Protecting Digital Assets
During the 10th WIEF Global Discourse on Cyber Security for MSMEs, three experts discussed how cyber security impacts small businesses, steps for data governance and more. Here’s a summary of that virtual session in December 2020.
In the wake of the pandemic crisis, there has been a surge in the use of online and digital tools, primarily to support communication and online trade. This creates new opportunities for malicious actors to take advantage of the disruptive effects of the crisis and target businesses, especially MSMEs, which are easy targets because they lack the resources to implement comprehensive cyber security solutions.
Now, more than ever, MSMEs must understand and manage the information in their possession, establish policies and secure suitable IT infrastructure for online protection. This is so they can ensure business growth, protect employees and continue to garner trust from customers.
The 10th WIEF Global Discourse discussed the importance of securing IT infrastructure as well as data, the future of cyber security and solutions to overcome the threats. It also raised awareness and educated participants on what to do to protect their businesses against cyber threats.
Here is the summary of the virtual session which was moderated by Nordin Abdullah, Managing Director of Glenreagh Sdn Bhd in Malaysia.
How does cyber security impact SMEs?
Speaker 1: Dato’ Dr Amirudin Abdul Wahab, CEO, CyberSecurity Malaysia
We’re moving into a highly connected world. Digital technology has now become a vital tool that enables organisations, big and small, to intensify the business by venturing into various activities such as e-commerce. Also, using the technology to enhance efficiency and reduce costs. At the same time, we need to understand that there are risks involved. A Cisco [Systems] report states SME digitisation will contribute about RM75 billion to RM99 billion [to Malaysia’s] GDP by 2024. As it is, SMEs contribute 38.3 per cent to Malaysia’s GDP. Basically, SMEs invest about 18 per cent into tech. Out of which, 14 per cent focuses on the upgrade of software and 11 per cent on cyber security. Cyber security is about lack of security awareness.
Speaker 2: Rieva Lesonsky, President and CEO, GrowBiz Media, United States
So, every small business needs to realise that they’re vulnerable because it’s easy to hack into small businesses because they don’t have the security system to withstand those attacks.
Speaker 3: Bobby Varanasi, Chairman & CEO of Matryzel Consulting Inc, Malaysia
Let’s take a look at the developed world first, and then we’ll come to the developing world. So, we can make some comparisons. It’s no longer just a conversation about cyber security. It’s called digital assets security. You got a whole bunch of assets from your desktops, laptops, servers, data centres, networks, websites, payment interfaces and payment gateways to all the data that you’re hosting either on a cloud or a third-party provider.
Technological solutions are coming into play, such as automatic turn off and visual identification biometrics. But they’re extremely expensive. So, you can forget SMEs adopting them. It’s not just an issue of capital. It’s a much larger issue of the outcome. Note that digitisation or digitalisation are often used interchangeably. But they’re not the same. Most SMEs in the last five years have started digitising their manual procedures and policies. Digitalisation is a completely different animal altogether where you’re looking at removing silos to the information flows which means security has to be an end to end view.
What would be steps for data governance to minimise cyber risk?
Dato’ Dr Amirudin Abdul Wahab:
Recently, the Malaysian government launched the Malaysia Cyber Security Strategy for 2022–2024. It covers five strategic pillars:
1. Focus on effective governance as well as management and how to manage various government entities and private sectors.
2. Public and private sectors to work together to centralise legislative framework and enforcement.
3. Catalysing world class innovation, technology and industry.
4. Enhancing capacity and capability, building awareness and education. Especially the people aspect is important.
5. Strengthening global collaboration. It’s because cyber security isn’t a local issue, it’s a global issue. So, it’s important to work collaboratively.
When it comes to cyber security, the weakest link is people. Cyber security begins with the individual. That’s why Malaysia, through CyberSecurity, has developed a capacity building framework, awareness and education framework. CyberSecurity has a programme called CyberSAFE – where SAFE is short for ‘security awareness for everyone’. This programme is for those who use digital technology and not practitioners. It focuses on users of the internet and best practices.
Then there’s competency training where various types of technical and management training for practitioners are provided. For organisations, a professional programme called Global Accredited Cybersecurity Education (ACE) Scheme by CyberSecurity, gathers input from industry partners and the public sector. ACE helps build the right talent to protect organisations.
