Cybersecurity For SMEs In A Post-Covid Era – Technology | #cybersecurity | #cyberattack


CYBERSECURITY FOR SMES IN A POST-COVID ERA

In a post-Covid era, cyber-attacks have today become the fastest
growing crime on a global scale with 50 percent of such attacks
targeting Small and Medium Enterprises (SMEs) that do not have
sufficient cybersecurity measures. This whitepaper, by dmg events,
explores current trends, challenges and solutions for SMEs to avoid
such attacks in a post-pandemic age.

INTRODUCTION

As the cyber space continues to evolve from the weaponisation of
software to its commercialisation and, today, the industrialisation
of malicious operations and software, nation states are
increasingly seeing the value in investing in technology to protect
their countries, societies and companies. From start-ups to
long-term Small and Medium Enterprises (SMEs), security is rarely
on the agenda early or often enough. However, cybersecurity experts
believe the rash of ransomware tearing through SMEs is changing
that. What was formerly the privilege of only the largest
enterprises is now the minimum bar for all companies. “The
demand and the pressure for innovation is to bring that world-class
maturity in security to all, without breaking the bank or
disrupting services and innovation,” said Sam Curry, Chief
Security Officer at Cybereason.

The Covid-19 pandemic has demonstrated the importance of the
Internet and computers for SMEs to maintain and grow their
business. It has led to the adoption of cloud services, upgrading
internet services, and potentially enabling staff to work remotely
or to work with freelancers through multiple platforms. Over the
past 18 months, the health crisis has led to an increase in
malicious emails, phishing attacks, scams and malware. Criminals
are also targeting SMEs as they are aware that many now have staff
working remotely without adequate cybersecurity defences in place.
As SMEs process a large variety of personal information, namely if
they possess an online marketplace, they must be aware of privacy
laws and regulations when dealing with personal identifiable
information (PII). As a result, cybersecurity has become a valid
concern for such businesses. If PII is stolen or lost, SMEs could
face serious legal and potential financial repercussions. “The
majority of SMEs use some basic security controls, such as endpoint
antivirus protection, backups, firewalls and perform systematic
software updates,” said Dean Mikkelsen, Cybersecurity
Consultant at UAE-based Hannibal Global Insight. “At the same
time, fewer SMEs perform security awareness trainings of staff and
utilise logging and alerting systems.”

Cybercriminals are taking advantage of the current unprecedented
pandemic crisis to mount increasingly sophisticated, massive, and
frequent cyber-attacks. As organisations move to remote working,
the likelihood of cybersecurity incidents is increasing due to
insecure technical infrastructure, insufficient data security
practices, and a lack of cybersecurity awareness. Education,
retail, healthcare, and financial sectors are today emerging as
lucrative and soft targets of cybercriminals because their data and
ICT infrastructure is vital for day-to-day operations.

In response to the pandemic, many SMEs have shifted to have
adopted cloud-based tools and platforms to ensure effective
collaboration among staff, seamless communication with customers,
and supply chain resilience. “SMEs had to invest in their
internet facilities and websites,” said Dr Ryad Soobhany,
Assistant Professor, PG Project Director and Digital Forensics
Course Leader at the School of Mathematical and Computer Sciences
at Heriot-Watt University Dubai. “As with other industries,
SMEs have struggled to keep up their cybersecurity tools and
policies with the rate of digital infrastructure adoption. The lack
of security measures has resulted in SMEs falling victim to an
increased number of cyber-attacks.” Indeed, a sharp increase
in the volume of phishing attacks and ransomware on SMEs has been
recorded since the onset of the pandemic. Attackers are also using
social engineering to bait staff into giving up sensitive
information online.

Until the dust settles, the post-Covid era is expected to be
characterised by financial and operational pressures, while being
marked by heightened cyber threats. Organisations – irrespective of
size, industry, and financial prowess – are today re-evaluating
their cybersecurity and budget priorities. A sense of collective
urgency and a move towards new models that feature perimeter
security, increased automation, next-generation identity, access
controls and integrated security have now emerged. But most
importantly, experts spoke of the current culture of cyber
resilience, wherein SMEs are bridging the gaps, CISOs are enhancing
their awareness, and policymakers are echoing cybersecurity
concerns in political hallways. Soon enough, these trends are
forecast to translate to multiple market-driven developments and
regulations.

