CYBERSECURITY FOR SMES IN A POST-COVID ERA
In a post-Covid era, cyber-attacks have become the fastest-growing crime on a global scale, with 50 percent of such attacks targeting Small and Medium Enterprises (SMEs) that do not have sufficient cybersecurity measures. This whitepaper, by dmg events, explores current trends, challenges and solutions for SMEs to avoid such attacks in a post-pandemic age.
As cyberspace continues to evolve from the weaponisation of software to its commercialisation and, today, the industrialisation of malicious operations and software, nation states are increasingly seeing the value in investing in technology to protect their countries, societies and companies. From start-ups to long-standing Small and Medium Enterprises (SMEs), security is rarely on the agenda early or often enough. However, cybersecurity experts believe the rash of ransomware tearing through SMEs is changing that. What was formerly the privilege of only the largest enterprises is now the minimum bar for all companies. "The demand and the pressure for innovation is to bring that world-class maturity in security to all, without breaking the bank or disrupting services and innovation," said Sam Curry, Chief Security Officer at Cybereason.
The Covid-19 pandemic has demonstrated the importance of the Internet and computers for SMEs to maintain and grow their business. It has led to the adoption of cloud services, the upgrading of internet services, and the enabling of staff to work remotely or to work with freelancers through multiple platforms. Over the past 18 months, the health crisis has led to an increase in malicious emails, phishing attacks, scams and malware. Criminals are also targeting SMEs because they are aware that many now have staff working remotely without adequate cybersecurity defences in place. As SMEs process a large variety of personal information, particularly if they operate an online marketplace, they must be aware of privacy laws and regulations when dealing with personally identifiable information (PII). As a result, cybersecurity has become a valid concern for such businesses. If PII is stolen or lost, SMEs could face serious legal and potential financial repercussions. "The majority of SMEs use some basic security controls, such as endpoint antivirus protection, backups, firewalls and perform systematic software updates," said Dean Mikkelsen, Cybersecurity Consultant at UAE-based Hannibal Global Insight. "At the same time, fewer SMEs perform security awareness training of staff and utilise logging and alerting systems."
Cybercriminals are taking advantage of the current unprecedented pandemic crisis to mount increasingly sophisticated, massive, and frequent cyber-attacks. As organisations move to remote working, the likelihood of cybersecurity incidents is increasing due to insecure technical infrastructure, insufficient data security practices, and a lack of cybersecurity awareness. The education, retail, healthcare, and financial sectors are today emerging as lucrative and soft targets for cybercriminals because their data and ICT infrastructure are vital for day-to-day operations.
In response to the pandemic, many SMEs have adopted cloud-based tools and platforms to ensure effective collaboration among staff, seamless communication with customers, and supply chain resilience. "SMEs had to invest in their internet facilities and websites," said Dr Ryad Soobhany, Assistant Professor, PG Project Director and Digital Forensics Course Leader at the School of Mathematical and Computer Sciences at Heriot-Watt University Dubai. "As with other industries, SMEs have struggled to keep up their cybersecurity tools and policies with the rate of digital infrastructure adoption. The lack of security measures has resulted in SMEs falling victim to an increased number of cyber-attacks." Indeed, a sharp increase in the volume of phishing attacks and ransomware on SMEs has been recorded since the onset of the pandemic. Attackers are also using social engineering to bait staff into giving up sensitive information online.
Until the dust settles, the post-Covid era is expected to be characterised by financial and operational pressures and marked by heightened cyber threats. Organisations - irrespective of size, industry, and financial prowess - are today re-evaluating their cybersecurity and budget priorities. A sense of collective urgency and a move towards new models that feature perimeter security, increased automation, next-generation identity, access controls and integrated security have now emerged. Most importantly, experts spoke of a current culture of cyber resilience, in which SMEs are bridging the gaps, CISOs are enhancing their awareness, and policymakers are echoing cybersecurity concerns in political hallways. Soon enough, these trends are forecast to translate into multiple market-driven developments and regulations.
