When it comes to cybersecurity, SMEs may often be the weakest link in the supply chain that cybercriminals target for cyber-attacks. What should be done?

Technology has reshaped the way business is done today. Every company, regardless of its size and nature of business, has some element of digital technology that is core to its operations.

While such technology provides – among other benefits – competitive advantages, improved productivity and better control of operational processes, it also means the business can be vulnerable to cyber-attacks.

A survey conducted by Chubb has revealed a significant perception gap between cyber risk and how prepared Small and Medium Enterprises (SMEs) in Singapore are to deal with it. 

According to the Chubb SME Cyber Preparedness Survey, nearly two-thirds (63%) of respondents believe they are less vulnerable to cyber incidents than large companies, yet the majority of SMEs (56%) have experienced a cyber error or attack in the last 12 months.

The findings also show that the cyber incidents which occurred over the past year were mainly due to internal factors, including system malfunction or technical fault (22%), human error causing business interruption or data loss (20%), and data loss through system malfunction or technical fault (16%).

Cyber-attacks for SMEs on the rise

“Many SMEs believe they are too small to be targeted by cybercriminals or that internal issues will not greatly impact them. They think they are too small to fail.  However, our own claims data highlights numerous small business compromises that are decimating the cash flow of small businesses,” said Andrew Taylor, Cyber Underwriting Manager, Chubb Asia Pacific.

He continued: “In fact, smaller companies have a relatively larger exposure, as they face the same threats as larger businesses but do not have the means to implement comprehensive protection, leaving significant risk uncovered.”

“SMEs should never underestimate the value of the data they have, and they should move away from the mindset that they are too small to be attacked,” said Sumit Bansal, Senior Director of ASEAN and Korea at security company Sophos.

“Today’s business realm has no boundaries. Attack vectors and attack surfaces have changed. For cyber-attackers, it’s constantly about finding the weakest link and that could be man, machine or method. When it comes to IT security, SMEs are in a tight spot. Potential cyber-attacks on SMEs are on the rise, as they do not have the wherewithal to proactively combat the unknown.”

Are SMEs overconfident in managing cyber-attacks?

The survey reveals that most Singapore SMEs are confident in their ability to overcome a cyber breach following an attack. Three quarters (72%) of the respondents believe they can overcome a cyber event, with the majority (55%) believing they can contain a breach within 12 hours.

This seeming overconfidence is contradicted by:

  • 66% believe they are not aware of all the cyber threats they face.
  • 32% of SMEs who experienced cyber incidents did not know which data files were affected.

Although cyber incidents make 62% of SMEs realize they are more vulnerable than they had previously thought, only 44% increased their security following a breach and one quarter (22%) took no action at all.

Whenever a data breach or cyber-attack happens, a lot of legwork often goes into examining its root cause. Sumit explained: “For SMEs, they simply do not have the time, budget or expertise to threat hunt, nor do they always understand why they need to do it. Even if SMEs see the value, their budgets do not come close to having a dedicated in-house team.”

He added that the sheer volume and diversity of malware, frequency of attacks and wide availability of toolkits on the dark web have meant that any compromised data could potentially end up there for sale.

Once that happens, he said, cybercriminals are able to fabricate the data or assume the stolen identities. The consequences are lasting, damaging and crippling to businesses.

What SMEs should do

Some steps he suggested that SMEs can take to strengthen their IT security include: 

  • Focus on the basics – Ensure that they have more than just the base security measures in place. It is important to ensure that these measures and applications are updated and patched on a regular basis. It will also help to speak to vendors to get expert opinion and to discuss the best solutions that will suit their IT requirements. There are solutions, such as those from Sophos, that analyse millions of threats to track and alert users to new threats, and then provide a full run-down on a clear and intuitive online hub. This will ensure that even SMEs get a wide-ranging understanding of the threats posed to their businesses, and hence reduce the time it takes to respond to attacks and ensure they stay protected.
  • Improve login hygiene – Steps such as implementing two-factor authentication and providing access to sensitive information on a restricted or need-to-know basis are crucial. Many data breaches tend to occur through personal devices, so it is important to ensure that security processes and systems are in place to prevent threats from being picked up in a public domain.
  • Under virtual lock and key – Small businesses need to ensure encryption as an unavoidable cost that goes with compliance, rather than as an investment that helps keep the business healthy. It gives you a valuable extra layer of protection against hackers.
  • Knowledge is key – While it is important for SMEs to have a security strategy, education plays an equally important part in that strategy. SMEs need to change their mindset because having the latest security solutions might not mean that they are safe from threats. The right culture and environment need to be cultivated so that cybersecurity is seen as a priority.

“Putting these tips into practice will ensure you are not just able to defend against potential attacks but defend in depth,” said Sumit.

Cyber insurance – a lack of understanding

The Chubb survey also uncovered a lack of understanding of cyber insurance, with two-thirds (64%) of SMEs in Singapore not fully understanding the insurance solutions available, while 70% have never purchased cyber insurance.

In addition, almost half of the respondents (48%) would value advice on how to protect themselves from cyber-attacks as well as having a hands-on response service. “Clearly, there is a need for more education about the value of cyber insurance among SMEs.  This is why we place a strong emphasis on our preventive advice as well as response support,” said Tim Stapleton, Senior Vice President, Cyber & Technology, Chubb Overseas General.