CYBERSECURITY TRENDS AND CHALLENGES FACING SMES

With the development of the nature and quantity of cyber-attacks
and the new remote working model adopted actively by many firms in
the UAE, many new cyber trends are emerging. The most important
trend that experts have mentioned is the increased attention given
to personal data, risks associated with remote working and the need
to budget and cater for efficient and appropriate cyber security
tools.

Analysis of the most common cyber risks in the past years has
revealed that the size and impact of these risks is not constant
and frequently changes. In a country such as the United Arab
Emirates (UAE), account compromise was the leading method of
cyber-attacks in 2019, impacting 28 percent of companies surveyed,
followed by credential phishing at 20 percent and insider threats
at 17 percent. Cyber-attacks can have far-reaching and devastating
financial and reputational impact for businesses. The research also
found that financial loss was an outcome, at 29 percent, and data
breaches – at 28 percent – were the largest consequences for UAE
organisations in 2019, followed by a decreased customer base, at 23
percent. “SMEs are mainly dealing with the need to update
their cyber security plans with the purpose of addressing their
cyber risks and ensuring that their cyber security plan and tools
are adequate and efficient to address such risks,” said Rima
Mrad, Partner at BSA Ahmad Bin Hezeem and Associates. “This is
an area that is being treated with exceptional importance and we
can see that senior managements of various SMEs are dealing with
their cyber risks as an essential component of their overall
business risks.”

She spoke of the main challenge for SMEs as budgeting for cyber
security measures, having the appropriate resources and tools to
deal with cyber incidents, as well as handling the operational and
reputational damages associated with cyber incidents. Increasingly,
SMEs have become the new top target for cyber criminals as they
lack skills and resources to manage their cybersecurity operations.
The most significant cybersecurity challenges facing SMEs today,
according to Dr Muhammad Khurram Khan, Professor of Cybersecurity
at the King Saud University in Saudi Arabia, and Founder and CEO of
the Global Foundation for Cyber Studies and Research in Washington
D.C., include ransomware attacks, social engineering risks, supply
chain vulnerabilities, and identity theft and impersonation. On the
other end, employees often use their own personal devices for work,
which increases the risk of sensitive information falling into an
insecure environment. “While organisations are facing
increasing cyber risks, the costs for data breaches have also risen
from US$3.86 million to US$4.24 million, the highest total average
costs ever,” he noted.

Low cybersecurity awareness of the personnel, inadequate
protection of critical and sensitive information, a lack of budget,
ICT cybersecurity specialists, and suitable cybersecurity
guidelines specific to SMEs, were some of the other obstacles
mentioned by experts in the field. “These are not good trends
considering how often cyber-attacks occur,” Mikkelsen
explained. “Governments have looked at large organisations
with their rules and regulations, but often, SMEs are not
considered. Many of the new laws can become burdensome on SMEs and
many do not feel they have the manpower or resources to maintain
some type of cybersecurity front to protect them from
attacks.”

He spoke of many SMEs as believing that they will not be hit by
a cyber-attack as they are “a small fish in a sea of larger
corporations and organisations”. However, phishing attacks can
occur and strike any company, no matter the size, including SMEs.
With the move to the cloud, many SMEs have engaged with the cloud
under a subscription model, but due to their size, many often do
not qualify for special offers and have to deal with fixed
cybersecurity SLA contract clauses and are hence unable to reach
the SLA flexibility dedicated to large organisations. For
Mikkelsen, this is evident with cloud providers worldwide,
including in the UAE and the Gulf countries, which can lead SMEs to
contract with smaller cybersecurity firms to maintain the security
of their systems, whether outsourced penetration testing, or
testing of phishing emails, among others. “The UAE has
developed an attractive environment for SMEs to grow within the
local ICT ecosystem and to develop small cybersecurity companies
that can serve the region,” he added. “They do not all
have to aim to be the next Unicorn to survive and present options
to businesses developed locally or internationally.”

