Startups and SMEs are facing a wave of cybercrime during the Covid-19 pandemic
In the non-fiction classic In Cold Blood, Truman Capote documents a 1959 crime that shook the state of Kansas. One glaring detail about the crime stood out from the rest: the criminals walked into the house they were robbing through an unlocked door.
An unlocked door is manna for thieves, and for the cybercriminals targeting young businesses across the world, the Covid-19 pandemic is a backdoor swinging wide open. With workforces shifting to remote work and poor security hygiene making networks vulnerable, the pandemic has laid bare several weak security links within business networks.
Co-founder and CEO of Singapore-based cybersecurity firm Horangi, Paul Hadjy believes that the security attacks that have taken place since the onset of Covid-19 are expected. The pandemic has given attackers a new guise to take advantage of weak cybersecurity practices by using tried-and-trusted tricks from the playbook.
“The old mindset around security is that you’re building a wall around your network. With people working from different networks, there’s just more surface area to cover from a security perspective,” says Hadjy.
Most startups and small and medium enterprises (SMEs) are ill-equipped to take on sophisticated security threats. By underestimating the need for strong cybersecurity practices, they increase their susceptibility to unknown, zero-day vulnerabilities.
“Most SMEs and small startups struggle with getting the basics in place. And really, that’s just culture,” Hadjy says.
Crisis Mode: A field day for cybercrime
Verizon’s 2020 Data Breach Investigations Report (DBIR) found that though small businesses were targets for over a quarter of all cyberattacks. The good news is the trend is moving downwards; its 2018 report found the number to be as high as 58%. At the same time, these attacks can force up to 60% of SMEs to shut shop within just six months of a breach (Switchfast).
Hadjy notes that while businesses regulated by authorities, such as the Monetary Authority of Singapore or the Hong Kong Monetary Authority, pay attention to cybersecurity measures, unregulated businesses do not take it as seriously as they should.
The pandemic has become a smokescreen for targeted attacks. Spear-phishing (a type of email attack to steal sensitive information) related to Covid-19 has seen a meteoric spike of 667% since the end of February alone, according to Cynet global threat telemetry data.
For context, research reveals that a trillion fraud emails are sent out every year, half of which comprise phishing attacks (Valimail). The attacks aimed at businesses, which leads to unauthorized funds transfer, generated losses of $1.7 billion worldwide last year alone, a Federal Bureau of Investigation report reveals.
Employees have become a lucrative attack vector due to chaos in the current enterprise ecosystem. Over 60% of workers in the Asia Pacific region are using personal devices for work, and a majority feel they have not been adequately trained on cybersecurity for working from home (2020 CrowdStrike Work Security Index).
“Wherever a data breach has happened [in recent years], it’s due to the mismanagement of a human link such as an employee who made a mistake,” says Nandakishore Harikumar, co-founder and CEO of India-based cybersecurity firm Technisanct.
Unsecured networks are exposed to links that dupe users into downloading malware, like the fake John Hopkins University coronavirus map. Attacks on remote access points and tools have spiked, with a 23% surge in brute-force attacks (trying password combinations until the correct one is found) on servers in April 2020 (Kaspersky), and 500,000 hacked Zoom accounts were put up for sale on the dark web the same month.
Further, the shift to remote working has catalysed cloud deployment in businesses. “The world has moved to cloud servers lately. It’s the human element that makes it insecure. To some extent, we can mitigate the impact of human error by taking up proper security practices,” says Technisanct Co-Founder and CTO Dinson David Kurian.
Cloud infrastructure flags the need for stronger cybersecurity practices within organizations. Since public and private cloud service providers have different security protocols, and these can be updated often, companies migrating to cloud need to be sure about who has access to their data, and how.
The challenge with SMEs and startups, Harikumar says, is that they may simply not understand the technical aspects pressing risks of cybersecurity, and that is the foremost obstruction to awareness and decision-making within the company.
Crucial first steps
A complete cybersecurity cover entails security policies and protocols, cybersecurity audits, and solutions to fortify a company’s networks and data. Startups and SMEs, however, are often cash-strapped even under non-pandemic conditions. Where budgeting for cybersecurity was once a struggle, it’s now completely out of the question.
Even if there was a panacea for the crisis, it is unlikely that young businesses will be able to afford it. And they do not need to, because immediate measures that can help protect their networks and data require more time and effort than money.
“If you have the right policies and requirements in place, it can save you a lot of money and reduce your risk significantly,” Hadjy explains.
The most basic but potent course of action for young businesses is to attend to the cybersecurity culture within the organization. Employees need to be brought up to speed on the relevance and application of appropriate security practices, such as being wary of potential email scams, installing antivirus on their operating systems, and securing their home networks.
“One underlining statement for the cybersecurity crisis across the world is that unless we create massive awareness, cybersecurity issues cannot be solved. Cybersecurity has to be brought into the organization as a culture,” Harikumar says.
Multi-factor authentication (MFA), as Kurian and Hadjy both point out, is another important security tool. MFA relies on authenticating the user through access codes as well as passwords, providing layered protection to business information and networks.
Businesses can also encourage their developers to adopt a zero-trust model. “It’s zero trust because just like the name implies, every system must be authenticated before they exchange data. It will ensure that even if one of the systems is compromised, it will not affect the remaining systems as easily,” Kurian explains.
The new normal will be digital
Young businesses have realized the implications of going digital, and how it can serve their organizational needs more effectively. The digital transformation precipitated by the pandemic is expected to continue even after workers return to a level of normalcy.
“This situation has brought interesting opportunities for companies to make that digital transformation. It will help protect them if future situations like this arise. And of course, it’s helping them save money in most cases,” Hadjy notes.
For young businesses keen to cut costs, automation and cloud solutions show a clear pathway to staying lean. The ‘new normal’ will give the opportunity for young businesses and corporations alike to find flexible and digital ways to work. When they do, it is in their interest to address cybersecurity as a culture within the organization, and keep the digital doors locked.
Sharon is a staff writer at Jumpstart.