By George Lee, Vice President, Asia Pacific and Japan, RSA
Have you been to the zoo and wondered what you would do if the lion jumped out of its enclosure? You’ve probably heard this before: To survive, you don’t have to be the fastest runner, you just have to outrun the slowest person.
In the world of cybersecurity, the lion would be the cybercriminal out for blood (company assets and data). The thinking goes that Small to Medium Enterprises (SMEs), by the nature of their size, are not the largest or most obvious target and are thus safe. This thought might be the reason why a recent report by insurance provider Chubb highlighted that nearly half of the SME leaders surveyed said their organisation assumes it will never experience a cyber incident. 59 percent of respondents believed that large corporations are more at risk of cyberattacks than SMEs.
If there were a single lion that could only eat one of us, the approach might just work. However, the same report showed that 65 percent of SMEs were victims of cyberattacks in that very year. The situation we’re facing is actually more like that of an impending zombie apocalypse. Presuming for a moment that everyone has seen at least one zombie film, the threat is hordes of zombies, with very little intelligence, out to get you. There’s the inevitable super-zombie, a state-backed hacker group if you like, but they’re probably not the biggest problem for most.
In this vein, cybersecurity feels a lot more like a constant struggle for survival than a carefully executed wargame. Whilst some organisations can attract specifically tailored attacks, they are few and far between. The majority of cyber incidents are one of the great hordes finding its way through your defences and taking a chunk out of your leg (exfiltrating priority assets). The idea that you only need to outrun your slowest friend doesn’t work when the threat is everywhere and doesn’t mind who it stumbles upon.
Singapore saw 9,430 reported cybercrime cases in 2019, according to the Cyber Security Agency of Singapore (CSA). That makes for 26 cyberattacks daily. Imagine what the numbers were in 2020, when the Covid-19 pandemic flipped the notion of the traditional office on its head and shoved companies headfirst into the new digital-first business reality.
SMEs may look at cybersecurity as something massively complex and hugely expensive that only their larger counterparts can afford. While neither cyber technology nor cyber teams are cheap, SMEs have two major advantages that make running a secure business easier.
The first is agility. It is often viewed as a bad influence on security, because being fleet of foot is a barrier to reaching security maturity, but it also allows critical business changes to happen more quickly. For example, a small business may identify an authentication or storage solution that provides more inherent security, and it is in a much better position to make that change quickly. Enterprise businesses, on the other hand, are large and slower to change. Complex processes, complex team structures and complex mixes of integrated technology can make a business good at what it is doing now, but complexity is the enemy of cybersecurity, making even small changes extremely hard to make. The best-conceived cybersecurity program with unlimited budget can take years to implement, and yet a small business may be able to make a similar improvement in its security standing with smaller changes in a fraction of the time. Staying current is a large part of the battle.
Complexity also increases the attack surface. More systems to protect, more updates to install, more of everything makes the remit of cyber teams vast. Small businesses often have significantly smaller surfaces and can more easily achieve the same level of protection without the same expense in time and resources required for layer upon layer of security.
Agility also allows small businesses to make better use of point solutions or new technologies. Keeping pace with security tools or using narrower, more targeted tools can get smaller, simpler organisations much further than it would a larger enterprise.
The second advantage is people. People are fundamentally and profoundly awful at security. It’s non-intuitive and heavily contextual to most. In smaller businesses, teams are closer. They interact more, know each other better, and instantly recognise what’s abnormal in their environment. Training is more easily delivered and more effective because of the more personal connection between every individual and the business. While the application of security technologies clearly has significant benefit, security really starts with users. Yes, users are also often the security weak link, but good users, in combination with some basic security controls, get you a really long way down the road.
While SMEs may not be a priority target for a threat actor, they are absolutely a target for the great horde of cyber zombies that can and will do serious harm. Cybersecurity is not just for big businesses. SMEs can achieve so much more in the security space than large corporations, and faster.
Embrace security, make it a part of your small business family, adopt some basic technical controls and make yourself much less appetising.
As Vice President of RSA in Asia Pacific and Japan, George Lee leads the overall RSA business ranging from sales, business operations, strategic alliance, to client experience across the region. With over 20 years in the IT and cybersecurity space, his consulting experience and leadership have helped him build high-performance teams that have successfully implemented operational changes, process improvement and business growth in the complex business environment across the region.