The common perception is that large corporations are more susceptible to cyber-attacks, but SMEs are the most vulnerable targets.

As remote working becomes the norm worldwide, and organizations relook their procedures to include an element of off-site work in the post-pandemic years, securing the workforce has become paramount.

For SMEs, which account for 44% of cyber-attacks worldwide, these attacks are often more difficult to recover from, and can spell the end for many business owners. While SMEs may recognize the need to incorporate cyber-defenses into their systems, many often face critical hurdles to do so – spelling a vicious cycle of inadequate protection and dire business consequences.

Aside from the livelihoods of individual employees and business owners, SMEs play an integral role in contributing to the economic robustness of countries – and thus, it is paramount that they are protected and prepared for any imminent cyber-attacks.

Bearing in mind the constraints that SMEs are faced with, how can they safeguard their data and rethink their approach to cybersecurity? CybersecAsia had the opportunity to discuss SME cybersecurity challenges with Ms. Camellia Chan, Founder & CEO of Flexxon Pte Ltd.

What, in your opinion, are the top three cybersecurity hurdles SMEs face?

Chan: SMEs generally face three common hurdles to establishing robust cybersecurity systems, which I refer to as “ACT”:

1. Awareness – The cybersecurity world is a very specialized and fast-evolving landscape – even for experts. For SMEs, cybersecurity is not something that directly impacts their day-to-day business, performance, or growth. Because of this, many often lack awareness and understanding, or may take the risks of cyber-attacks lightly. Without the technical capabilities, expertise, and training to address such threats, many SMEs find themselves ill-equipped to implement the necessary steps to protect their data.
   
2. Cost – Given the current paradigm of software and signature-based protection, building and maintaining a robust cybersecurity infrastructure is a costly undertaking. In addition, there is a need to continually maintain, update, and strengthen this infrastructure over time to address new threats, which means more funds and resources need to be allocated on an ongoing basis. Many SMEs, which are already facing tighter cash flows and fewer resources than multi-national corporations (MNCs), may not have such funds set aside to strengthen their cybersecurity safeguards.
   
3. Talent – Even as SMEs accelerate their digitization efforts to contend with today’s competitive economic climate, they may find it difficult to make the necessary security investments – whether it’s through building an in-house team of specialists or enlisting a costly third-party vendor for support. Without a ready pool of talents, it is difficult for SME owners themselves to plan, set up, and maintain the right cybersecurity infrastructure to protect against both known and unknown threats, now and into the future.

What exacerbated these challenges, and what is the potential short- and long-term business impact?

Chan: Even if SME owners recognize the need to strengthen their cybersecurity setups, many are often constrained by the challenges of Awareness, Cost, and Talent. As such, many often prioritize business productivity and revenue gains instead, leaving investments in cybersecurity on the backburner. Consequently, they often find themselves in a Catch-22 situation, caught in a vicious cycle of inadequate protection and dire business impacts. In 2020 alone, over 40% of cyber-attacks worldwide were made against SMEs.

In the short-term, business impacts can range from data loss, to business disruptions. As far back as 2017, a study by Osterman Research found that one in three SMEs in Singapore were hit by ransomware attacks and 61% of these SMEs suffered downtime of more than nine hours – the equivalent of one full working day. And although 73% of those surveyed “put a high or very high priority on addressing the ransomware problem”, “only one in 10 were confident of stopping ransomware attacks”. Over the years, the threat and volume of cyber-attacks has only risen exponentially, and recognizing this danger is key for SMEs to survive and thrive. Beyond these short-term consequences are longer term effects that can even lead to business failure in quite a few key areas. Based on the same 2017 study by Osterman Research, nearly one-fifth of affected SMEs had to shut down their business operations because of ransomware attacks. In a more recent study by Cybereason, it uncovered the following:

1. Loss of revenue: 66% of organizations reported significant loss of revenue following a ransomware attack
2. Employee layoffs: 29% reported being forced to lay off employees due to financial pressures following a ransomware attack
3. Business closures:  26% of organizations reported that a ransomware attack forced the business to close operations entirely for some period of time

These vulnerabilities will continue to worsen in the foreseeable future, as remote working becomes the norm among various businesses including SMEs. With a growing remote workforce that is logging in from home or from public spaces with Wi-Fi access, employers bear the brunt when cyber-criminals exploit these unsecured loopholes that widen the attack surface and increase both short-term and long-term business risks.

What strategies and solutions can SMEs adopt to address these challenges?

Chan: As Dr. Vivian Balakrishnan, Singapore’s Foreign Minister (who was also the Minister-in-Charge of the Smart Nation Initiative then) shared at an event in April 2021: “Today, if you are still dependent on signature-based detection like your standard anti-virus software, you’re almost not protected at all.”

To protect your business from any form of cyber-attacks, your cybersecurity infrastructure must operate at 100% efficiency at all times. Akin to defending physical borders with sentries and guards, your defense against your enterprise’s digital borders must be able to recognize and defend against every threat that comes your way. However, it only takes one successful incursion to wreak havoc on the entire system.

However, many cybersecurity solutions employed in the current market, such as anti-virus software, still need to be able to identify and recognize the threats before they act. To do this, they must rely on constant updates to identify the latest threats, and failure to do so could invite unknown actors to exploit the system’s vulnerabilities and cause irreparable damage. At the rate new viruses and cybercrime methods are emerging, this is a never-ending race in which current software and signature-based protection just cannot keep pace with.

For SMEs looking to strengthen their cybersecurity stance, a plethora of resources and support for SMEs to adopt cybersecurity solutions and best practices to safeguard their critical data and business operations are available. For instance, SMEs in Singapore can approach agencies like the Cyber Security Agency of Singapore (CSA) to learn of the latest offerings in this area that can help address their cybersecurity needs in a meaningful and sustainable way.

What steps should they take to clear these roadblocks to implementing a robust cyber-defense, using Singapore as an example?

Chan: For SME owners based in Singapore, the first step is to approach local trusted cybersecurity agencies, like CSA, for advice in strengthening your business’ cyber-defense posture. With their guidance and recommendations, business owners can have a cybersecurity audit done to identify any existing problem areas in their infrastructure. This ties back to helping business owners build greater understanding and awareness of their current architecture, as well as the growing relevance and importance of cybersecurity in today’s digitally connected world.  

Next, business owners can approach Infocomm Media Development Authority (IMDA) to seek out readily available solutions and their eligibility for government grants to help defray the costs of building their cybersecurity infrastructure. This can be helpful in alleviating the financial constraints that SMEs are often faced with.

Finally, business owners may also consider tapping on initiatives and programs designed to grow and nurture their tech talent pool. For instance, SMEs can explore and tap on Enterprise Singapore’s Capability Development Grants for Human Capital Development to help nurture and retain the right in-house talent to build and maintain their cybersecurity infrastructure.

For SMEs outside of Singapore, you can look for similar government agencies in your own country to see how they can help you address these three hurdles of Awareness, Cost, and Talent,as you look to protect your business data and operations from cyber-attacks.

SMEs need to ACT upon crossing these obstacles, so that they can have greater clarity on how to protect their business against cybersecurity challenges in an effective and sustainable manner, and focus on their true business objectives with a greater peace of mind.