Small and medium-sized enterprises (SMEs) have become the preferred targets for cyber criminals.
Not only are they often easy targets, but they offer a stepping stone to larger, more lucrative corporate and government targets.
According to Bill Chang, CEO group enterprise at Singapore Telecommunications giant Singtel, SMEs are “an entry point into the large organisations that are part of their supply chain.”
The figures back this up. Smaller companies have been experiencing a steady increase in attacks in the past five years, according to Symantec’s 2016 Internet Security Report.
The report found that 43% of all attacks were targeted at small businesses with fewer than 250 employees in 2015.
“Every partner that plugs into an enterprise environment brings in a fresh set of vulnerabilities, which results in security lapses,” said Nikhil Batra, research manager, Telecommunications at IDC Asia-Pacific.
“Hackers and malware developers are constantly on the lookout for such partner ecosystems, where they can creep into a secure network through an unsecured partner.”
For example, in Thailand earlier in 2016, a third-party developer commissioned by the immigration police briefly leaked the personal details of 2,000 foreign nationals living in southern Thailand during the testing stages. The data contained the names, addresses, professions and passport numbers of the foreigners.
Attacks cost less than you think
While large enterprises have the resources and often place a priority on investing in shoring up their defenses, SME priorities can be very different.
Most SMEs feel that they are too small to attract the interest of a hacker, or are unaware of how best to protect themselves. They also lack the IT staff to ensure that their systems and networks are protected.
An SME owner’s assumption that the business is too insignificant to interest cyber criminals may have been true in the past, but it no longer holds. The decreasing cost of compute power and the growth of automation allow cyber criminals to mass-produce attacks at a fraction of what it used to cost.
“The cost of compute power has gone down and we can assume it will continue. The advantage goes to the attacker as it means they can launch greater and more sophisticated attacks at less cost,” said Mark McLaughlin, CEO at Palo Alto Networks.
“When the cost of an attack goes down, the number of successful attacks will go up at an alarming and exponential rate.”
Chang at Singtel said: “This is a major issue as large enterprises have funding and resources to build or leverage security service providers to increase their level of defenses, but SMEs either do not have the resources or do not bother.”
A popular myth is that attackers have to force their way into organisations. In fact, most breaches occur when attackers trick people into letting them inside, said Alex Lei, regional director for Southeast Asia at FireEye.
For instance, in January 2014, an employee of a contractor engaged by KB Kookmin Card, Lotte Card and NH NongHyup Card used a portable hard drive device to steal credit card data, according to prosecutors in South Korea. Some 20 million customers were reportedly affected by the firms’ data breach.
Asean lags in cyber security
An added challenge, said Lei, is that Asia as a whole is still playing catch up in the cyber security space and Southeast Asia is at the rear of the pack.
“In 2015, the median time it took the typical Asia-Pacific organisation to know they had been compromised was 520 days – around 17 months. The global figure is only 146 days. In Europe, the Middle East and Africa, it’s 469 days, according to the 2016 Mandiant M-Trends Asia Pacific report,” he said.
The problem is compounded by the fact that Southeast Asia is significantly more exposed to targeted attacks than the global average.
“In the second half of 2015, 27% of the organisations we observed in Southeast Asia were exposed to at least one targeted attack. This is almost double the global average of 15%,” said Lei.
Regulation needs to drive investment
A challenge is that most breaches in the Asia-Pacific region never become public, as governments and industry-governing bodies may lack effective breach disclosure laws, according to the Mandiant M-Trends Asia-Pacific report. SMEs are also less likely to understand attacks and report them to authorities.
Symantec’s 2016 Internet Security Report found that in 2015 more companies chose not to reveal the full extent of the breaches they experienced, with the number of companies choosing not to report the number of records lost increasing by 85%.
“In Asean, a lot of [cyber security] breaches are not shared. [But] increasingly, countries will mandate that notification is mandatory when there is loss of customer, citizen and public data. Due diligence will take [cyber security measures] to a different level,” said Chang.
Regulatory requirements can be a deterrent. For instance, Singapore’s Computer Misuse and Cybersecurity Act (CMCA) means law enforcement agencies have the power to investigate and apprehend individuals or entities behind cyber crime.
Data protection laws can also encourage organisations to ensure that their IT infrastructure is sufficiently secure in terms of data security. In the Asean region, Malaysia, Singapore and the Philippines have introduced comprehensive data protection regimes in the past five years.
Singapore has started to enforce this. The Personal Data Protection Commission (PDPC) fined K Box Entertainment Group, a karaoke chain, S$50,000 for not putting in place sufficient security measures to protect the personal data of 317,000 members, for inadequate data protection policies and for the absence of a data protection officer (DPO). The company’s IT supplier, which was responsible for its content management system, was fined S$10,000.
Regulators in industries such as finance are also playing a role. In the Philippines, the central bank has set up a separate cyber security surveillance division to craft cyber security policies and conduct surveillance work, monitor cyber threats and test the ability of supervised institutions to manage cyber security issues.
Meanwhile, the Monetary Authority of Singapore took “appropriate supervisory actions” against Standard Chartered, which had data on 647 of its wealthy clients stolen in Singapore. The data was taken from a server used for Standard Chartered Private Bank at a Fuji Xerox printing facility, which had been hired to print bank statements.
“The truth of the matter is that nobody can guarantee that an SME or enterprise won’t be hacked or breached. It’s all about assessing their security landscape and mitigating the risk. SMEs need to have plans in case of any security breach,” said IDC’s Batra.
“Investing in security for enterprises and SMEs is like a country investing in its nuclear arsenal – with the hope that they never have to use it.”