CYBERSECURITY TRENDS AND CHALLENGES FACING SMES
As the nature and volume of cyber-attacks evolve and many firms in the UAE actively adopt the new remote working model, many new cyber trends are emerging. The most important trends that experts have mentioned are the increased attention given to personal data, the risks associated with remote working, and the need to budget and cater for efficient and appropriate cybersecurity tools.
Analysis of the most common cyber risks in the past years has revealed that the size and impact of these risks are not constant and change frequently. In a country such as the United Arab Emirates (UAE), account compromise was the leading method of cyber-attack in 2019, impacting 28 percent of companies surveyed, followed by credential phishing at 20 percent and insider threats at 17 percent. Cyber-attacks can have far-reaching and devastating financial and reputational impact for businesses. The research also found that financial loss (29 percent) and data breaches (28 percent) were the largest consequences for UAE organisations in 2019, followed by a decreased customer base (23 percent). "SMEs are mainly dealing with the need to update their cyber security plans with the purpose of addressing their cyber risks and ensuring that their cyber security plan and tools are adequate and efficient to address such risks," said Rima Mrad, Partner at BSA Ahmad Bin Hezeem and Associates. "This is an area that is being treated with exceptional importance and we can see that senior managements of various SMEs are dealing with their cyber risks as an essential component of their overall business risks."
She identified the main challenges for SMEs as budgeting for cybersecurity measures, having the appropriate resources and tools to deal with cyber incidents, and handling the operational and reputational damage associated with cyber incidents. Increasingly, SMEs have become the new top target for cyber criminals because they lack the skills and resources to manage their cybersecurity operations. The most significant cybersecurity challenges facing SMEs today, according to Dr Muhammad Khurram Khan, Professor of Cybersecurity at the King Saud University in Saudi Arabia, and Founder and CEO of the Global Foundation for Cyber Studies and Research in Washington D.C., include ransomware attacks, social engineering risks, supply chain vulnerabilities, and identity theft and impersonation. In addition, employees often use their own personal devices for work, which increases the risk of sensitive information ending up in an insecure environment. "While organisations are facing increasing cyber risks, the costs for data breaches have also risen from US$3.86 million to US$4.24 million, the highest total average costs ever," he noted.
Low cybersecurity awareness among personnel, inadequate protection of critical and sensitive information, and a lack of budget, ICT cybersecurity specialists and suitable cybersecurity guidelines specific to SMEs were among the other obstacles mentioned by experts in the field. "These are not good trends considering how often cyber-attacks occur," Mikkelsen explained. "Governments have looked at large organisations with their rules and regulations, but often, SMEs are not considered. Many of the new laws can become burdensome on SMEs and many do not feel they have the manpower or resources to maintain some type of cybersecurity front to protect them from attacks."
He spoke of many SMEs as believing that they will not be hit by a cyber-attack because they are "a small fish in a sea of larger corporations and organisations". However, phishing attacks can strike any company, no matter its size, including SMEs. With the move to the cloud, many SMEs have engaged with the cloud under a subscription model, but due to their size they often do not qualify for special offers, have to accept fixed cybersecurity SLA contract clauses, and are hence unable to obtain the SLA flexibility offered to large organisations. For Mikkelsen, this is evident with cloud providers worldwide, including in the UAE and the Gulf countries, and it can lead SMEs to contract with smaller cybersecurity firms to maintain the security of their systems, whether for outsourced penetration testing, phishing email testing, or other services. "The UAE has developed an attractive environment for SMEs to grow within the local ICT ecosystem and to develop small cybersecurity companies that can serve the region," he added. "They do not all have to aim to be the next Unicorn to survive and present options to businesses developed locally or internationally."
