Small and medium-sized businesses (or SMBs) are not ready for cyberthreats. A 2020 report by PricewaterhouseCoopers Hong Kong revealed that 73% of SMBs do not have a dedicated cybersecurity team, and only 53% of them have antivirus solutions in place.
The same study found that while 90% of SMBs claim they have been able to detect cyberattacks within one working day, industry studies found that the average dwell time in Asia-Pacific is 54 days. This implies a disparity between how SMBs view their cybersecurity capabilities and their actual readiness for cyberattacks.
This sets up the context for a roundtable recently hosted by tech giant Lenovo titled: “Cybercrimes are the next pandemic SMBs need to look out for”. Moderated by David Lian, Managing Director – Asia, Growth & Innovation at Zeno Group, the event featured the following speakers:
- Roy Ng, Director, Small and Medium Business Segment, Lenovo Central Asia Pacific
- Chris Tan, Client Technologist at Lenovo Central Asia Pacific
- Ang Yuit, Vice President, Strategies, Development of Association of Small & Medium Enterprises
- Milad Aslaner, Global Director, Cyber Defense Strategy & Public Affairs, SentinelOne
Vulnerable to cyberthreats
To kick off the discussion, moderator David Lian asked: Why cybersecurity and why now? How has the pandemic increased cybersecurity threats for SMBs?
Roy Ng said that while SMBs are seeing a growing risk in cybersecurity, some operators think that because they are small, they are not at risk for cyberthreats. “According to the Cyber Security Agency of Singapore, more than 40% of cyberattacks in the country are on SMBs. Plus, the attacks aren’t always about getting a ransom. Sometimes, SMBs hold customer data which is valuable to attackers,” he said.
Ang Yuit noted SMBs are not ready for cybercrimes. “If you look at the last two years, COVID has accelerated a lot of SMEs to go digital. Many are scrambling to do this and a lot of the foundations are not there. The state of cybersecurity awareness is not good to begin with because SMEs take the ‘Tell me when the problem is there and I’ll deal with it’ approach.”
Yuit added that for SMBs, resources are focused on operations most of the time. “So very often, many SMEs view cybersecurity as an insurance policy. With the acceleration of digitalisation, if you look at the SMB community in the digital world, the attack surface area has grown as there’s so many more online,” he said.
Milad Aslaner remarked that nobody is immune to attack vectors. “I believe everybody has data that is interesting for someone else in the world. As long as that is the case, they will be targeted.”
Milad then asked: “What is easier to compromise: a small shop with one person responsible for IT and security, or a large corporation with a $1 million budget for cybersecurity? If I wanted to target a large corporation, I’d go first for the small business that is a contractor of that large corporation. I’ll start from there with my supply chain attack.”
Chris Tan observed that SMBs see cybersecurity solutions as costly, but he believes otherwise. “It’s not true. In fact, today, most of the cybersecurity practices are scaled down and offered as a service.”
Awareness and education are important
Chris also brought up the need to raise awareness among SMBs. “We do wish for SMBs to understand: there’s no one-size-fits-all solution. Many SMBs are already maxed out with their staff doing the business operations. They need autonomous solutions to help them. We need to understand their background so we can offer the proper solutions and advice,” Chris said.
Roy said that user education is very important as well. “One example is those phishing emails we receive. The user is actually more familiar with these hacking trends, and they can help employers avoid the exposure. Technology is one part, but education is equally important.”
The problem, Milad observed, is that there isn’t enough awareness yet. “There will never be enough awareness because SMBs are so focused on their core business, but cybersecurity is not part of it. Cybersecurity is a necessity because you have connected devices, and personal computing that you need for your core business. It boils down to people, process, and technologies that SMBs need to think about,” Milad said.
Milad raised a sobering thought: “If I’m an attacker, I’d attack the SMB first because it’s easier. Then I’ll just attach my malicious activity to the invoice that will be uploaded, which will be trusted by this big corporation – because it’s coming from their SMB contractor. There’s nobody who’s immune to cybercrime, so it’s important to understand how to protect, detect, respond, and recover from cyberthreats – not just internally from an organisation perspective, but also from a supply chain perspective.”
Yuit said there is some degree of awareness in SMBs. “I think the gap is if it’s big enough to hit home. I’ve spoken to different businesses that have been phished, it’s not that the awareness is not there. On an organisational level, there is a lack of understanding about the tech layer. As an individual, they know it, but it’s something they need to be more aware of as a business.”
He added: “Personal data is a good beginning. In Singapore, one of the great things is the Personal Data Protection Act (PDPA) facilitating the awareness drive and actions. We all know the ramifications of data leakage and the fines involved. From that perspective, people are more concerned and are looking at how to lock down their data, and they’re more aware of it.”
Partnering with experts
When asked about the key reasons SMBs don’t see cybersecurity solutions as accessible, Yuit had this to say: “Locking down your personal and work devices is one area. From the organisational perspective, I think what’s lacking is how an SMB masters a plan and puts it together. How do I then secure that whole line of data coming through? There’s not enough actionable access for SMEs to look at that.”
Yuit also said that SMBs are inundated with many different solutions and don’t know what to choose. “If we can start looking at the complete needs of the SME more comprehensively, and then tackle the chain down from beginning to end and see where it fits, I think that would help.”
