a database of known virus signatures. This database is called a definition file. When a match is found, the AV flags an alert and treats the file as a threat.
It’s like the police putting up wanted posters around the neighbourhood. When they spot the guy in the wanted poster, they arrest him.
Unfortunately, there’s a large number of new viruses being created all the time. If you purchased your antivirus software a while back, it’s most likely already out of date.
4. Outdated Workstations and Operating Systems
On occasion, your Windows workstation will have a little popup asking you to update your system. These releases are called patches because they’re meant to patch up the vulnerabilities or holes in the computer’s operating system (OS).
Once there’s a known OS vulnerability, the information spreads far and wide. Hackers then program their bots to exploit the holes for easy entry.
Think of your computer or server as a castle you have. There are holes here and there that you’re not aware of until someone discovers it. Once you do though, you can get a contractor to patch up the holes.
5. Malicious Websites
There are certain sites that are clearly malicious and should be avoided, like porn and gambling sites. Nobody would surf them on the company’s network during office hours…right?
You may be surprised to know that there are people who do exactly that. It’s not a pleasant surprise when you get a malware outbreak on your network.
Does My Small Business Need Cyber Security?
Earlier on we mentioned that cyber attacks are now handled automatically by bots targeting anyone and everyone. As long as you’re on the internet in some form, you’re a valid target.
But if you’re wondering if it’s worth it to invest in cybersecurity for your SME, here are four key questions to consider:
1. Does My Business Hold On to Sensitive Data?
This includes information such as your customers’ personal data, intellectual property giving your business a competitive edge, or even pricing data you don’t want your competitors to see.
Is the data protected not only from cyber attacks but also from disgruntled employees who may delete or leak it to third parties?
The risks apply even to your employees’ personal devices — if they use these for work at all. Say they respond to emails via their mobile phones or store sensitive business information on their laptops. A compromised personal device allows hackers entry into your systems.
Leaked or deleted information can cause serious damage to your business in the form of lawsuits, fines, loss of revenue, loss of your advantage over competitors, and so on.
2. Does My Business Communicate and/or Process Transactions Online?
One study found that one in four employees have clicked on a phishing email while at work. You may even know people close to you who have fallen victim to it.
Fast-paced small business environments are all the more susceptible. Employees feel an obligation to respond to emails quickly, which also means they’re more likely to mistakenly click on phishing emails.
The scary part is that your email could already have been hacked and read by cybercriminals now — without anyone noticing.
3. Can Your Business Still Operate When Your Digital Systems Are Down?
A florist may still be able to sell and deliver flowers with their IT systems down.
But if your business does a lot of processing — like with customer claims — you’ll have a difficult time operating when the same thing happens to you.
Worse, your business may never recover from the loss of data. 60% of small businesses go out of business within six months of falling victim to a data breach or cyber attack.
4. Does Your Industry Have Requirements You Need to Comply With?
It’s common for certain industries to have compliance standards companies need to abide by.
For example, companies dealing with credit cards have to adhere to the PCI DSS (Payment Card Industry Data Security Standard). Financial institutions in Singapore have to adhere to the Technology Risk Management Guideline set by the MAS.
At the minimum, local businesses have to comply with the PDPA (Personal Data Protection Act). This applies to all companies handling their clients’ data. Check out the PDPA for requirements on securing your network against cyber attacks.
With the damage to SMEs rising each year from cybersecurity breaches, more and more companies find themselves spending thousands of dollars cleaning up malware, paying ransomware fees, paying PDPA fines, and recovering lost or stolen data.
In the next section, we’ll talk about changes you can make that may save you from paying hefty costs and wasting valuable man-hours.
How to Improve Cybersecurity for Your SME
The first thing to remember is that cybersecurity is a multi-layered defence. Important features of a robust defence may include unified threat management, data loss prevention, and managed detection and response.
However, these solutions are only effective when built upon secure practices that can be easily implemented within the company.
Below, we’ll talk about several security practices you can immediately take action on.
1. Conduct Ongoing User Awareness Training
The best employee cybersecurity training isn’t just a one-off course; it’s an ongoing education. For starters, you can do this with monthly or bi-monthly educational emails to your staff. The emails should update them on the types of cybersecurity threats, the tricks hackers tend to use, and so on.
Staying up to date with sites such as SANS or The Hacker News allows you to compose the emails yourself. Otherwise, you can engage a service provider who will also use mini-tests to help your staff fully understand the content.
2. Implement HR Policies for Cybersecurity
When you onboard a new employee, there are HR forms they have to go through. The Acceptable Use Policy (AUP) is one of them.
In IT audits and compliance, the AUP is an important document. It states the company’s stand on the usage of its technologies, system, and network.
Make sure your AUP covers these aspects:
a. Single Password Usage
The danger of recycling passwords is that once you get hacked for one system, any account that uses the same password is also exposed. The Single Password Usage clause indicates that staff have to use different passwords for each login to reduce the cybersecurity risk for the company.
b. Clean Desk
A Clean Desk policy says you shouldn’t leave sensitive information unattended on the desk. This means sticky notes with passwords, sheets of paper with important info, and even sensitive documents that cannot be shown to unauthorised personnel (like payroll sheets).
c. Password Construct Guideline
Simple passwords are easy for hackers to decode. All they need to do is use a brute force attack (i.e. a program) to guess the passwords until they get it. A simple password like “123456” takes less than a minute to crack. More complex passwords (e.g. an 11-character password with numbers and uppercase/lowercase characters) can take a hacker 41 years to crack.