Following a widespread pivot to remote working, some of the challenges that have emerged are the risk of being unprepared, complications due to disconnected cybersecurity controls and solutions, the ability to revoke access and secure business data when an employee leaves the organisation, and the threat of intentional data sharing or theft by a hacker. As SMEs often have less stringent technological defences, less awareness of threats and less time and fewer resources to put into cybersecurity, they have become an easier target for hackers than larger organisations. As a result, the rate and sophistication of cyber-attacks have increased significantly. Since SMEs are largely operating remotely, they are at the receiving end of these attacks, especially phishing. According to research by Deloitte on the "Impact of Covid-19 on Cybersecurity", 47 percent of individuals fall for phishing scams while working from home. Increased use of video conferencing tools, which are not fit-for-purpose for routine operations, has also opened a new target avenue for hackers. Malware attacks, ransomware, weak passwords and insider threats are other security concerns facing businesses. Additionally, the hacking sphere has witnessed an influx of new entrants who are specifically targeting SMEs. "Lacking the experience and necessary tools, these new entrants hope to capitalise on SMEs' large attack surfaces and lack of readiness," explained S Kumar Subramania, Senior Vice President at MAST Consulting. "SMEs' 'Bring-Your-Own-Device' (BYOD) approach and lack of policy-led, tailored guidelines for the SME sector are surely not helping."
EMERGING CYBERSECURITY SOLUTIONS FOR SMES
Given the lack of alignment between security and business functions, bridging that divide, building the minimum needed in a programme, knowing whom to call and wrapping arms around risk has become the name of the game for SMEs today. According to Curry, small businesses need to decide whether they are going to build security departments or outsource much of them. For him, the choice is not binary; SMEs can pick and choose how much is internal or external. The first step he mentioned is to get the right advisors, who do not have to be expensive or arcane, before ensuring that the risk is seen and managed, incidents are handled with oversight, and security is not abdicated. "They should then pick partners, get a strategy, involve the business, prevent the preventable, and have a detection strategy," he said. "Then practice, test and repeat."
A common misconception is that SMEs are too small to be a target, but history has proven that this is not the case. Automation deployed in cyber-attacks has made it easier to target hundreds or thousands of businesses at once. SMEs can have access to a large amount of customer data, which needs to be protected under General Data Protection Regulation (GDPR) obligations. As many of these SMEs are connected to or work with large enterprises, awareness of cybersecurity risks and the use of comprehensive integrated security tools have become of prime importance to SMEs. "The most common form of attack is phishing, which banks on the defendant's lack of awareness," Subramania noted. "So, the first order of business for SMEs is to raise awareness, upskill every internet-facing employee, and set robust 'dos and don'ts'. The training is followed by investments into Corporate Owned Personally Enabled (COPE) devices and licensed antivirus packages for remote-working employees." He encouraged the use of multi-factor authentication and VPNs, finding that there is a lack of clarity on the use of VPNs in the Middle East, while almost all nations permit their lawful use. "Ultimately, we urge SMEs to have a zero-trust approach to dealing with cyber threats, handling even the slightest anomaly effectively and timely," he added.
Investing in the security of SMEs need not be costly. As humans are usually considered the weakest link in the security chain, companies must make their staff more security aware, teaching them how to identify and protect against cybersecurity risks. For Soobhany, SMEs need to think of security-as-a-service and invest in managed security service providers that can assist in providing specialised solutions. These providers can work with the SMEs' management and personnel to provide bespoke security for their systems. "SMEs need to keep anti-virus applications and systems updated and invest in firewall and encryption facilities," he said. "They need to implement security policies that will keep them on top of security vulnerabilities and manage access control."
Other recommendations include putting in place a tailored cybersecurity management plan, which covers the protocol that governs the implementation of the relevant policies and actions to mitigate and address cyber risk exposure. Such a plan should contain a proper organisational structure, adequate identification of the digital assets owned by the company and how they could be impacted by a cyber incident, and a prioritisation of risks based on their impact on business assets. A proper count of resources, including people, processes and tools, and continuous assessment and risk monitoring of cybersecurity plans and policies are also needed to ensure that they are adequate and updated regularly, particularly with any changes in the company's services and products or with the introduction of new products or services. According to Mrad, a budget for cybersecurity is necessary for SMEs, along with an incident management plan on how to deal with a cyber incident. "Typically, this should include a data security plan and crisis management decision tree with a step-by-step as to how the company should respond to a cyber incident or attack and who is responsible to do what," she noted. "Training employees to understand their cyber risks and be ready to deal with them, and obtaining appropriate cyber insurance is also vital."
