By Ricky Kapur, Vice President of Sales, Marketing and Operations, Microsoft Asia Pacific.
The past few months have brought unprecedented change to people and organizations around the world. Retail moved almost exclusively to e-commerce platforms and businesses had to rapidly pivot their operations online and in the cloud. As our CEO Satya Nadella puts it, in 2020, we’ve seen two years’ worth of digital transformation in two months – a truly phenomenal pace.
The immediacy and scale at which we had to adapt brought new security challenges. Our recently launched Digital Defense Report revealed that attackers have taken advantage of these challenging times to capitalize on opportunities every day, with every country in the world having at least one COVID-19-themed attack. Attackers have also exploited gaps in traditional security policies, which didn’t cater to an all remote workforce – we’ve seen entire networks ransomed in under 45 minutes, and an increased number of distributed denial of service (DDoS) attacks.
SMEs NEED A SECURE, REMOTE WORKFORCE
As digital transformation continues apace across all sectors, every business regardless of size is at risk of a cyberattack. This Cybersecurity Awareness Month, we must build safeguards and be prepared to combat lurking cyber threats.
And small-and-medium enterprises (SMEs) are often more vulnerable.
Many small businesses don’t think about cybersecurity until after a security breach. Not having cybersecurity can cost your business money, time, and result in lost sensitive information. Based on industry conversations, we learn that a large percentage do not know how to protect their companies, lack dedicated IT staff and have inadequate computer and network security.
Failing to invest in cybersecurity actually costs more in the aftermath of a cyberattack, in terms of money, time and loss of sensitive information. In the past year, SMEs were the target of 43% of cyberattacks, and on average, the cost of each attack was $184,000, with a report suggesting that 60% of small businesses fold within six months of a cyberattack.
These statistics are concerning for the Asia Pacific region, where SMEs comprise more than 98% of enterprises and employ 50% of the workforce. They are an integral part of the region’s social and economic well-being, contributing up to 40% of the national GDP in countries like Malaysia and Singapore.
COMMON CYBERSECURITY THREATS FOR SMEs
The first step of preparedness is awareness and as an SME, you need to know the threats to watch out for. Here are some common ones:
- Email and phishing scams use email and text messages to hook their victims. They often send fake but official-looking information that ask victims to click on a link to enter sensitive financial and personal data. The data is then used for identity theft or resale.
- Passwords. Cyber criminals can get access to your passwords by tapping into databases, looking at servers to find unencrypted passwords, and using email, text messages or social engineering.
- Server attacks. DOS (Denial of service) SQL injection and drive-by attacks target websites and servers. DOS attacks overload system resources so it can’t handle the volume of service requests. SQL attacks read and modify sensitive data in databases. Drive-by attacks plant a malicious code that will infect a visitor’s system to capture and transmit sensitive data.
- Man-in-the-middle attacks involve hackers intercepting data from a victim on a fake page. These attacks are complemented by the use of phishing.
- Social engineering attacks involve human interactions to acquire sensitive information. This can include phishing attacks and also physical activities. For example, a bad actor could leave a USB key loaded with malware in your business. An unknowing employee could plug it into a company computer, exposing the system to malware or other malicious programs.
TIPS FOR SECURING YOUR SME FROM CYBERSECURITY THREATS
With business continuity at stake, SMEs can guard their organization’s intellectual and personal information.
- Invest in cloud-based endpoint protection technology. Security technology is fundamentally about improving productivity and collaboration through inclusive end-user experiences. With the shift to remote work, it’s important to empower employees to work whenever and wherever.
- Have a plan for devices. Employees are also likely to be working on sensitive business data across multiple devices, so be prepared for this potential vulnerability by incorporating mobile device security into your cybersecurity plans.
- Set up multi-factor authentication to login to apps and systems. This brings an additional layer on top of a strong password and is an important way to reduce risks of identity compromise. Users receive a numerical code by email or text message and enter it along with their password to gain access. Biometric features like Windows Hello can also help make the login process quicker and more secure.
- Embark on a Zero Trust journey. A Zero Trust strategy has moved from being an option to a business priority, with our shift to remote work. Companies relying on traditional security solutions such as firewalls were more susceptible to COVID-19 themed attacks. In time, Zero Trust architecture will become the industry standard, which means everyone is on a Zero Trust journey whether they know it or not.
- Assess risks and vulnerabilities. Cybersecurity underpins to operational resilience. Hire an external consultant to test systems that have external access, such as websites, drives and folders. Create procedures to follow in case of a breach and make network and computer security top priorities, on par with other key business priorities. Following that, regularly evaluate risk thresholds and ability to execute cyber resilience processes through a combination of human efforts and technology products and services.
- Update your software and systems continuously. Make sure you’re running the most updated and newest versions of softwares and security patches. Properly configure network security and use antivirus software.
- Backup all your data as protection against ransomware attacks. Use an offsite cloud provider in addition to on-site backup.
- Leverage cloud-based integrated security solutions. A remote workforce has shown us that security must be beyond a solution deployed on top of existing infrastructure. Integrated security solutions make it easier to develop a comprehensive cyber resilience strategy and to prepare for a wide range of contingencies.
- Employee training is key; employees can be your first line of defense against cyber threats. In 2019, we blocked over 13 billion malicious emails, of which 1.6 billion were URL-based email phishing threats. Make sure to actively communicate security policies to employees, along with prevention education and guidance on reporting suspicious emails.
- Have digital empathy: To say that we are living in unprecedented times is an understatement. We’ve had to adapt to new ways of life, in our homes, and our workplaces. At times like these, we need empathy more than ever. Empathy is the ability to understand the feelings and thoughts of another person. To walk in their shoes. During times of constant disruption and change, empathy can reduce stress and bring people together. By applying empathy to digital solutions, we can make them more inclusive. In cybersecurity, that means building tools that can accommodate a diverse group of people’s ever-changing circumstances. It also means developing technology that can forgive mistakes.
SECURITY IS THE FOUNDATION OF DIGITAL EMPOWERMENT
Cybercriminals will always be looking for ways to attack and steal data. So security should be an individual responsibility and practiced conscientiously. We need to adopt good internet habits and remember that we all have a stake in the security of our personal and organizational data.
While we can’t predict the threats, it’s essential for every business leader and employee to have a digital security first mindset. It’s equally important to have digital empathy to ensure our remote workforce continues to feel engaged and ensures your business continuity and resilience.