In 2020, SMEs were the target of 43 per cent of cyber-attacks, with an average cost of US$184,000, according to Verizon. Just in Singapore, phishing attacks against SMEs increased by 60 per cent, with devastating results in some cases, as reports further suggest that 60 per cent of small businesses fold within six months of a significant attack.
The Asia Pacific region is an ideal breeding ground for cybercrime. A general lack of cybersecurity consideration, policy preparedness and institutional oversight, paired with high digital connectivity, a large volume of cross-border data transfers and still-developing regulations, greatly increases the vulnerability of Asian firms.
Such weaknesses must be addressed as soon as possible to avoid the risk of businesses throughout the region losing over US$750 billion, according to Kearney's conservative estimate.
SMEs and startups often believe that they will not be the target of a cyber-attack because of their size or perceived importance, but that is a myth. The best way to protect small and medium-sized businesses is to avoid common misconceptions such as "security through obscurity". Most attackers target the most vulnerable companies, those with an open cyber door, rather than the biggest ones.
In this context, it is essential that organisations of all sizes and industries protect themselves from cyber incidents, realising and patching vulnerabilities before hackers manage to find and exploit them.
Identify, protect and detect
The National Institute of Standards and Technology (NIST) Cybersecurity Framework advises organisation stakeholders on how to manage and reduce cybersecurity risk in line with their business drivers. Its first three functions, identifying cybersecurity threats, protecting the digital infrastructure, and detecting malicious activity when it arises, go a long way towards protecting your company from cyberattacks.
This can be done through a combination of traditional cyber defence techniques, including compromise assessments, well-rehearsed incident response plans and playbooks, and other forms of vulnerability management.
Proper cyber hygiene is also key to securing open digital doors that can be exploited by attackers. Starting with the lowest hanging fruit is a good first step to improving your cybersecurity posture.
Enforce a strong password policy
Passwords are the first line of protection against unauthorised access to your computer. The stronger the password, the higher the level of protection your computer has from malicious software and attackers.
- A strong password must be at least eight characters long
- It should contain characters from the four primary categories, including:
  - Uppercase letters
  - Lowercase letters
- It should not contain any of your personal information: specifically your real name, username, or even your company name
- It must be unique and dissimilar from your previously used passwords
- It should not contain any complete dictionary word
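The policy above can be enforced mechanically at password-change time rather than left to user judgement. The following checker is an added example, not code from the article or from any vendor it mentions. The article names only two of the "four primary categories"; the checker assumes the conventional remaining two, digits and symbols. The word list, the 80 per cent similarity threshold for "dissimilar from previous passwords" and the sample user attributes are all constructed for illustration.

```python
import difflib
import re

# Constructed stand-in for a real dictionary / breached-password list (sorted so
# the order in which matches are reported is deterministic).
COMMON_WORDS = sorted({"password", "welcome", "summer", "dragon", "company", "letmein"})

# Assumed threshold: a candidate is "too similar" to an old password when the
# SequenceMatcher ratio is at least 0.8 (one-character rotations such as
# Summer2023! -> Summer2024! score well above this).
SIMILARITY_THRESHOLD = 0.8


def check_password(candidate, real_name="", username="", company="", previous=()):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    lowered = candidate.lower()

    # Rule 1: minimum length of eight characters.
    if len(candidate) < 8:
        problems.append("shorter than 8 characters")

    # Rule 2: character categories (uppercase, lowercase, plus the assumed digit/symbol).
    categories = {
        "uppercase": re.search(r"[A-Z]", candidate),
        "lowercase": re.search(r"[a-z]", candidate),
        "digit": re.search(r"[0-9]", candidate),
        "symbol": re.search(r"[^A-Za-z0-9]", candidate),
    }
    missing = [name for name, hit in categories.items() if hit is None]
    if missing:
        problems.append("missing character categories: " + ", ".join(missing))

    # Rule 3: no personal information (any word of the name, username or company).
    for label, value in (("real name", real_name), ("username", username), ("company name", company)):
        for part in value.lower().split():
            if len(part) >= 3 and part in lowered:
                problems.append(f"contains {label}")
                break

    # Rule 4: dissimilar from previously used passwords.
    for old in previous:
        if difflib.SequenceMatcher(None, lowered, old.lower()).ratio() >= SIMILARITY_THRESHOLD:
            problems.append("too similar to a previously used password")
            break

    # Rule 5: no complete dictionary word anywhere in the password.
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains a complete dictionary word: {word}")
            break

    return problems


if __name__ == "__main__":
    # Constructed sample user: hypothetical name, username and employer.
    for pw in ("Tr0ub4dor&3", "password1", "Acme!Corp2024", "Summer2024!", "Ab1!"):
        print(pw, "->", check_password(pw, real_name="Jane Doe", username="jdoe",
                                       company="Acme Corp", previous=["Summer2023!"]) or "OK")
```

Each rule reports its own violation so the user gets actionable feedback; the check stays case-insensitive for the personal-information and dictionary rules because attackers' wordlists are.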
Enable Multi-Factor Authentication (MFA) across your organisation
Multi-factor authentication (MFA) is the simplest and most effective way to confidently identify a user, protect their personal and organisational data, and prevent identity theft.
The primary benefit of MFA lies in enhancing your organisation’s security by requiring users to authenticate their identity with more than a username and password. While important, usernames and passwords are vulnerable to brute force attacks and can be stolen by third parties.
MFA systems require users to provide two or more factors in order to access an account or platform. These factors fall into three categories:
- 'Something you have', like a mobile phone or a token;
- 'Something you are', a biometric indicator such as a fingerprint or face scan;
- 'Something you know', such as a password or a security question.
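The most common "something you have" factor in practice is a time-based one-time password (TOTP) generated by an authenticator app. The following is an added example of how a server verifies such a code, written from the RFC 4226 (HOTP) and RFC 6238 (TOTP) specifications with the Python standard library; it is not code from the article or from any product it mentions. The shared secret shown is the published RFC 6238 test key, used here so the output can be checked against the RFC's own vectors, and the 30-second step, six digits and one-step skew window are the usual defaults rather than anything the article prescribes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret, counter, digits=6, algorithm=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, last_used=-1, step=30, window=1):
    """Server-side check of a submitted code.

    Returns the matched counter (to be stored as the new `last_used`) or None.
    - Accepts the current step and `window` neighbouring steps to tolerate clock skew.
    - Rejects any counter <= last_used so a code cannot be replayed within the window.
    - Uses a constant-time comparison so timing does not leak how many digits matched.
    """
    at_time = time.time() if at_time is None else at_time
    counter = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if candidate > last_used and hmac.compare_digest(hotp(secret, candidate, step and 6), submitted):
            return candidate
    return None


def provisioning_uri(issuer, account, secret):
    """otpauth:// Key URI that authenticator apps scan at enrolment (secret is base32)."""
    encoded = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={encoded}&issuer={quote(issuer)}"


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 6238 Appendix B test key, not a real secret
    print("code at t=59:", totp(rfc_secret, 59))            # 287082 per the RFC vector
    print(provisioning_uri("Example Co", "jane@example.test", rfc_secret))
    first = verify_totp(rfc_secret, "287082", at_time=59)
    print("first use accepted, counter", first)
    print("replay accepted?", verify_totp(rfc_secret, "287082", at_time=59, last_used=first) is not None)
```

Two details matter operationally: the server must persist `last_used` per user, otherwise the skew window becomes a replay window; and the shared secret must be stored with the same care as a password hash, because anyone who reads it can mint valid codes.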
Adhere to the Principle of Least Privilege
The Principle of Least Privilege is the idea that any user, programme, or process should have only the bare minimum privileges necessary to perform its function. For example, a user account created for pulling records from a database does not need administrative rights; a programmer whose main function is updating lines of legacy code does not need access to financial records.
The principle of least privilege works by allowing only enough access to perform the required job. In an IT environment, adhering to the principle of least privilege reduces the risk of attackers gaining access to critical systems or sensitive data by compromising a low-level user account, device, or application. Implementing this principle helps contain compromises to their area of origin, stopping them from spreading to the system at large.
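The containment effect described above is easiest to see when permissions are carried by the caller and every operation denies by default. The following is an added example, not code from the article: a hypothetical token type whose permission set can only ever be narrowed, a decorator that refuses any operation the token does not explicitly grant, and a helper that shows what a compromised holder of each token could actually reach. The principals, resources and record data are constructed to mirror the article's two illustrations (a records-pulling account and a legacy-code developer).

```python
import functools


class Token:
    """Bearer of a fixed set of (action, resource) permissions.

    attenuate() intersects with the requested set, so a process can hand a
    sub-task a narrower token but never a wider one (no escalation path).
    """

    def __init__(self, principal, permissions):
        self.principal = principal
        self._permissions = frozenset(permissions)

    def allows(self, action, resource):
        return (action, resource) in self._permissions

    def attenuate(self, keep):
        return Token(self.principal, self._permissions & frozenset(keep))


def require(action, resource):
    """Deny-by-default guard: the wrapped operation runs only if the token grants it."""
    def decorator(func):
        @functools.wraps(func)
        def wrapper(token, *args, **kwargs):
            if not token.allows(action, resource):
                # A denied attempt from a low-privilege account is a detection signal;
                # in a real system this would be logged to the SIEM before raising.
                raise PermissionError(f"{token.principal} lacks {action} on {resource}")
            return func(token, *args, **kwargs)
        return wrapper
    return decorator


# Constructed operations standing in for a reporting query, a code change and a
# financial posting.
@require("read", "db:records")
def pull_records(token):
    return ["record-1", "record-2"]


@require("write", "repo:legacy")
def update_legacy_code(token):
    return "commit ok"


@require("write", "db:financial")
def post_ledger_entry(token):
    return "posted"


OPERATIONS = (pull_records, update_legacy_code, post_ledger_entry)


def blast_radius(token, operations=OPERATIONS):
    """Names of operations a holder of `token` could complete, and those denied."""
    reached, denied = [], []
    for op in operations:
        try:
            op(token)
            reached.append(op.__name__)
        except PermissionError:
            denied.append(op.__name__)
    return reached, denied


# Hypothetical principals: each gets only what its job needs.
REPORTING = Token("svc-reporting", {("read", "db:records")})
DEVELOPER = Token("dev-legacy", {("read", "repo:legacy"), ("write", "repo:legacy")})
FINANCE_ADMIN = Token("finance-admin", {("read", "db:records"), ("write", "db:financial")})


if __name__ == "__main__":
    for tok in (REPORTING, DEVELOPER, FINANCE_ADMIN):
        print(tok.principal, blast_radius(tok))
    # An admin delegating a report job narrows the token first; the narrowed
    # token cannot post ledger entries even though its owner could.
    print("delegated:", blast_radius(FINANCE_ADMIN.attenuate({("read", "db:records")})))
```

The point of `blast_radius` is the defender's view: if the reporting service account is compromised, the attacker's reach is the records table and nothing else, and every attempt beyond it surfaces as a denial worth alerting on.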
The last mile
Whilst a strong digital infrastructure and good cyber hygiene can protect organisations from up to 90 per cent of cyber risks, these measures do not make a business impenetrable. Attackers are continuously working to find loopholes in the system, and a single lapse can severely compromise the cybersecurity of the company. Thus, a cyber insurance policy that acts as a risk transfer tool covering the last mile of cyber risk is invaluable.
According to IBM’s 2020 Cost of a Data Breach Report, the average cost of a data breach stands at US$3.86 million. Sample costs include everything from business interruption losses, extortion payments, liabilities, remediation costs and financial penalties.
In Singapore, the maximum financial penalty for data protection breaches is 10 per cent of an organisation's annual turnover or S$1 million, whichever is higher.
Standalone cyber insurance policies typically provide coverage for the full spectrum of cyber risks, from a human error to cyber-attacks, financial losses, and reputational damage. These insurance policies also include access to a professional response panel consisting of digital forensics, legal consultants, and public relations experts to streamline and facilitate the entire cyber incident response process.
In the middle of a cyber crisis, having a specialised team managing incident response and recovery provides peace of mind and ensures that any situation is addressed appropriately.
Virtually every modern business holds digital assets that are at risk. The data, software, and computers that you use every day are critical to maintaining normal operations.
Whilst most of the bigger firms and institutions may have an in-house cyber team and a comprehensive cyber insurance policy in place, the recent rise in cyberattacks against both SMEs and mid-market businesses has highlighted how important it is for organisations, regardless of size, to build cyber risk resiliency. Preventing cyber breaches and developing a well-prepared cyber strategy can save organisations millions of dollars by avoiding the strict cyber breach penalties that are in place to punish negligence.
Investing in a comprehensive cyber insurance policy not only ensures compensation for damage and monetary losses but also offers expert digital forensics and incident response (DFIR) services and breach management support.
Without a strong cybersecurity posture, incident response plan, and coverage in place, one cyber compromise can be the difference between business as usual and shutting down for good. Ensuring that the company is doing all that it can to protect itself from cyber breaches is crucial in an evolving cyber threat landscape where neglecting ‘the last mile’ can have unforgiving consequences.
Image Credit: Petter Lagson
The post Practical tips to protect your business from cyber attacks appeared first on e27.