Small and medium businesses (SMEs) running on tight budgets are now just as attractive a target for cyber criminals as the grand prizes of large companies with more sizeable online footprints.
These SMEs can be infiltrated then commandeered to engineer a large-scale cyber attack on bigger targets. Or they can be targets themselves for the increasing amount of sensitive data they churn out thanks to the digitalisation of operations.
Particularly in Asia-Pacific, these vulnerable SMEs have to put up stronger defences and be better prepared for the inevitable online threat, says Robin Schmitt, the general manager for Asia-Pacific at Neustar.
The company started out as a domain name registry and provider of number portability services but has since branched out into security services as well.
Schmitt tells Techgoondu in this month's Q&A that SMEs cannot afford to lag behind when it comes to cyber security, especially in Singapore, where regulations protecting private data require them to have safeguards against online threats.
NOTE: The responses have been edited for brevity and house style.
Q: How would you rate Singapore SMEs’ readiness in terms of defending themselves against today’s online threats?
A: Asia-Pacific as a whole is less prepared to deal with online threats than the rest of the world. The region leads the field in the amount of damage left in the wake of a distributed denial of service (DDoS) attack, with 20 per cent of enterprises here not even planning on investing more in DDoS defence, according to the recent Neustar DDoS Attacks & Protection report.
The report found that 77 per cent of organisations in the region have sustained DDoS attacks, compared to 75 per cent of organisations in Europe, Middle East and Africa (EMEA) and 70 per cent in North America.
Worryingly, 43 per cent of Asia-Pacific organisations took three or more hours to detect a DDoS attack, the highest proportion compared to respondents in North America and EMEA. This reflects the general unpreparedness in this region.
Only 19 per cent of Asia-Pacific organisations detected a DDoS attack in under an hour, compared to the global average of 29 per cent. The organisations are also slow to respond. It took 45 per cent of APAC organisations three or more hours to respond. That’s centuries in Internet time.
Singapore SMEs are just as vulnerable to attack as SMEs in other countries. Companies of any size can be targeted by cyber criminals in today’s Internet-connected world.
And SMEs are also a good way to target the larger companies they serve. In Singapore, 99 per cent of enterprises are SMEs. This makes increasing awareness of good cyber hygiene among Singapore SMEs crucial.
Q: Recently, a karaoke chain was fined for not having protected its customer data adequately from a cyber attack. Do you think SMEs here understand the risks they face in data protection?
A: It really depends on how technology-savvy the management of that SME is. Many startups today are tech-oriented and their founders do understand the financial and reputational risks of not adopting good cyber security and know where the major vulnerabilities are.
It has to be highlighted that the Personal Data Protection Commission only took action against rule breakers in April 2016, although the Personal Data Protection Act took effect mainly in 2014.
As more companies receive heavy fines for failing to protect consumers’ personal data, even less tech-savvy SMEs are beginning to realise that they are liable for not protecting customer data adequately, whether that data is stored in electronic or non-electronic forms.
Q: Is it fair to expect SMEs to invest in sophisticated cyber defences or hire experts like a chief data officer to safeguard customer data?
A: What is fair is to expect SMEs, as with a company of any size, to be aware of the dangers of conducting business online and to take what steps they can to avoid cyber attacks.
While it may be ideal to adopt sophisticated solutions and hire in-house expertise that can support the technology, demand outstrips supply for security and data talent. SMEs tend to lack the budgets that larger companies have in protecting themselves from cyber attacks.
SMEs can consider outsourcing some or all aspects of cyber protection instead. There are companies specialising in offering a wide range of security-as-a-service options, enabling SMEs to balance their budgets against what is “nice to have” versus what they absolutely “need to have”.
And while they may not have specific in-house data or security expertise, they can still appoint someone senior to ensure a top-down approach to a security-first attitude in business operations.
Q: Briefly, what are the strategies that an SME can adopt in an era where their IP cameras could potentially be taken over to carry out an attack on someone else?
A: We’re fresh from recent attacks by the Mirai botnet, which has been responsible for some of the largest and most disruptive DDoS attacks the world has seen.
With the rise of insecure IoT devices including IP cameras, Mirai-like DDoS attacks will definitely grow in size, complexity, and ferocity in 2017.
Ransomware, phishing, and malware have all proved so effective for cyber criminals this year that next year is likely to see more attempts at theft, disruption, extortion, and impact.
SMEs can protect themselves by obtaining threat and risk intelligence to help make decisions on what to prioritise. They have to continuously monitor the network, and also run vulnerability assessments, penetration tests and security audits.
Being prepared is important as well, by having a plan to handle a data breach. This plan should include a process to notify victims within 30 days and deal with lost or stolen devices.
Hiring third-party consultants will also help provide an independent assessment of their readiness and help improve employees' awareness and prepare to mediate a security breach.
Last but not least, SMEs should start with identifying what’s most valuable to them and taking steps to ensure that those “crown jewels” are protected.
No one can protect everything all of the time, but SMEs can ensure that their most important data is given maximum protection.