The 2015-16 report released by the Ministry of Micro, Small and Medium enterprises states that India is home to 51 million MSMEs and their contribution to the gross domestic product stands at a staggering 37.5 per cent.
A 2017 study titled ‘Impact of Internet and Digitisation on SMBs in India’ by KPMG and Google highlights that with growing internet penetration and digitisation of SMBs, the sector’s contribution to India’s GDP can increase by 10 percent, taking it anywhere between 46 to 48 percent by 2020.
But for digitalisation to fulfill its promise, it must be secure. If not, it presents opportunities for attackers to gain access to sensitive data and steal intellectual property,or worse. Over the next five years, as more devices get added into the digital ecosystem and more data gets collected, threats and risks will increase and security will be become critical to the digitisation strategy. And, contrary to common perception that only large enterprises face cyber threat, SMBs are equally at risk.
Cyber Security: a missing link in the Indian SME digitalisation journey
Traditional SMBs in India that once debated the relevance of digitalisation to their business are today adopting digital technologies at pace. They understand that technology is core to their business growth and even helps them gain competitive advantage. But in doing so, they are not creating a strong cyber security framework.
The reason for this is that SMBs often underestimate the value of their data. In fact, their cyber security strategy is often non-existent. If at all they do invest in cyber security, they limit it to basic security solutions such as anti-virus software and firewalls. But, that’s barely enough.
The age of intelligent cyber attacks
Today hackers are moving away from mass spam attacks to highly targeted attacks, primarily aimed at intellectual property theft. There is an increase in malware spear phishing, whaling, personalised scams and malicious attacks. According to the Cisco 2018 Annual Cybersecurity Report, malware is becoming more vicious and harder to combat. – ranging from network-based ransomware worms to devastating wiper malware. The report also states that mobile devices are the hardest to defend.
The increased usage of mobile devices at work has led to an increase in business email compromise (BEC) attacks, where cybercriminals get control of a business executive's email account credentials and use the account to steal money from the victim organisation.
Cryptojacking is the newest cyber security risk taking the world by storm. Hackers are turning laptops, desktops and even cellphones into a cryptocurrency mining machine. While stealing computing power may not seem as large a threat, it can cause irreparable damage by making devices unusable and even cause the organisation’s network to shut down.
Even as cyber threats are evolving, traditional ransomware, namely phishing emails containing malicious attachments, spam, malvertising and malicious domains, continues to be one of the most feared cyber threats. . According to the report, about 60 percent of the malicious domains that were analysed were associated with spam campaigns.
Why employees can mirror a cyber threat
Employees are often a critical link in the security chain and can also become potential security threats. With mobility solutions becoming the norm at workplaces, it’s now easier for employees to engage in theft of data. For instance, in mid-2017, there were two separate incidents where episodes of the highly popular television series Game of Thrones were leaked. While one was attributed to a hacker group, the other involved four people smuggling the episode out of Prime Focus Technologies, a company that works with Star India, HBO's distribution partner in India. This demonstrates how internal employees can intentionally or unintentionally pose a security threat where sensitive data is concerned.
Also, a large number of employees are not up to date with the new techniques used by cyber criminals. And this lack of awareness can lead to them unintentionally visiting infected websites which download and install malware, web-based IM applications, and exploit web servers, providing hackers access into the organisation's internal network.
Not just security, but advanced security is the need of the hour
So far, encryption was considered a key security tool. But, with voluminous increase in encrypted web traffic, both legitimate and malicious, the challenge to identify and monitor potential threats has increased manifold. In fact, the report highlights that as of October 2017, 50 percent of global web traffic was encrypted. ‘Encryption is meant to enhance security. But it also provides malicious actors with a powerful tool to conceal command-and-control activity. Those actors then have more time to inflict damage. This sends a strong call to look at encryption beyond just a security feature,’ says the report.
Unified threat management (UTM), a security approach where a single hardware or software installation consolidates multiple security and networking functions, has been long considered a feasible option by many mid-sized and small companies. But one big reason why UTMs may prove to be ineffective to combat today’s highly efficient cyber-attacks is that they introduce a single point of failure within the IT infrastructure. This means that any compromise at the UTM layer will result in the entire cyber security framework of the organisation failing.
Why adopting cyber security makes business sense
The obvious and known outcome of cyber-attacks includes financial and intellectual property loss and reputational damage. So adopting a robust security solution not only minimises these risks but also translates into competitive advantage. Businesses today list privacy and security as two important criteria when building business partnerships, and they are more likely to do business with an organisation that has a better security framework in place.
Another advantage to adopting robust security solutions is that it can help companies adhere to the compliance requirements mandated by global data regulatory organisations and governments, making it easier to do business and avoid penalties.
To stay ahead of cyber criminals and keep pace with the fast-evolving landscape of cyber security, SMEs must draft a security policy that clearly outlines the dos and don’ts for employees in very simple terms. As far as possible, SMEs should invest in relevant cyber security solutions from a single vendor. In fact, the 2018 CISCO Cybersecurity report states nearly half the security risk that organisations face stems from having multiple security vendors and products.
Organisations, irrespective of their size, must give due importance to cyber security. SMEs need cyber security protection just as much as enterprises. It’s time to step up security. See how security can drive your business. Take a trial right away.