Yuit added that SMBs can navigate this glut of choice by partnering with other organisations like the Association of Small & Medium Enterprises, which understand the needs of SMBs. “We know that there’s a demand in the market, and there’s a gap. How do we bridge that? There is an ongoing conversation,” he said.
Even with limited resources, Yuit observed that SMBs are actually receptive to taking on new technologies. “They don’t need to overcome legacy systems to adapt to new technologies to secure their workflow required by their customers. I see that as a positive factor,” he said.
SMBs can also work with subject matter experts to improve their cyber readiness. “People like Chris can provide SMEs with consultations, and understand where pain points are,” said Yuit. “They (subject-matter experts) know their (SMB) use cases, and can develop and recommend something more tailored and suitable, so that they do not drain resources,” he suggested.
As SMBs emerge from the pandemic, Milad said that the attack landscape will continue to evolve. “It will continue to change and increase, because the interest of the attackers will not go away tomorrow, next year, or 100 years from now. As long as there is interesting data or objectives for someone, there will be cybercrime,” he said.
Milad also predicted that more organisations will add cybersecurity requirements as part of their vendor agreements and contracts, as more supply-chain-based cyberattacks occur. “If you want to continue doing business with certain enterprises, you need to have cybersecurity,” Milad said. “Otherwise you will not get the business next time around. Comparing SMBs and enterprises, an enterprise might be able to operate for a day or two, or even a week after a cyberattack.”
“An SME that is out of business for a week or two will have dramatic challenges to get back to business. Thus, cybersecurity must be top of mind. What will work best is – because cybersecurity is not their core business – SMBs can partner with companies and/or industry-leading experts to outsource the problem. It will reduce costs and bump up their cybersecurity and maturity,” Milad added.
Areas of investment
During the Q&A section, the panel was asked about the key areas of cybersecurity investment that SMBs should focus on in the ‘next normal’ workplace. Milad said that it should be about ease of use, simplicity, and the quality of security. “We need to be smart with what budgets we have. When I look at technological investments and recommendations, how will a solution help me as an organisation to reduce cost or be more effective with the resources I have?” he said.
“The second aspect is simplicity. For example, if I think about ransomware attacks, there are so many solutions out there that can protect, detect, and respond. But how many solutions out there can roll back from a ransomware attack?”
“The third one is end-user awareness. It’s important for users to become more aware of how phishing campaigns look, and how it might not be the best idea to plug random USB sticks into a corporate device, but it is happening, and it is how attackers are successful,” Milad said.
Roy recommended visiting the Cyber Security Agency of Singapore website, which he said has a free cyber health screening functionality where SMBs can spot weaknesses in their web domain, email system, and connectivity.
Another question was raised regarding cyber insurance: Is it an easy way to ensure that SMBs have security in place? Yuit suggested it’s something SMEs should consider and compared it with cybersecurity in terms of cost. “You can scope out how much it (i.e. cyber insurance) costs, versus for an SME, if I look at cybersecurity, it’s a never-ending hole. I don’t know how much I’m going to invest.”
“When SMEs look at insurance, they know how much they’re going to foot. It’s a very viable route – although it doesn’t fix the root issues. The security problems are still going to be there. But it’s a way for SMEs to protect themselves, from a financial perspective,” said Yuit.
To pay or not to pay
The final question was about ransomware. Parts of the tech industry think paying ransom should be prohibited. What is the way forward for SMEs, especially if they’ve been attacked by a ransomware intrusion?
Chris saw ransomware payment as a touchy topic. “To pay or not to pay. There has been ongoing debate. Regardless, I think you need to make sure that your environment is clean. If it isn’t, the ransomware is going to return a second time. If they already have that backdoor to your infrastructure, you can keep on paying the ransom but it’s not going to end,” he said.
“If you’ve been compromised already, how will you ensure that you’re ‘clean’, in a sense that you’ve closed any form of backdoor?” Chris posed.
As for whether to pay or not, Chris said it depends on the business owner and how critical the data is. “I’ve seen the statistics, most of them do not actually get their data back. They don’t have to, but I’ve heard of cases where they paid and got their data back. It really depends.”
Yuit saw it differently. “If the cost and benefit is there, if we need the data, I think SMEs will consider paying for it. I have heard that amongst us, they say that very often, if you pay, you really do get it back. Unless somehow the key got lost, encrypted, or corrupted, so you can’t recover it. It seems like they (i.e. threat actors) are pretty ethical in delivering what they charge you for, that’s what I hear. I’ve never experienced it myself,” he said.
Milad shared that there has been an active debate in the United States on whether ransomware payment should be banned by Congress. “Just recently, the FBI stated that they don’t recommend to ban/prohibit ransomware payments because the attacker will still attack, the company’s going to hide that they’ve been compromised, and the ransomware will just exponentially increase,” Milad explained.
“There have been instances where ransom payments have been made to restore business continuity,” observed Milad. “In the end, it’s a risk-based management decision. How much does it cost me? Does it cost me less to pay and hope I get my data back and restore my business? Or does it cost me more to deal with the attack? After the attack, they need to figure out how it happened, and remediate why it happened in the first place. Because otherwise you’re just in an infinite loop with the attacker. Nothing prevents them from coming back tomorrow,” he concluded.