Ultimately, organisations need to consider cybersecurity a top priority, as attacks can have devastating impacts on finances, operations and reputation. Small businesses must always be vigilant, follow best practices, and take practical steps to protect their data and systems. For Khan, these burgeoning risks are the reason why companies must educate their employees about recognising, identifying, and reporting different types of cyber risks. He described human error as by far the largest cause of cybersecurity breaches; thus, business leaders and employees should be educated, trained, and made aware of cybersecurity as part of the organisation's strategic focus. "This does not mean the use of cybersecurity tools and technology should be ignored, but they should complement people and processes to make a resilient and safe environment," he added.
IMPORTANCE OF CYBER TOOLS FOR SMES IN A POST-COVID ERA
SMEs handle a variety of information, from personnel records, customer information and details about production, to procurement details, financial data, policies, procedures, and others, each of which holds a different value to the organisation and may be subject to laws, regulations or agreements that mandate its protection. As a result, lacking a specific backup policy or an updated endpoint anti-malware solution on all types of devices, or using obsolete or unpatched software that does not auto-update, could seriously jeopardise SMEs' critical and sensitive information, making the organisation an easy target for cyber-attacks such as ransomware. "Today, the largest cyber threat facing SMEs is being unprepared, which is why cybersecurity adoption has become a necessity rather than an option," Khan explained. "Following through with the right course of action and implementing smarter and advanced cybersecurity risk management strategies will enable organisations to successfully negate modern-day threats."
In addition, adopting robust security mechanisms, protocols, and processes will enable businesses to combat contemporary threats with agility and precision. With the rise of automation and machine learning capabilities in the Fourth Industrial Revolution (4IR), attackers are today able to crawl up and down the internet, knock on doors and open them, only having to figure out whom they have compromised after they sink their teeth into a target. "Unfortunately, the hackers are using automation to help guide them on which companies are likely to pay a ransom," Curry said.
As the COVID-19 pandemic has taught the world the need for resilience and readiness, such a lesson is particularly true for cybersecurity. With more than 70 percent of security executives believing that their budgets will shrink this year, according to McKinsey research, picking the right tools will prove paramount. With more than 2.57 million phishing attacks detected across the Middle East in the first quarter of 2021, according to security company Kaspersky, and a Dubai Future Foundation report revealing that phishing attacks jumped by 600 percent in the region post-Covid, experts found that phishing warrants greater attention. "Under this scenario, the adoption of security orchestration and automation (SOAR), which can automate threat investigations and remediations, makes a compelling case," Subramania explained. "SMEs must understand that a cyber-attack is not a human-scale problem anymore. We need better integration between people, processes, and technologies, and this calls for strategic investments, despite a low-budget environment."
Equipping and educating themselves about cyber risks is a critical component for SMEs going forward, as their ability to survive or handle the damage of serious cyber incidents is considered quite limited. For Mrad, SMEs are expected to be fully aware of their cyber risk exposure and to understand whether they have an appetite to deal with such risks and the limits of that appetite. On that basis, they are recommended to develop their cyber risk management plans accordingly. In the post-Covid era, most companies will retain some form of remote working and expand their online presence to grow their customer base, which will also increase their exposure to attacks. As cyberthreats continue to evolve, SMEs will need to be equipped with the right security tools to ensure there is no downtime to their online presence, which could lead to loss of revenue. "For instance, if an SME suffers a ransomware attack, they might lose access or data related to their customers and suppliers," Soobhany noted. "They must invest in security tools and policies that can assist in safeguarding the company and the staff."
