Does limited resources have to equal poor security for SMBs?
Does limited resources have to equal poor security for SMBs?
When Steven Lee was told a colleague was having problems with his laptop, he didn’t expect it to be serious.
In his role as the IT manager for an education company, he managed the IT over six tuition centres across Singapore as well as the devices used in each and those of the staff. But when he opened it up, he was confronted with a message saying that the laptop was locked and it was being held to ransom. To get it unlocked, he needed to pay US$1,500 in Ethereum to the hackers via an online exchange.
Ransomware is the latest tool in the cyberattackers arsenal following attacks around malware, phishing, DDoS, and SQL injections.
But as businesses continue to fall prey to hacking and cyberattacks, why security is still an issue for businesses and what they need to do to keep their data safe?
We spoke to Ian Lim, Field Chief Security Officer, Asia Pacific at Palo Alto Networks and Chris Connell, Managing Director for the Asia Pacific (APAC) at Kaspersky how SMBs in Singapore can best deal with security given limited resources.
More of the same old thing
Cyberattacks have become commonplace over the years and even more so as we began to Work From Home (WFH) with Covid-19.
According to Connell, the estimated financial impact of a data breach has started to decline with a breach in 2020 costing an SMB an average of US$101 thousand compared to US$108 thousand in 2019. However, this didn’t take into account intangible costs like reputational damage that also need to be considered.
Connell added that Kaspersky’s studies have shown that timely detection is essential when it comes to equating costs with the discovery of breaches. “Financial losses were 32% lower in enterprises and 17% lower in SMBs that could detect a breach almost instantly. To put this into perspective, if the cost of a breach when instantly discovered was US$98k, this will cost SMBs US$118K if the breach was discovered a week later,” he added.
According to Lee, when the Singapore Government closed tuition centres and they had to switch to online teaching, there was a rush to ensure that teachers were equipped with a device that could video conference, an adequate camera, and sufficient bandwidth for video streaming.
“It didn’t mean that there wasn’t a focus on security, just that it wasn’t the first thought that came to mind,” Lee said, “Devices like laptops that were new had some form of basic security but some staff members using their own devices had let their own security subscription lapse.”
As to why businesses were still vulnerable after so many years of hearing about security, Lim said that the reason why SMBs were still vulnerable to malware and ransomware attacks was three-fold.
- Firstly, the pandemic opened up a lot of attack surfaces because people started working from home and companies began investing heavily in digital capabilities.
- Secondly, attackers are constantly evolving and many SMBs see security as a point-in-time initiative -- they are not updating their security capabilities to keep up with attackers.
- Thirdly, the pandemic has put a lot of pressure on SMBs to pivot their business, retain their employees and stay profitable, which takes time, focus and budget away from cybersecurity. In addition to malware and ransomware, phishing and in particular, business email compromise are still very prevalent in SMBs.
But given that businesses access the Internet via service providers like Singtel and StarHub, can’t they handle security?
Most service providers do offer business customers some form of managed security service. But like all things, there is a cost.
Lee said that his company had considered outsourcing security before but had baulked at the cost so they’d resorted to a simple push system of updates and simple anti-virus protection.
For Connell, all businesses should be looking to ensure that all the links in their cyberspace are adequately backed up and protected. He also warned that securing internally wasn’t enough, a business also needed to look at their partners and suppliers to ascertain that their third-party service providers have taken steps to guard against data breaches.
Why can’t technology solve everything?
As businesses of all sizes continue pivoting to the cybersphere and accelerate their digital transformation, now more than ever, cybersecurity solutions should also keep pace than remain in the era of traditional security infrastructures.
For Lee, using technology solutions like device managers, security monitoring dashboards, and VPNs has helped his device and security management and maintenance easier. But he is hoping that technology can help him to more and further reduce the burden on chores like monitoring and responding.
Around this, Lim said that we can build automated security workflows to address mundane cybersecurity activities such as removing phishing emails from users’ inboxes so that the limited security staff can focus on higher-value activities. Artificial Intelligence (AI) and machine learning (ML) to correlate from various sources such as endpoints, firewalls and cloud to baseline normal behaviour and flag anomalies.
“Automation in cybersecurity has definitely come a long way but here’s the catch: our adversaries are human and they are constantly evolving,” he said, “We can use automation to help but the human element plays a pivotal role in a successful cybersecurity posture.”
Connell added that with the rapidly changing needs of digital businesses, traditional security systems is no longer a silver bullet that will always be able to keep up with the ever-changing needs and demands.
Solutions like Software-defined security implement a computing environment for a business's information security that is controlled and managed by the security software, and can be automated, he added.
But automation isn’t the magic bullet for cybersecurity.
Lim cautioned that while automation in cybersecurity has definitely come a long way but there is still a catch. “Our adversaries are human and they are constantly evolving. We can use automation to help but the human element plays a pivotal role in a successful cybersecurity posture,” he warned.
Government legislated security?
There is currently no government legislation around a minimum level of security for SMBs in Singapore.
Given the number of SMBs in Singapore, Lim said that increasing attacks on them can affect Singapore’s workforce and economy. And all too often cybersecurity is seen as an optional expenditure as it doesn’t lend itself directly to the bottom line. “To that end, legislation might be helpful to establish the appropriate structure and standards for cybersecurity policies for SMBs.”
For Lee’s company, he said that management fears that the cost of government legislated security would have to be passed on to their customers and cause them to look for cheaper alternatives.
Connell said that we need to take a step back and recognise that cybersecurity is not a one-size-fits-all solution. He said, ”An organisation’s cybersecurity strategy needs to take into account the unique needs of the business and for SMBs, their ability to balance potential minimum requirements against their immediate needs of growth.”
Taking care of the future
Even after so many years, we’ve been talking about security, there exists a disconnect between the awareness of the need for security and implementation.
Connell added that at the end of the day, cyberattacks are still dependent on finding the weak links in a company’s defences and taking advantage of them. But in these hybrid working times, 73% of employees have not received any IT security awareness training from their employer since transitioning to working from home, leaving them and the business vulnerable.
Lee says that many of his staff feel that the security that comes with their laptops is enough to keep them safe. “They are aware that there are threats but they rely on what they have and what the company gives them to keep them safe. But as we’ve seen, that isn’t the case.”
Lim explained it by saying that knowledge is one thing, taking action is another and that being in an SMB doesn’t make you any less of a target than an enterprise. “Attackers are opportunistic and they see SMBs as easy targets with minimal IT Security capabilities, training or staffing,” he added.