Employees 'best line of defence' to prevent cyber attacks

Small and medium enterprises (SMEs) should not have to spend a large percentage of their budget on cybersecurity if they take proper care and invest in employee education.

This is according to Aaron Eilat, the general manager of Custodio Technologies, a local cybersecurity SME that was established in 2014 and brought cyber research and development, as well as know-how, from Israel to Singapore.

"Investing in cybersecurity solutions is very important to improve cybersecurity. However, SMEs need to invest in educating their employees, as they would be their best line of defence," Mr Eilat said in a recent interview with SGSME.

According to a QBE Insurance survey in 2017, up to 35 per cent of smaller SMEs in Singapore do not have cyber protection at all. 

Another survey done last year by EiQ Networks said that about 86 per cent of SMEs globally have less than 10 per cent of their total budget for information technology (IT) allocated to cybersecurity.

Mr Eilat said that industry-wide, expenditure on cybersecurity by SMEs is expected to go up, and SMEs are said to be the fastest growing customer segment, with a 12.8 per cent per annum increase in cybersecurity spending.

According to a 2016 Ponemon Institute report on the state of cybersecurity in SMEs around the world, the top three types of cyberattacks experienced by SMEs are web-based attacks (49 per cent), phishing (43 per cent), and general malware (35 per cent).

These attacks are also the most common in large enterprises, Mr Eilat said.

The study surveyed 598 individuals in companies with a headcount from less than 100 to 1,000.

In addition, these companies spent an average of US$879,582 because of damage or theft of IT assets from cyberattacks. Disruptions to normal operations cost them an average of US$955,429.

Mr Eilat recommends four ways companies can raise awareness on cybersecurity: updating software as soon as possible, training employees to spot signs of phishing, keeping abreast of the latest cybersecurity threats, and using existing cybersecurity resources such as courses and handbooks for tips.

"While extremely beneficial, orchestrating large-scale, company-wide cybersecurity drills may be too difficult and expensive for SMEs. What (employers can do) is to keep employees updated on what can cause a breach and what to do when a breach happens," he said.

This is where organising educational sharing sessions can help to identify poor cybersecurity habits, and highlight the repercussions of such habits.

"It is not a matter of 'if', but 'when' your business will be attacked. Protecting your business from cyberattacks can start from the basics," he added.