Following a widespread pivot to remote working, few of the
challenges spurred up are the risk of being unprepared,
complications due to disconnected cybersecurity controls and
solutions, the ability to revoke access and secure business data
when an employee leaves the organisation, and the threat of data
sharing intentionally or theft by a hacker. As SMEs often have less
stringent technological defences, less awareness of threats and
less time and resource to put into cybersecurity, they have become
an easier target for hackers than larger organisations. As a
result, the rate and tactfulness of cyber-attacks have increased
significantly. Since SMEs are largely operating remotely, they are
at the receiving end of these attacks, especially phishing.
According to research by Deloitte on the “Impact of Covid-19
on Cybersecurity”, 47 percent of individuals fall for phishing
scams while working from home. Increased use of video conferencing
tools, which are not fit-for-purpose for routine operations, has
also opened a new target avenue for hackers. Malware attacks,
ransomware, weak passwords and insider threat are other security
concerns facing businesses. Additionally, the hacking sphere has
witnessed an influx of new entrants who are specifically targeting
SMEs. “Lacking the experience and necessary tools, these new
entrants hope to capitalise on SMEs’ large attack surfaces and
lack of readiness,” explained S Kumar Subramania, Senior Vice
President at MAST Consulting. “SMEs’
“Bring-Your-Own-Device” (BYOD) approach and lack of
policy-led, tailored guidelines for the SME sector are surely not
helping.”

EMERGING CYBERSECURITY SOLUTIONS FOR SMES

With a lack of alignment between security and business
functions, bridging that divide, building the minimum needed in a
programme, and knowing whom to call and wrapping arms around risk
has become the name of the game for SMEs today. According to Curry,
small businesses need to find out if they are going to build
security departments or outsource much of them. For him, the
practice is not binary, however, SMEs can pick and choose how much
is internal or external. The first step he mentioned is to get the
right advisors, which do not have to be expensive or arcane, before
ensuring that the risk is seen and managed, incidents are handled
with oversight, and security is not abdicated. “They should
then pick partners, get a strategy, involve the business, prevent
the preventable, and have a detection strategy,” he said.
“Then practice, test and repeat.”

A common misconception is that SMEs are too small to be a
target, but history has proven that this is not the case.
Automation practices deployed in cyber-attacks have made it easier
to target hundreds or thousands of businesses at once. SMEs can
have access to a large amount of customer data, which needs to be
protected under General Data Protection Regulation (GDPR)
obligations. As many of these SMEs are connected or work with large
enterprises, awareness of cybersecurity risks and usage of
comprehensive integrated security tools has become of prime
importance to SMEs. “The most common form of attack is
phishing, which banks on the defendant’s lack of
awareness,” Subramania noted. “So, the first order of
business for SMEs is to raise awareness, upskill every
internet-facing employee, and set robust ‘dos and
don’ts’. The training is followed by investments into
Corporate Owned Personally Enabled (COPE) devices and licensed
antivirus packages for remote-working employees.” He
encouraged the use of multi-factor authentication and VPN, finding
that there is a lack of clarity on the use of VPN in the Middle
East, while almost all nations permit their lawful use.
“Ultimately, we urge SMEs to have a zero-trust approach to
dealing with cyber threats, handling even the slightest anomaly
effectively and timely,” he added.

Investing in the security of the SMEs need not be costly. As
humans are usually considered the weakest link in the security
chain, companies must make their staff more security aware on how
to identify and protect against cybersecurity risks. For Soobhany,
SMEs need to think of security-as-a-service and invest in managed
security service providers that can assist in providing specialised
solutions. These providers can work with the SMEs’ management
and personnel to provide bespoke security for their systems.
“SMEs need to keep anti-virus applications and systems updated
and invest in firewall and encryption facilities,” he said.
“They need to implement security policies that will keep them
on top of security vulnerabilities and manage access
control.”

Other recommendations include putting in place a tailored cyber
security management plan, which covers the protocol that manages
the implementation of the relevant policies and actions to mitigate
and address cyber risk exposure. Such a plan should contain proper
organisational structure, adequate identification of digital assets
owned by the company and how they could be impacted by a cyber
incident, as well as prioritising risks based on the impact on
business assets. A proper count of resources, including people,
processes and tools, and a continuous assessment and risk
monitoring of cyber security plans and policies are also needed to
ensure that they are adequate and updated regularly, particularly
with any changes in the company’s services and products or with
the introduction of new products or services. According to Mrad, a
budget for cyber security is necessary for SMEs, along with an
incident management plan on how to deal with a cyber incident.
“Typically, this should include a data security plan and
crisis management decision tree with a step-by-step as to how the
company should respond to a cyber incident or attack and who is
responsible to do what,” she noted. “Training employees
to understand their cyber risks and be ready to deal with it, and
obtaining appropriate cyber insurance is also vital.”