On data governance, one of the things that we’ve not seen, is policy catching up with industry, the elimination of silos with policymakers or policymaking institutions. And this is true of almost everywhere in the world. So, there are regulators for each different industrial sector and they work in their own little bubble, being in complete control of whether it’s the Securities Commission, central banks or telecommunications agency.
For users, their data flows through all the industries. The day you buy a Ford, it goes through a banking provider by way of your payment data and gives your details to all the Walmarts and other retailers of the world. You know you’re crossing telecommunications networks. So, your data is fungible. Users don’t understand data fungibility enough. This brings back the point of people being the weakest link because the ones who can create strength, which are the regulators, don’t collaborate.
Collaboration between regulators is the new reality, and creating frameworks where information and knowledge is cross-pollinated so that users’ data remains safe. This is the biggest picture of data governance.
What should SMEs do first to deal with a malicious attack?
It’s called endpoint security. The vulnerability of a person is found out at his extremities. You don’t know the core. Only if you’re working for an organisation, you may know its core and thus, hit the service directly. However, if you’re sitting on the outside as a hacker, they’ll look for the extremities and all the activities that typically come in the form of websites as well as portals as the starting point, plus your emails.
When you get links, don’t click on them. Users get so many links in a day because that’s the entry point for hackers and a test of the efficacy of your existing security as well as your behaviour. So, endpoint security is cybersecurity services for network endpoints that include antivirus and email filtering as offered by, for example, Kaspersky. It’s something not being taken seriously enough but it should because it can distinguish between the attempts versus the real vulnerabilities. Technically, hardcore attempts are approximately four per cent of actual attempts. How do we keep our data safe? Simple things that we take for granted like wireless passwords, could be volatile.
How to keep updated on types of cyber attacks?
Dato’ Dr Amirudin Abdul Wahab:
An SME study stated that 71 per cent of ransomware attacks are targeted at SMEs and the average cost per attack is USD116,000 which is USD234 per attack. But only 14 per cent of businesses are prepared to defend against these attacks. Another Malaysia-centric study stated that about 37 per cent of SME leaders have a poor understanding of potential cyberattacks and another, via the Verizon Business 2020 Data Breach Investigations Report, mentioned that about 20 per cent of data breaches in 2020 involved small businesses. CyberSecurity has a help centre to receive reports and we categorise them into various categories and found that about 70 per cent reported were related to fraud.
It’s data. It comes down to the amount of data you’re generating. At a national level, it’s considered critical information because it’s part of the physical infrastructure and network of trade and economic. It should be protected. Today, access to this information is heightened because they’re all connected to international gateways. We aren’t isolated as a nation. We’re connected by way of tables with people from all over the world. So, those endpoints are a way to get into the system and it’s possible to find that particular individual or an entity that gives access. That’s the biggest reason why you see different networks completely independent of the rest of the networks within a country.
Malicious defence network is on its own, it’s isolated from the rest of the networks. There’s a reason for that. It’s because that is the highest level of national security threats. When it comes to banking infrastructure, you can’t disconnect banks from the rest of the world. Thus, secure protocols, the entire end to end security is needed. This is where you need not just money, but a whole lot of intelligence, to be able to handle them in a proactive basis. This is where regulations come into play as well. SMEs are contributors to it. SMEs need to understand endpoint security, digital asset security, isn’t just about their own business but it’s their role in the economy.
Malaysia, along with Oman and Australia, is the third most highly ready country in the world for cyber security. According to Global Cybersecurity Index (GCI), published by the World Economic Forum in conjunction with ABI research, out of the top 20 countries, Malaysia is number three and the only other Islamic country. It’s important to know how to sustain this status by adhering to stringent global standards which may be difficult to adopt but they are necessary.
Don’t look for quick and easy solutions that you can plug and play. By the time you implement a solution, it has become obsolete. There are a lot of small companies that do consulting and can build contingency plans for you but they’re not for free.
The thing to remember is, to keep being updated. The bigger your business is, the more vulnerabilities you’d have. So, check twice a year to ensure what you have installed is adequate in terms of cyber security. Be constantly on top of this.
Dato’ Dr Amirudin Abdul Wahab:
Cyber security may be costly but insecurity is costlier. Therefore, it needs to be managed and seen as not a constraint but an enabler to grow a business. It should be seen not as a technological problem but a business problem. Only then will cyber security be seen as an important catalyst to business growth.