As SMEs in the region embrace the opportunity to widen their customer base with the adoption of digital and cloud-based tools, they should be mindful that this type of migration comes with increased cybersecurity risks. The management of SMEs needs to view the security of their company as paramount and invest in advanced security tools and policies. As large enterprises are currently adopting AI-guided security management, cloud-based security monitoring platforms and the addition of analytics, the protection of their infrastructure and assets is set to improve. For SMEs, the cost of these security technologies is becoming more affordable, which is expected to help them gain commercial advantages from adopting these digital technologies and prepare them against cyber threats and attacks.
With the Middle East cybersecurity market expected to grow from US$15.6 billion in 2020 to US$29.9 billion by 2025, at a Compound Annual Growth Rate (CAGR) of 13.8 percent, along with the exponential digital transformation and the evolving use of digital platforms, IoT, cloud services, web and mobile applications, and 5G networks, organisations of all sizes may face the threat of sophisticated, organised and coordinated cyber-attacks. Ransomware, social engineering, online fraud, privacy violations, and DDoS attacks are set to remain the most significant threats to regional SMEs and organisations. It is therefore of utmost importance for regional enterprises to proactively identify security vulnerabilities in their systems in order to remain secure and resilient against cyber-attacks. "Hence, it is vital to build cybersecurity capacities and capabilities to close the skills gap and overcome gender disparity in the profession to meet the demand of the market," Khan explained.
The high rate of technology adoption in the Middle East will mean that, going forward, cybersecurity will have to keep pace with it, and experts foresee that the market for security training and upskilling will grow significantly in the next couple of years. On the other hand, as SMEs reorganise their priorities and increasingly enter the market seeking third-party service providers, the industry is expected to witness more vendor activity. For Subramania, there will be more competition, higher client expectations, and more optionality in terms of cybersecurity tech - all leading to improved services and products. "Concurrently, policymakers will facilitate favourable conditions for SMEs to cope with cyber threats, as the SME sector is the backbone of the Middle East's economy," he added. "In a way, we liken this to the Pygmalion Effect, wherein high expectations lead to improved performances."
Experts foresee the local cybersecurity marketplace growing within the UAE and the Gulf countries, and the UAE has put in place such an ecosystem with its Cybersecurity Strategy, launched in 2019, which clearly states that it wishes to foster a culture of entrepreneurship in cybersecurity and enable SMEs to safeguard themselves against the most common cyber-attacks. The UAE is also looking to develop the SME marketplace to create or foster new start-ups in the cybersecurity space. This may take some time, as many enterprises, even in cybersecurity, are considered bootstrapped until they can produce revenue that would encourage greater investment by potential investors within the UAE and the GCC countries. "It is a common problem worldwide, the funding of small software companies, as many institutional investors are risk averse when it comes to investing in very small companies, even in growing fields where there is a need for cybersecurity and privacy expertise," Mikkelsen noted. "When it comes to developing standards, the UAE is unique in that it wants to aid SMEs with the development of the 'essential cybersecurity standard for SMEs', what is needed as a minimum and the potential for continuous training. The UAE wants to create a one-stop portal for SMEs to enable them to implement the standard that is developed."
With cybersecurity expected to be the main and most important risk addressed under SMEs' general business risk assessments, mainly due to the growing number of cyber incidents and the increased reliance on IT systems, data and technology in the way SMEs operate, experts also foresee that more regulations and laws will be passed in the region to address the regulatory aspects of cyber incidents and cybersecurity issues. These include more restrictive data protection regulations and stronger obligations on senior management to take an active role in addressing cyber risks within their organisations. "Cyber compliance requirements will also increase, including the checks and balances that companies will be required to do, and the adequate minimum measures expected to be adopted to address their relevant cyber risks," Mrad said.
Overall, experts believe some SMEs will be lucky for quite a while, while others will either adapt or face existential failure. "Now is the time to contact that cyber friend, to spend a small amount of money and time to get a crawl-walk-run strategy in place that is affordable," Curry concluded.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.