The Password Construct Guideline policy states that the employee must use a complex password for the system.
d. Password Refresh/Expiration
Complex passwords don’t remove all your cybersecurity risks. It’s still possible for an employee to accidentally leak passwords via a virus or a compromised email.
Once these passwords have been leaked, hackers often don’t exploit the passwords immediately as there will be a state of heightened alert. They’ll wait for weeks or months before they strike.
That’s why passwords should be changed after a certain period, making them useless to hackers. The Password Refresh policy informs the employees that they’re to change their password after a set duration.
As you may have guessed, these policies are hard to follow. It’s tempting for a lot of staff not to follow them. That’s why we’d recommend the use of IT system restrictions and solutions like a password manager and Single Sign-On (SSO).
3. Install IT System Safeguards
The following solutions are a bit more technical, but serve as an important failsafe against human error:
a. Implement MFA/2FA
You’re probably more familiar with 2FA as it’s what you’ll need for SingPass or bank account logins. 2FA is a type of MFA, which stands for Multiple Factor Authentication.
Using 2FA means you need to have two methods of proving your identity: a password for one and a token, mobile app, email, SMS, or phone call for the second. This makes it harder for cybercriminals to invade your system even if they know your password.
2FA is especially important for your email system as email is often hacked. With compromised emails, cybercriminals either set the account to secretly forward all emails to them or use it to trick your customers into paying them.
I’ve seen both cases. In one case, an accounting firm had its director’s email forwarded to someone else. In another, a customer wired S$20,000 to another bank account after receiving an email from the company.
Most online software now have MFA in place. If the one you’re using does not, ask your vendors to have it implemented.
b. Email Protection
This is also called email filtering because it filters through all the mail you receive.
There are two types of email filtering in the market, so be sure you’re getting the right one! The first is the old-school type: it only looks at spam and blocks those emails. This is next to useless nowadays. Get it if you only want to deal with spam emails.
The second type of email filtering is more advanced, as it:
- scans attachments for malware
- detects phishing, imposter, and fraudulent emails
- prevents your email domain from getting blacklisted
- encrypts your emails
- rewrites links inside emails to reroute them through a filtering server so you don’t click through to malicious sites
- ensures email continuity
Except for reading your email for you, it does just about anything. (By the way, it also filters spam email!)
Check with your email service provider on the protection they’re using. Otherwise, if your email services are hosted in-house, you’ll need to look into setting up your own email filters.
c. DNS Filtering
This stands for Domain Name System Filtering. In essence, it protects you from landing on suspicious or malicious websites.
You may be thinking of content filtering, where employees are banned from surfing websites in certain categories like porn, gambling, shopping, and so on.
DNS filtering does that — and more. Not only does it block employees from going to undesirable websites, but it also filters all outgoing traffic from your office computers. Even traffic from programs running in the background goes through the filter.
Ransomware is well known for using this technique, making DNS filtering a good way to stop it. DNS filtering also helps with phishing links, DDoS attacks, and man-in-the-middle (MitM) attacks.
To implement this, route all outgoing network traffic to a DNS filter’s proxy server. The proxy server will then do the filtering for you.
d. Network Separation
At the basic level, this means separating your office network from a public network (like the guest WiFi). Knowing what it is and implementing it correctly are two different matters, however.
Just putting up the WiFi SSID as Public/Guest WiFi doesn’t magically separate the two networks. You have to either physically separate them with two different internet lines (which can be costly) or use a firewall and switches to control them.
At a higher level, almost everything is categorised and grouped into different segments: server network, printer network, workstation network, and so on. Companies that are very strict on security can have seven or more different networks.
If you have a small office with fewer than 10 employees, consider using the basic telecom routers with built-in functions to separate WiFi. Bigger companies should consider engaging a professional to design a network that’s more suitable for your needs.
Backups are the last layer of cybersecurity. While they don’t prevent cyber attacks, they enable you to recover and get back on your feet a lot faster when you’ve been breached.
You don’t even need a cyber attack to lose your data. Common forms of data loss include hardware failure, human error, and ex-employees deleting all data before leaving the company.
A word of caution: a simple copy-and-paste into an external HD is no longer a valid backup strategy in today’s context. You should be using a modern backup solution for the job.
When deciding on backup software, look for one that enables you to recover multiple versions (e.g. copies from the last seven days) and encrypts the files so that even when hacked, nobody can read the data.
f. Security Monitoring
The best way to know what’s happening in your network is to have an eye on it at all times.
There are two types of monitoring: Endpoint and Network. Essentially you have a Security Operation Centre (SOC) reviewing the logs of your workstations, network devices, and servers 24/7 for signs of compromise.
Depending on the type of SOC you engage, you may only hear from them when there are suspicious findings. Others will dig deeper to find the actual threats and deal with them.
The constant monitoring allows you to detect a wide range of threats — particularly “sleeping agents” that manage to slip in. This allows you to respond to the threats more quickly. Certain industries also require 24/7 monitoring as part of compliance.
Security monitoring is very effective against cybercriminals. Compared to other solutions, however, it can be expensive as you need skilled professionals who have the expertise to look for and deal with threats.
Today we went through the basic steps you can carry out to improve your company’s cyber security. We’d recommend starting with the first layer — your people and your internal HR policies.
Don’t stop there though. Remember, good cybersecurity is multi-layered.
To further tighten your cyber security, look into solutions that can protect you from the different types of cyber attacks. There are solutions such as URL filtering, email gateways, unified threat management, data loss prevention and more.