‘MSMEs’ flawed belief of being too small to be attacked is root cause for ignorance of cyber security’

• By Prashant Bhat

Technology for MSMEs: IT and digitization have become an all-pervading reality for the business world. Mobile device penetration is at an all-time high in India, with a bigger potential for further growth. In the light of these facts, SMEs have begun to embrace technology as a business enabler at a faster pace. The Covid-19 pandemic has further strengthened SMEs’ belief that technology and digitization are paramount to their relevance in an increasingly limited physical contact world. SMEs have begun to increase their spending on technology for various fronts, ranging from back-office work to customer-facing operations. For example, mobile apps for customer and order management, SME focused ERP (some have ventured on to the cloud) focused on accounting and inventory management, e-commerce-oriented websites with payment gateway adoption, alignment of ERPs with service aggregator apps for better demand farming, and remote access and mobile-based access for back-office operations.

Hackers don’t differentiate between corporates, SMEs

As SMEs and startups adopt technology and drive the digitization of their operations as part of their growth and market relevance strategy, a key aspect that remains ignored across the board is cybersecurity. The root cause for such a gap is the typical flawed belief that “I am too small or irrelevant to be attacked”. The pandemic has proved to be a golden opportunity for cybercriminals to increase their pace of attacks and achieve greater success as most business leaders largely focused on the business continuity aspects with lesser attention to cyber defense.  This has helped cybercriminals attack one and all without differentiating between SMEs or conglomerates.

Attacks on SMEs, startups are well crafted, planned

Attackers realize that with large scale technology adoption in the SME sector, the focus and awareness on security hasn’t reached the maturity levels it should have. As a result, they have taken to wide-spread attacks on SMEs in sectors such as export houses, hospital facilities, medical support services (example hospitals, pathology labs), and manufacturing/logistics SMEs (that make up the supply chain for large consumer goods companies), NBFCs, e-retailers and even CA firms. The most common attacks in terms of SMEs are either ransomware or business email compromise (BEC) attacks. Some examples of BEC attacks on finance users are:

• Vendor communication spoofs: Attackers largely take advantage of the lack of security awareness of the end-users, by designing well-crafted emails with business language coming from spoof IDs (of known suppliers) and reference transactions (e.g. past invoices) to con SME employees into transferring payments due on invoices into bank accounts mentioned in the email (i.e. in reality the attackers’ bank account).
• CXO communication spoofs: Similar to the vendor communication spoof attackers, attackers design well-crafted emails to finance heads with imitating/spoof IDs of CEO and giving reference a “secretive” communication on the acquisition of a new company and asking for transfer of the amount to legal advisor’s banking account (that is, in reality, the attacker’s bank account). The transactions in many cases are executed by the accounting teams as there is a “formal communication” to serve as evidence justifying the transaction.

Apart from the above mode of attacks, attacks are also designed to achieve objectives and impacts, some of which include ransomware attacks on endpoints and business servers in order to extort money for data decryption/restoration, business servers being used for cryptocurrency mining, unauthorized banking transactions. The hackers do a strong reconnaissance before launching such attacks, this includes implementing spyware in employee laptops to gather business context information which is used to craft attacks. The Protiviti ISACA global survey that highlights the top 10 Risks anticipated by global IT leaders in 2021 are cyber breach, confidentiality & privacy, regulatory compliance, user access, security incident management, disaster recovery, data governance, third party risk, remote workplace infrastructure, and availability risk.

Why cybersecurity topical for SMEs

Insights, from the Protiviti ISACA survey, reveal that among key industries such as consumer-packaged goods/retail, energy utilities, financial services, healthcare, manufacturing & distribution, technology media & telecommunication (TMT), the cyber breach was the most common risk identified in the top 10 risks. With the personal data protection bill potentially on the anvil during the course of the year, the above cyber risks coupled with the potential penalties on account of a data breach can lead to severe business impacts both from a regulatory and financial perspective on account of penalties. Hence, cybersecurity is topical from this perspective even for SMEs.

Practical strategies and tips

It is pertinent to note that SMEs and startups operate on a limited budget. This however does not exempt SMEs from security spending. Smart security is the way to go for most SMEs, which involves key principles such as choosing a strong, legitimate IT infrastructure and applications for business, reducing the footprint of critical and confidential data across desktops, laptops, and emails, layering cyber-defense technology in IT systems where sensitive data is managed, imbibing a concept of cyber awareness of “trust but verify”, and last but not the least, plan for cyber insurance to cover for financial damages/costs incurred due to cyber-attacks.

SMEs should secure endpoints by implement EDR and anti-virus implementation, disabling USB drives, and rights to install non-business software. They should secure infrastructure by implementing server focused EDR solutions and UTM device to restrict internet access for business purposes only. Also, SMEs should subscribe to secure/reputed service providers. They should subscribe to domain hosting services that offer services around secure web development and WAF service (where e-commerce sites are in play), email service providers that offer spam mail protection and content screening, and in case SMEs are using SaaS, they should insist on SOC 2 reports conducted by independent third-party audit firms.

SMEs should also strengthen people security posture by building periodic awareness among staff on the concept of cyber-attacks covering topics such as phishing, ransomware, deep fakes, safe internet usage concepts and, legitimacy checks/validations/manual confirmations before executing financial transactions based on emails from vendors/suppliers, customers, CXOs, bankers, and regulators. To conclude, the critical success factors for an effective cyber program in SMEs would be to ensure that concepts of cybersecurity are imbibed in the culture and operational process of the organization on a continuous basis coupled with adequate management support.

Prashant Bhat is Managing Director, Cybersecurity & Privacy of Protiviti Member Firm for India. Views expressed are the author’s own.