A recent survey of Small and Medium Businesses (SMBs) across the Asia Pacific region provided quantified insight into the cybersecurity challenges faced by SMBs. Highlights of the study include:

• Malware attacks were the most common (85%) followed by phishing (70%)
• 29% of SMBs believe that downtime of more than one day would result in closure
• 74% of SMBs in India have experienced a cybersecurity incident in the last 12 months
  • 36% reported that their cybersecurity solutions were inadequate to detect and prevent an attack
• 62% of Indian SMBs that were attacked suffered a financial impact of $500,000 or more from cyber incidents over the last 12 months while 13% reported a financial impact of $1 million or more

The takeaways from this Cisco survey are clear and alarming: SMBs, including SMBs in India, are facing a significant escalation in cyberthreats and the consequences of a successful cyberattack are very severe, and could lead to cessation of operations.

Why are SMBs the Target of Cyberattacks?

Cyberattacks against large enterprises may make headlines, but Small and Medium Businesses are also considered attractive targets by cyberattackers for several reasons:

• Personally Identifiable Information (PII) has the same value (per record) on the dark web irrespective of whether it is sourced from an SMB or a large enterprise. Therefore cyberattackers will attempt to steal PII from SMBs if presented with an opportunity
• Ransomware operators depend on the encrypted data having value to the organisation that is being attacked; value of the data to others is not of primary importance to threat actors, which makes SMBs a viable target for ransomware even if the targeted business does not generate Intellectual Property (IP) or store PII
• SMBs are perceived as having less protection than large organisations and are considered easier to attack by threat actors

Small and Medium Businesses face the same risk of cyberattack as a large enterprise and, therefore, require enterprise-grade cybersecurity to protect them from attacks that could result in bankruptcy.

How SMBs Can Gain Enterprise Grade Cybersecurity

Before we discuss how SMBs can gain enterprise grade cybersecurity, let us first understand what enterprise grade cybersecurity looks like. Merely having technology measures in place, without following cybersecurity best practices, will not be sufficient to protect the organisation. Enterprise grade cybersecurity, at an organisational level, requires robust technology solutions backed up by policies and procedures that prioritise cybersecurity. These include:

• Creating a Cybersecurity Policy – Every organisation, large or small, requires a cybersecurity policy to define roles, responsibilities, and appropriate use of organisational IT resources. Such a policy should also lay down penalties for non-compliance to ensure that the policy is actually followed in day-to-day operations. This Cybersecurity Framework Policy Template Guide can be used to develop your organisation’s cybersecurity policy
• Developing a Cybersecurity Culture – Cybersecurity should not be a layer added as an afterthought, but built into all the processes in your organisation. This requires developing a culture of cybersecurity in your organisation that covers Hiring, Training, Procurement, Scrappage, Design, and Partnerships. We discuss how such a culture can be created here
• Deploying Endpoint Security – Inadequate, or absent, cybersecurity makes organisations highly vulnerable to cyberattacks. Deploying endpoint security like K7 Endpoint Security will secure the computing devices in your organisation and enable centralised cybersecurity management across the organisation. The survey mentioned at the beginning of this blog revealed that many Indian SMBs reported that their cybersecurity solutions provided inadequate protection; always verify the track record of the endpoint security solution by checking the ratings provided by international testing agencies like AV-Comparatives, AV-TEST and Virus Bulletin. It is critical to ensure that all devices that connect to the enterprise network are protected by endpoint security as even a single unsecured device can be used by a threat actor to launch an attack
• Deploying Network Security – Network-based attacks against the organisation can be prevented by deploying gateway security devices like K7 Unified Threat Management appliances that include Denial of Service (DoS) protection and gateway-level anti-malware to stop cyberthreats at the perimeter of the enterprise network
• Applying Patches Immediately – Security updates are provided by the OEM once vulnerabilities are discovered. These patches should be installed immediately as unpatched devices are easy targets for threat actors. Such updates are available for both hardware and software. Hardware, in this context, includes all networking equipment and networked devices such as routers and printers. Firmware updates for such devices should also be applied immediately
• Providing Training – In addition to attacking endpoints and networks, threat actors also attack end users by employing social engineering and the best defence against such tactics is a well informed employee. Training is a part of creating a cybersecurity culture but needs to be emphasised as technology-based cybersecurity solutions provide limited protection against social engineering which may not involve malicious code or links and may even attack employees through their personal devices or on social media

K7 Security’s enterprise cybersecurity solutions provide award-winning protection for businesses against a wide variety of cyberthreats including viruses, phishing, ransomware, and zero-day attacks, and scale to accommodate any size of business operations. Contact us for more information on how we protect Small and Medium Businesses against cyberattacks.