Micro, small and medium enterprises are victims of more than 40% of cyberattacks today, and the number is rising. Yet for most MSMEs, cybersecurity is an unexplored terrain with under 10% of them working on cybersecurity. MSMEs believe that they are too small to warrant the attention of cyber miscreants. Hackers, on the other hand, are finding it tougher and tougher to attack larger companies due to the cyber fortresses they are building up. Thus, they are increasingly turning their attention to MSMEs.
The most common cyber threats that MSMEs face are critical data leaks, unacceptable digital interface controls, Trojan horse attacks, duplicate payments, phishing, malware, ransomware, and denial of service. These can result in huge financial losses, business continuity disruptions, data losses, and so on. The ultimate result is bankruptcy and business closure. MSMEs must build a solid, yet cost-effective cybersecurity strategy. This may seem daunting at first. But three key principles will make the journey much easier — Start simple; Define goals; Build a short-, mid-, and long-term roadmap.
A cybersecurity framework for MSMEs
Protection: Appropriate safeguards to ensure protection of all systems, networks, and infrastructure. Consider using the COSO framework. Implement a monthly audit of all systems, networks, and infrastructure. User access must be restricted and documented, so that breaches can be contained and detected more easily.
Detection: Strong monitoring and detection capabilities to ensure events are identified in real time. Studies indicate breaches go undetected for weeks at a time, and by then the damage is beyond repair. Implementing the right systems can auto-detect suspicious activities before they spread.
Response and Recovery: An agile response and recovery (R&R) system is very important, especially in today’s remote employee workforce model. Delays in response and recovery could have a detrimental impact on MSMEs. A research study showed that 60% of small businesses shut down within six months of a cyberattack. A clear response plan, with well-defined processes, clear roles and responsibilities, and an adequate communication plan are critical to R&R.
Compliance: This area has become very important, especially as more and more processes move fully online. For instance, the EU’s General Data Protection Regulation (GDPR) has several compliance requirements for data storage, breaches, and response plans. Staying compliant is not only mandatory but will also make your business stronger and less susceptible to threats. Digitising all compliance with laws, regulations, and protocols is key.
Build employee awareness: Unaware employees are highly vulnerable to threats such as phishing and social engineering. Creating a well-informed cybersecurity culture is important. Even simple strategies, such as following good password hygiene and making regular password changes a habit, will make a big difference.
In addition to the above, MSMEs should consider the following 10 points, which may help in developing a cybersecurity plan for your SMB:
- Build a baseline of all business-critical assets, information, data, and reports to identify your digital assets.
- Include your extended network of vendors, partners, customers, etc. in the above. All API traffic must be encrypted.
- Prioritise external-facing online systems e.g., eCommerce websites, vendor portals, etc. if applicable. Ensure that you install protective software.
- Ensure all digital devices (laptops, phones, and other devices) are in scope, especially given that many of us are working from home today.
- Conduct a detailed audit/assessment to identify potential gaps and understand levels of severity.
- Build a plan to address the gaps; use planning services/tools, like threat modelling to help you plan better.
- Do not be constrained by lack of in-house expertise – work with partners who are experts in this space and can provide a complete range of security solutions.
- Managed services are a great way for SMBs to resolve the skill gap issue. They are cost-effective with better, tried-and-tested solutions.
- Continuous monitoring and regular testing of the cybersecurity setup is important, very much like testing your home security system.
- Execution of the plan is key. But remember this is not a one-time deal – the strategy and plan for cybersecurity need continual evolution and should be a key agenda item in the business planning process.
If the above still feels intimidating, as a starting point, below are some simple things SMBs can do right away to improve their cybersecurity defence:
- Password management: Refresh passwords every 30 days, prevent password sharing in emails and texts, and introduce 2-factor authentication.
- Lock your servers. Lock screens of desktops and laptops when away from them.
- Separate your networks: Guest WiFi Network ≠ Company WiFi ≠ Database Server Network.
- Use only authorized app stores.
- Encrypt all emails with sensitive data.
For many of us, the first exposure to anything cyber was the early Terminator movies. Cyberdyne and Skynet became the topics of umpteen discussions. Most of these movies followed a similar plot – the future is ugly and can’t be fixed. So, people are sent back in time to address it in the present (or their past), thus changing the future and making it better. And Schwarzenegger saves the day.
Given that time travel isn’t possible, at least not yet, none of us will have the ability to go back in time and fix things. The good news is that there are things today that can help SMBs prevent an ugly future, especially when it comes to cyber safety.
Cybersecurity is not as expensive as it once was. Neither is it as intimidating as it was. It is easy to get started. Get an audit done and understand where you stand and what options you have to begin with. SMBs should make this a priority before it is too late.
(Vijaya Rao is CEO, techvio.com. Ram Kapadia is a thought leader and entrepreneur based in Mumbai.)