Ultimately, organisations need to consider cybersecurity as a
top priority, as attacks can have devastating impacts on finances,
operations and reputation. Small businesses must always be
vigilant, follow best practices, and take practical steps to
protect their data and systems. For Khan, these burgeoning risks
are the reasons why companies must educate their employees about
recognising, identifying, and reporting different types of cyber
risks. He mentioned human error as, by far and away, the largest
reason of cybersecurity breaches, thus, business leaders and
employees should be educated, trained, and made aware of
cybersecurity as part of the organisation’s strategic focus.
“This does not mean the use of cybersecurity tools and
technology should be ignored, but they should complement people and
processes to make a resilient and safe environment,” he
added.

IMPORTANCE OF CYBER TOOLS FOR SMES IN A POST-COVID ERA

SMEs handle a variety of information, from personnel records,
customer information and details about production, to procurement
details, financial data, policies, procedures, and others, with
each one of them holding a different value to the organisation, and
laws, regulations or agreements that may mandate their protection.
As a result, lacking a specific backup policy, an updated endpoint
anti-malware solution implemented on all types of devices, or using
obsolete or unpatched software that does not auto update, could
seriously jeopardise SMEs’ critical and sensitive information,
making the organisation an easy target for cyber-attacks, like
ransomware or others. “Today, the largest cyber threat facing
SMEs is being unprepared, which is why cybersecurity adoption has
become a necessity rather than an option,” Khan explained.
“Following through with the right course of action and
implementing smarter and advanced cybersecurity risk management
strategies will enable organisations to successfully negate
modern-day threats.”

In addition, adopting robust security mechanisms, protocols, and
processes will enable businesses to combat contemporary threats
with agility and precision. With the rise of automation and machine
learning capabilities in the Fourth Industrial Revolution (4IR),
attackers are today able to crawl up and down the internet, knock
on doors and open them only having to figure out who they have
compromised after they sink their teeth into a target.
“Unfortunately, the hackers are using automation to help guide
them on which companies are likely to pay a ransom,” Curry
said.

As the COVID-19 pandemic has taught the world the need for
resilience and readiness, such a lesson is particularly true for
cybersecurity. With more than 70 percent of security executives
believing that their budgets will shrink this year, according to
McKinsey research this year, picking the right tools will prove
paramount. With more than 2.57 million phishing attacks detected
across the Middle East in the first quarter of 2021, according to
security company Kaspersky, and a Dubai Future Foundation report
revealing that phishing attacks jumped by 600 percent in the region
post-Covid, experts found that phishing warrants greater attention.
“Under this scenario, the adoption of security orchestration
and automation (SOAR), which can automate threat investigations and
remediations, makes a compelling case,” Subramania explained.
“SMEs must understand that a cyber-attack is not a human-scale
problem anymore. We need better integration between people,
processes, and technologies, and this calls for strategic
investments, despite a low-budget environment.”

Equipping and educating themselves about cyber risks is a
critical component for SMEs going forward as their ability to
survive or handle the damages of serious cyber incidents is
considered quite limited. For Mrad, SMEs are expected to be fully
aware of their cyber risk exposure and understand whether they have
an appetite to deal with such risks and the limits of such an
appetite. Based on such practice, they are recommended to develop
their cyber risk management plans accordingly. In the post-Covid
era, most companies will retain some form of remote working and
augment their online presence that can increase customer base,
which will increase their vulnerability to attacks. As cyberthreats
continue to evolve, SMEs will need to be equipped with the right
security tools that will ensure there is no downtime to their
online presence, which could lead to loss of revenue. “For
instance, if an SME suffers a ransomware attack, they might lose
access or data related to their customers and suppliers,”
Soobhany noted. “They must invest in security tools and
policies that can assist in safeguarding the company and the
staff.”

