Cyber resilience key as SMEs step up digitalisation efforts

by Andrew Mahony, Head of Cyber Solutions - Risk, Asia, Aon

As more and more Small and Medium Enterprises in Singapore step up their digitalisation efforts with the help of government grants, it is important not to ignore the cyber threats that they may face, especially as many employees continue to work remotely. The ability to operate and connect remotely, which has seen us through this period, will remain critical and needs to be protected. A significant increase in remote work is likely to be an enduring legacy of COVID-19, given the obvious benefits to employees, the business bottom line, and the environment. The challenge for SMEs is to ensure that these employees are equipped to manage the increased cyber threat that COVID-19 has already enabled, as hackers look to take advantage of the pandemic and the increased attack surface that a Bring Your Own Device (BYOD) environment necessitates. A successful cyber-attack can pose an existential threat to smaller organisations which are not equipped to respond to the risk and do not have the cash reserves available to handle the financial impact. As we outline below, practical, affordable measures are available to SMEs to mitigate this risk.

Defend Against the Phishing Wave

Threat intelligence firms and government organisations have warned of an increase in malicious email traffic in recent months, with some phishing emails masquerading as official correspondence regarding COVID-19. To manage this threat, SMEs can conduct simulated spear phishing campaigns to test employees on a regular basis and these attacks should reflect the malicious emails the company is receiving. This is a relatively inexpensive exercise and when this information is shared with employees, they are better equipped to identify genuine spear phishing attempts.

The success of a remote workforce is also contingent on securing the digital infrastructure that has made this transition possible. Where possible, employees should be provided with laptops that are equipped with a Virtual Private Network (VPN) solution that uses multi-factor authentication. Devices should be fully patched and regularly updated and ideally, advanced endpoint protection tools will be installed to identify and defend against a range of attacks. For SMEs, the cost involved in equipping all employees can be prohibitive. For those companies, requiring employees to access systems via a VPN should be a priority. Employees should be encouraged to upgrade VPNS regularly, as vulnerabilities in older VPNs have recently been exploited to facilitate ransomware attacks.

Understand Changing Exposures

Outside of the office environment, many SMEs have pivoted to digital platforms to meet consumer needs. Restaurants are connecting directly with patrons or through delivery services, tele-consulting has become common for medical professionals and teachers are connecting with students via a range of videoconferencing apps. These may have started as temporary measures but the uncertainty around the easing of lockdown restrictions means they will be relied upon indefinitely. With this increased reliance on technology, SMEs will need to be aware of how their risk profile has changed as well as the potential financial impact of a cyber event.

Companies increasing their digital footprint may find themselves subject to data privacy regulations which, across Asia, continue to evolve and are trending towards alignment with the European Union General Data Protection Regulation. In Singapore, for example, amendments to the Personal Data Protection Act are expected to be tabled in Parliament later this year which may see harsher penalties (up to 10% of annual turnover) as well as requirements that breaches be notified to both the Personal Data Protection Commission and data subjects themselves. Even with the less severe penalties currently in place, the legal and forensic costs required to comply with a regulatory investigation can be significant.

Ransomware attacks – and ransomware payments – are also on the rise and these can have a crippling effect on SMEs when data cannot be restored from backups. These attacks are increasingly popular for hackers as they can prove more lucrative than selling compromised data on the dark web. While it won’t prevent the attack, backing up data securely and frequently can significantly minimize the downtime and subsequent financial impact, and help a company to avoid that awkward question – to pay or not to pay.

Brace for Disruption

This increased exposure should not halt the progress towards remote work and increasing connectivity - the benefits far outweigh the risks. But prudent steps can be taken to manage the threat of malicious cyber activity. SMEs can assess their cybersecurity posture and their changing exposure to cyber events and be prepared to respond to the worst, through business continuity planning and establishing an incident response network. Companies can also safeguard against the increased risk of disruption or data breach through a robust cyber insurance policy which can provide cover for the costs of engaging forensic and legal experts in response to an attack, business interruption losses and liability arising from a breach. For SMEs, premiums and deductibles on these policies are much lower than what is available to larger organisations with greater exposure to sensitive data.

The world that emerges from the pandemic will undoubtedly be a different one. It is important not to lose sight of the positives that have emerged from this unique period while we slowly embrace the return of some form of human interaction: the connection with family, the slower pace of life and, for many, the realization that working from home really works. By taking the steps outlined above that is preparing employees for spear phishing attacks, providing the digital infrastructure necessary to secure systems, increasing awareness of cyber risk and their financial impacts and transferring that risk via insurance, SMEs can confidently face the brave new digital world.