Tight budgets no barrier for SMEs’ cybersecurity — expert













By Miguel Hanz L. Antivola

SMALL- and medium-sized enterprises (SMEs) are attractive targets for cybercriminals due to their potentially limited security measures, according to an expert.

A cyberattack can be disastrous for enterprises, often leading to not only monetary losses but also reputational damage that can erode customer trust, Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky, said in an interview with BusinessWorld on the sidelines of the company’s Asia-Pacific Cyber Security Weekend in Bali, Indonesia last week.

“Having that security stance ahead of time is important,” Mr. Tiong said of prioritizing cybersecurity in response to the increasing number of data breaches.

The Philippines ranked fourth globally in the number of cyberattacks and was the second most attacked country by web threats worldwide last year, data from Kaspersky and the Department of Information and Communications Technology showed.

Kaspersky reported that SMEs in the Philippines saw 658,874 web attacks in the first half of 2022 alone, with 17,786 detections of Trojan-PSW (Password Stealing Ware) attempting to infiltrate corporate networks and steal sensitive information.

Mr. Tiong noted that small business owners must invest in their people and technology as their first key steps to protecting their enterprise. “Your devices and central resources are protected, and you encrypt the channel going in — that is when your company is fully protected.”

“A simple firewall was enough before, but now on top of that, you need to have a VPN (virtual private network),” Mr. Tiong said, noting that the perimeter of a business network’s wireless connections is getting more difficult to defend.

Devices such as personal computers, laptops, and even mobile phones brought into the workplace must each have an encrypted channel to prevent open invitations for hackers, he noted. “The very virtue that [employees] bring a compromised device into the company’s environment, the company is affected as well.”

Although investment in software is more manageable than that in hardware, Mr. Tiong noted the need for expertise to handle threats and attacks when they actually occur in the business.

“If there’s an alert or warning, you should know how to respond to it,” he said. “We have seen a lot of SMEs who cannot handle and come to a point in time when they seek expertise.”

Mr. Tiong said that a lot of SMEs work with a close system integrator or IT provider, but some also outsource and pay a fixed sum to a dedicated provider who can monitor and respond to their security. “It makes sense to get someone to handle everything for them.”

However, investment in employee awareness is a key aspect of cybersecurity solutions, as criminals are targeting anyone with a device, according to Mr. Tiong.

Kaspersky has said that it currently receives an average of 400,000 new unique malicious samples every day, up from one new virus every second in 2011 and one every minute in 2006.

With limited resources, Kaspersky recommends that SMEs create a cybersecurity handbook, grant employees minimum access rights, use a secure password manager, and install antivirus software on corporate devices.

“Small business owners may think their companies are too insignificant to become a target for cybercriminals. There is a certain logic in that because attackers usually look for maximum profit with minimum effort,” Mr. Tiong said.

“This sector is part of a bigger chain and like dominoes, if a single password stealer can enter a small enterprise’s systems, consider the entire chain compromised,” he added.

“As they grow up in their journey, there would be more investment you put in central resources to protect the company and monitor suspicious activity in real time.”

“It still remains the same. It’s a catch up game. Stay aware and ahead of it.”

TYPES OF CYBERATTACKS

Mr. Tiong noted that phishing, ransomware, cryptojacking, and drive-by download attacks are common threats faced by SMEs, similar to those encountered by large enterprises.

Phishing involves the deceptive process of obtaining a user’s credentials and confidential information. Through the use of social engineering techniques, fraudsters present themselves as legitimate providers or organizations, sometimes resorting to intimidation to coerce recipients into revealing personal data.

Ransomware has taken a new form with the emergence of ransomware-as-a-service (RaaS), wherein criminal groups rent out the program to encrypt or block access to data and then demand ransom from the victim, as explained by Mr. Tiong.

According to Kaspersky’s report, from 2015 to 2022, 58% of malware families offered as a service are ransomware. Notable families include Conti, REvil, LockBit, Cl0p, and DarkSide.

Moreover, cryptojacking uses phishing or malware to gain hidden unauthorized access to a user’s cryptowallet. “It compromises your devices and hijacks its bandwidth to do cryptomining,” Mr. Tiong said.

In 2022, Kaspersky research found cryptojacking accounted for over 5% of attacks on internet-connected computers. In the same year, Kaspersky software detected nearly 30 million cryptojacking attempts aimed at business systems.

SMEs also contend with drive-by download attacks, which involve unintentionally downloading malicious programs onto a user’s device. These attacks typically occur on seemingly safe websites and exploit security vulnerabilities within a system. A common tactic involves inserting a flash drive loaded with malware into the company’s PC, according to Mr. Tiong.

“Employees need to be aware of these, in company or personal devices,” he said. “The two key steps a company needs to do are invest in its people and invest in the technology.”

Neil Banzuelo

