If there is one key takeaway from the experience we have gone through in 2020, it would be to be prepared for risks. Planning for the unexpected can make a difference in how businesses mitigate uncertainties. This is especially critical for Small and Medium Enterprises (SMEs) as they are more vulnerable due to their lean operations and smaller budgets.
But what about data risks? As digital technologies pervade business environments, data risks are becoming a critical reality in boardrooms. The proliferation of decentralised work, for one, has created new cyber vulnerabilities for businesses. Nearly two-thirds of SMEs reported experiencing a cyber incident over the course of 2019, and the number of successful COVID-19-themed phishing attacks increased throughout the first few months of 2020, according to a report put out by insurance company Chubb. Also, these figures are set to rise if cyber resilience is not strengthened quickly.
There is also the fact that cyber attackers are becoming more sophisticated. For instance, cyber criminals are now using artificial intelligence (AI) to analyse behavioural patterns and identify weaknesses to increase the effectiveness of their social engineering attacks. In line with global trends, Singapore and the rest of ASEAN witnessed an increase in complexity as well as scale of cyber threats. This has resulted in hefty losses for businesses across verticals, from e-commerce to manufacturing.
Compounding these threats are the existing gaps between perceived and actual preparedness for data loss among local SMEs. Chubb also reported that more than half (54 percent) of data breach incidents were caused by a risk SME leaders had already identified, but failed to act on. Almost every organisation that reported a ransomware attack was running anti-virus software, had firewalls set up, and had other cyber security software in place – yet they were still penetrated.
This is interesting because it signifies the importance of data protection and its role in a larger cyber security strategy. Cybersecurity and data protection should not be siloed but complement each other to provide businesses with full control over their data.
In this year of disruption, it is timely for businesses to analyse their data risks and strengthen their approach to data management and protection. Here are three ways SMEs can kickstart this journey.
Prioritising Your Frontline Defence
When it comes to cybersecurity, humans are the weakest link.
The global shift to remote working this year created a massive remote workforce that needs to access corporate data from home networks. What may not be obvious is that many employees working from home may also be doing so using consumer-grade personal devices that lack proper security. Most workers may not even be aware of the associated risks and possible consequences of these actions. They may also be unaware of the options available to them as they struggle to get work done away from the office while balancing family and personal commitments.
The common theme here is the lack of cyber awareness.
SMEs should actively educate their employees about data risks and provide training on data handling and security. Beyond protecting data stored on devices, employees also need to be aware of the protocols when transferring data between devices, or between data centre or cloud storage and devices, as well as between data centre and cloud.
Knowledge is power. Educating employees can go a long way in keeping the frontline defences of a business strong.
Strengthen Protocols for Data Classification
While employees play their part, businesses need to establish the right protocols too. Aside from strengthening defences, how can businesses protect their most valuable asset – data? This is even more important for sensitive data, such as personally identifiable information, including names and contact details, identity card numbers and credit card information. This year, especially, we see sensitive data collected and managed for contact tracing and other health and safety control reasons.
Sensitive data needs to be protected and safeguarded in accordance with data regulations. Not everyone in the organisation should be able to access sensitive data either. But first, businesses need to identify the sensitive data before protecting it.
To do this, I always suggest asking these three questions: what is the nature of data being collected? To whom does it belong? What is its intended use? Once these answers have been identified, the right protocols can be set up to protect this data efficiently.
Government organisations are also calling for stronger data protection measures. Singapore has recently amended its PDPA legislation to encompass more comprehensive data protection measures for businesses, safeguarding data privacy and security. Such measures emphasise the part everyone plays in the security of our shared cyberspace, as outlined in Singapore’s Safer Cyberspace Masterplan.
The right data protection calls for strong security that begins with stringent data classification efforts. SMEs can take reference from local and regional regulatory frameworks should they be unsure about their next steps.
Balancing Flexibility with Risk Awareness
Adopting new technologies and accelerating digital transformations may seem daunting for SMEs because of the data risks that come with them – but they do not have to be. Forward-looking businesses will know the importance of having a contingency plan to minimize such risks.
To mitigate cyberattacks, businesses will require risk awareness coupled with the flexibility to respond effectively. Flexibility and risk awareness are a combination of people, process and technology. The people and process aspects require business leaders to inculcate a culture of accountability and responsiveness, while the technology aspect is about empowering employees with adequate tools to respond effectively.
SME leaders should waste no time in nurturing employees with the relevant knowledge, skills and tools to mitigate risks and recover from attacks. Just like we would plan for credit risks in a financial crisis, data risk-aware businesses will balance data risk appetite with cyber security budgets. By targeting resources strategically, SMEs will be able to secure their digital transformation for the long term.
SMEs that take a strategic stance in cybersecurity awareness and protection are better positioned to thrive in the increasingly digitalized business environment moving forward.
The important thing to note is that everyone within the business organisation, and not just IT, is responsible for data management and security. SMEs will need to step up their efforts to ensure that employees of all levels are aware of data risks. They will also do well to nurture a long-standing culture of data and risk awareness.
SMEs are the key driving force for Singapore’s increasingly digital and data-driven economy. As many accelerate their digital expansion plans, understanding the associated data risks will be critical in successfully scaling up competitiveness in the marketplace.
The contributor is Vice President & General Manager, Asia Pacific and Japan, of Commvault