In less than a year, Indian businesses have seen a spate of ransomware attacks—WannaCry, GoldenEye, Petya and the latest, Locky. Ransomware is a malware that hijacks computers, encrypts important files, denies access to them, and then asks the victim to pay ransoms to have the files decrypted. Though very few businesses disclose cyber attacks due to fear of loss of reputation, experts believe Indian businesses have been hit hard by ransomeware since they are ill-prepared to ward of cyber threats. India was the third worst-hit country by WannaCry, according to a Kaspersky Labs report. The number of users attacked by ransomware in India has nearly doubled from 2015-16 to 2016-17, a report says.
If big companies are ill-prepared to face the cyber threat, small and medium enterprises (SMEs) are sitting ducks because most of them are not prepared at all. They have no processes or systems in place nor do they hire dedicated cyber professionals. According to a 2016 study by Kaspersky Lab and B2B International, 42 per cent of respondents from SMEs agreed that cryptomalware was one of the most serious threats they faced.
A survey conducted by cyber security firm ESET in the Asia Pacific region in 2016, found that Indian SMEs have been the most vulnerable to cyber attacks in the past three years.
Shortage of qualified personnel that SMEs can afford to hire, lack of resources to spare for cyber security, business transactions on smartphones and careless employees are some of the main reasons for vulnerability of SMEs. However, the biggest challenge for Indian SMEs is the emerging technology. Fast-evolving cyber security technology leaves SMEs unsure about the solutions that suit them best.
Below are the main challenges that SMEs face in implementation of cyber security solution, according to the ESET report:
The BYOD problem
Bring-Your-Own-Device (BYOD) is so common these days that employees assume it is safe and acceptable to use their own devices to access the network at their own workplace. For 22 per cent SMEs, it’s the biggest challenge. While companies can ensure that their own devices are well-protected, they do not have control over personal devices. Creating awareness among employees is the only solution to this problem.
To remain nimble and agile, SMEs work with multiple third-party vendors and suppliers. These vendors and partners may hold sensitive information about them but may not have the necessary cyber security measures to prevent an attack. 19 per cent of SMEs have identified this risk as a challenge. Small businesses need to consider options such as authentication and network monitoring.
Lack of prioritisation
As SMEs scale and grow, cyber security may not remain the top priority since more pressing requirements emerge with scaling. This challenges becomes even bigger when the same team looking at cyber security is tasked with other growth projects that are considered more important. 24 per cent SMEs see this as a challenge.
The ESET survey finds that funding remains the biggest barrier when it came to cyber security for close to one third of the companies. Smaller SMEs (35 per cent) find it particularly difficult to justify the investment needed especially when such funds can be used for other purposes. The lack of sufficient budget is apparent in developed markets such as Japan (40 per cent), Singapore (34 per cent) and Hong Kong (28 per cent) compared to emerging markets such as India (24 per cent) and Thailand (20 per cent).
Shortage of qualified personnel also ranks highly on the list of challenges in cyber security adoption. 27 per cent of companies believe that there is a lack of experienced professionals in the space that they can hire. This is not surprising considering that cyber security became a major consideration only in the last few years. Demand for cyber security experts currently outstrips the supply of such individuals. Unlike enterprises, SMEs do not necessarily have the funding to outsource the role to a managed service provider.
Another barrier to the adoption or upgrade of cyber security solutions is the constantly changing technological landscape. SMEs are unsure where and when they should invest in a solution as they are afraid that they are not investing in the latest technology. They are also unsure how well the technology suits their organisation. Companies in India face this dilemma the most, with 35% of SMEs in the country citing emerging technology as a barrier to ensure cyber security.
Besides the reasons listed above, the most visible problem with SMEs is ignorance or neglect of basic cyber security processes. SMEs can have enhanced security even if a few simple measures are taken diligently. Kaspersky Lab experts recommend the following precautionary steps for SMEs:
Back up your files
Make regular backup copies of all important files. Companies should have two backups: one in the cloud (for example Dropbox, Google Drive, etc.), and another on an additional server or on removable media if the data volume is not too big.
Choose a good service provider
Trust only well-known and respectful service providers who invest into security. Usually you can find security recommendations on their websites. They publish third-party security audits on cloud infrastructure. Don’t assume cloud provider can’t have security, availability or data leakage problems. Raise a question what do you do if security provider loses your data. There should be transparent data backup and restore processes together with data protection and access control.
Pay for tools
Avoid using only free security and anti-malware software. Small businesses expect the basic security tools offered within free solutions to be sufficient. Free tools do provide basic protection, but they fail to provide multi-layered security support. Instead, take a look at dedicated solutions. They do not require a large financial outlay, but deliver a higher level of protection.
Update systems regularly
Regularly update your OS, browser, antivirus, and other applications. Criminals use vulnerabilities in most popular software to infect user’s devices.
Prevent IT emergencies
Invite an expert to configure security solution for your company. Small businesses usually don’t have an IT department or full-time dedicated administrator. They simply rely on the most tech-savvy person in the office to take care of computers, in addition to his regular duties. Don’t wait until something breaks. Use IT support from an IT service provider to review your software and security configuration in advance.
Source: The Economic Times