FORWARD-LOOKING CONCLUSION

As SMEs in the region embrace the opportunity to widen their
customer base with the adoption of digital and cloud-based tools,
they should be mindful that this type of migration comes with
increased cybersecurity risks. The management of SMEs needs to view
the security of their company as primordial and invest in advanced
security tools and policies. As large enterprises are currently
adopting AI-guided security management, cloud-based security
monitoring platforms or the addition of analytics, the protection
of their infrastructure and assets is set to improve. For SMEs, the
cost of these security technologies is becoming more affordable,
which is expected to help them gain commercial advantages in
adopting these digital technologies and prepare them against cyber
threats and attacks.

With the Middle East cybersecurity market expected to grow from
US$15.6 billion in 2020 to US$29.9 billion by 2025, at a Compound
Annual Growth Rate (CAGR) of 13.8 percent, along with the
exponential digital transformation and the evolving use of digital
platforms, IoT, cloud services, web and mobile applications, and 5G
networks, organisations of all sizes may face the threat of
sophisticated, organised and coordinated cyber-attacks. Ransomware,
social engineering, online fraud, privacy violations, and DDoS
attacks are set to continue to be the most significant threats to
regional SMEs and organisations. It is therefore of utmost
importance for regional enterprises to proactively identify
security vulnerabilities of their systems in order to remain secure
and resilient against cyber-attacks. “Hence, it is vital to
build cybersecurity capacities and capabilities to close the skills
gap and overcome gender disparity in the profession to meet the
demand of the market,” Khan explained.

The high rate of technology adoption in the Middle East will
mean that, going forward, cybersecurity will have to keep pace with
it, as experts foresee the market for security training and
upskilling will grow significantly in the next couple of years. On
the other hand, as SMEs reorganise their priorities and
increasingly enter the market seeking third-party service
providers, the industry is expected to witness more vendor
activities. For Subramania, there will be more competition, client
expectations, and optionality in terms of cybersecurity tech – all
leading to improved services and products. “Concurrently,
policymakers will facilitate favourable conditions for SMEs to cope
with cyber threats, as the SME sector is the backbone of the Middle
East’s economy,” he added. “In a way, we liken this
to the Pygmalion Effect, wherein high expectations lead to improved
performances.”

As experts foresee the local cybersecurity marketplace to grow
within the UAE and the Gulf countries, the UAE has put in place
such an ecosystem with its Cybersecurity Strategy, launched in
2019, where it clearly states that it wishes to foster a culture of
entrepreneurship in cybersecurity and enable SMEs to safeguard
themselves against the most common cyber-attacks. The UAE is also
looking to develop the SME marketplace to create or foster new
start-ups in the cybersecurity space, which may take some time, and
many enterprises, even in cybersecurity, are considered
bootstrapped until they can produce revenue that would encourage
greater investment by potential investors within the UAE and the
GCC countries. “It is a common problem worldwide, the funding
of small software companies, as many institutional investors are
risk averse when it comes to investing in very small companies,
even in growing fields where there is a need for cybersecurity and
privacy expertise,” Mikkelsen noted. “When it comes to
developing standards, the UAE is unique in that it wants to aid
SMEs with the development of the ‘essential cybersecurity
standard for SMEs’, what is needed as a minimum and the
potential for continuous training. The UAE wants to create a
one-stop portal for SMEs to enable them to implement the standard
that is developed.”

With cybersecurity expected to be the main and most important
risk addressed under SMEs’ general business risk assessments,
mainly due to the growing number of cyber incidents and the
increased reliance on IT systems, data and technology in the way
SMEs operate, experts also foresee more regulations and laws will
be passed in the region to address the regulatory aspects of cyber
incidents and cybersecurity issues. These include more restrictive
data protection regulations and advanced obligations on senior
management in having an active role in addressing cyber risks
within their organisations. “Cyber compliance requirements
will also increase, including the checks and balances that
companies will be required to do, and the adequate minimum measures
expected to be adopted to address their relevant cyber risks,”
Mrad said.

Overall, experts believe some SMEs will be lucky for quite a
while, while others will either adapt or face existential failure.
“Now is the time to contact that cyber friend, to spend a
small amount of money and time to get a crawl-walk-run strategy in
place that is affordable,” Curry concluded.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.



Original Source link

Leave a Reply

Your email address will not be published. Required fields are marked *

seventy seven − 73 =