SMBs under threat: understanding the effects of organised cybercrime

Amin Talebi Kahangi, Managing Director, SRKK Singapore

With its current trajectory, cybercrime will cost the world $10.5 trillion USD annually by 2025. One key takeaway is this — cybercrime is big money, and this explains the growing threat of cyberattacks on a scale like never before.

In Singapore alone, organisations are facing an average of 54 security incidents a day, and 62% of cybersecurity professionals in the city-state find it challenging to keep up with the attacks. Cybersecurity organisations such as the Cybersecurity Agency (CSA) have even urged businesses to improve and invest in stronger digital security measures.

These worrying attacks are far from random. They stem from fully organised enterprises specialising in cybercrime, and business models like Cybercrime-as-a-Service, Phishing-as-a-Service, and Ransomware-as-a-Service are increasingly apparent on the dark web, paving the way for more cyberattackers in the industry.

This essentially means that businesses, no matter their size, should never be complacent about their cybersecurity measures. Known to bring about business closures, cyberattacks are mostly significant and can cause irreparable damage — but understanding their long-lasting effects can paint a realistic picture for business owners and help them initiate intuitive countermeasures.

#1: Steep losses to cover damage control and compensation

Ransomware attacks have increased tremendously over the past year, with the main targets being small and midsize businesses (SMBs) and social media platforms. Using the ransomware-as-a-service model, hackers are able to use existing infrastructure to push out ransomware payloads and hold critical files, systems, apps, and personal data to ransom.

Alongside the loss of data comes the financial harm to a business, particularly when there is a risk of highly confidential information being compromised. This risk could open avenues for businesses to be sued by dissatisfied clients, resulting in the need to pay for compensation to clients, legal retainer fees, and even crisis communications.

Eventually, organisations will lose out on significant portions of their revenue — out of 500 cybersecurity decision-makers in Singapore, 80% noted that security breaches in the past 12 months led to losses of up to 10% of their organisation’s revenue.

#2: Crippled productivity and business continuity

When attackers destroy or cut off a business's access to valuable company information, operations have no choice but to halt until demands are met. Without productivity and progress, companies lose huge amounts of money, time, and ultimately, revenue as hours and days go by.

Nearly every business experiencing a cyberattack has been forced to shut down part or all of its operations until the attack is resolved. This particularly impacts SMBs from sectors such as IT and manufacturing, which operate round-the-clock, leaving them precious little time to strengthen breached systems. This also allows ransomware groups to exploit their vulnerabilities to the fullest.

#3: Plunging reputation and broken customer trust

Trust is the essence of every relationship. Hence, in addition to loss of revenue, businesses affected by cyberattacks will also have to contend with issues such as a loss of client confidence and investor backing, potential losses of contracts, and a decreasing brand value. More than the immediate losses, it is the potential losses and the accompanying “what ifs” and “maybes” that may further damage a business’s reputation with new potential clients.

As for the public, a cybersecurity breach will be seen as a failure of the company’s mandated role in protecting its customers’ data, leading to feelings of betrayal and a loss of confidence. While businesses may have the resources to recover and build up their reputation again, the financial ramifications, as well as the loss of customers and company value, will immensely set the company back.

#4: Costly intellectual property disputes

Multiple major companies have USPs and rely on the confidentiality of this intellectual property for the continuation of their product line. For example, F&B businesses such as KFC, Cadbury Chocolates, and Oreo Cookies are known globally for their iconic recipes.

Even sundry items such as Panadol and Colgate have such a hold on the general public that they are instantly recognised as the default brand, with many often referring to generic versions of the same items by the specific brand names. Should any breach or leakage of these recipes and formulas occur, however, it could spell doom for their entire business.

#5: Forced revamping of operations, regardless of preparation

Albert Einstein defined insanity as doing the same thing over and over again and expecting different results. In this vein, businesses which have been affected by cyberattacks have no choice but to revamp their operations process, be it by shoring up or heavily investing in all-new cybersecurity protocols, or by altering their mode of operations to prevent the occurrence of similar security breaches.

This could also include courses on digital literacy focusing on cybersecurity for staff in order to improve awareness of potential risks online. Businesses may also have to rethink how they collect and store information to ensure that sensitive information isn’t vulnerable (for example, many companies have stopped storing customers’ financial and personal information, in a bid to dry out potential data mines for hackers).

What must first be understood by businesses is that cybersecurity is not a one-off purchase — it is a long-term defence which needs to be kept “alive” to provide effective protection against cyberattacks. Some steps to take include partnering with a cybersecurity consultant who can provide professional advice on how to strengthen and create an up-to-date cybersecurity infrastructure. Additionally, a company can hire a Chief Technology Officer (CTO) to determine its short- and long-term security needs.

Equally important is having a basic grasp of existing cybersecurity risks and how they can be avoided — businesses can achieve this by providing opportunities for employees to learn more about the latest IT security trends and threats. In addition to improving their awareness of the subject, this also empowers them to make informed decisions in keeping potential threats at bay, while helping close any existing gaps in a business’s IT infrastructure.