Smaller organisations often had to grapple with limited budgets and manpower, and would want certainty in how much they had to invest. This was pushing more of them to look at cyber insurance as a way to achieve this, said Ang Yuit, vice president of strategies development for the Association of Small & Medium Enterprises (ASME), an industry group whose members comprise Singapore SMBs.
Responding to ZDNet’s query about the adoption of cyber insurance amongst SMBs, Ang noted that such services provided a way for SMBs to boost their cybersecurity posture while managing their costs. Purchased at a monthly premium, cyber insurance helped these companies better determine how much they needed to put in and what they were getting back in return. It enabled SMBs to define the scope and investment of their cybersecurity protection, he said, in a virtual roundtable Thursday hosted by Lenovo.
While it might not resolve every issue, Ang added that cyber insurance provided a viable alternative to simply purchasing security tools, which could be difficult to cost definitively.
ZDNet understands that there are varying cyber insurance services encompassing packages that include some coverage of costs incurred during an attack and assistance in quantifying the attack’s impact on data and intellectual property. They are also often bundled with security assessment and incident response services, since it is in the insurer’s interest to ensure the SMB has obtained a certain level of cybersecurity readiness and to mitigate the impact of an attack.
In addition, insurers have been keen to provide more services targeted at SMBs, as these companies have much smaller infrastructure and, hence, carry fewer risks to assess and insure against, compared to large enterprises.
Ease of adoption, in particular, is essential in driving greater security readiness in the SMB segment, according to Milad Aslaner, SentinelOne’s global director of cyber defence strategy and public affairs. Speaking in the roundtable, he said automation tools such as autonomous threat detection and response played a key role as they would help ease operations for smaller businesses. The ability to roll back from a security incident also was critical, Aslaner said.
Getting SMBs to better safeguard their infrastructure was especially critical as many had rushed to go online amidst the global pandemic. This increased their attack surface and exposed more of their data, making them prime targets for attacks, he cautioned, noting that cybercriminals would aim for companies with weaker security postures.
Roy Ng, Lenovo’s central Asia-Pacific director of SMB, noted that many SMBs wrongly assumed they were too small to be targeted by hackers. Pointing to a study by Singapore’s Cyber Security Agency, Ng said reported ransomware attacks last year mostly affected SMBs. While small, these companies held customer data that was of value to cybercriminals, he said.
SMBs less proactive, driven by direct business impact
Ang noted, though, that most SMBs were not adequately prepared to address security threats and already lacked a strong foundation, even as they accelerated their digital adoption in the last 1.5 years during the pandemic. “SMBs will deal with a problem when it’s there. [They’re more] focused on operational needs,” he said.
Asked by ZDNet if these businesses then found it challenging to fend off third-party attacks, which required regular assessment, he reiterated SMBs’ tendency not to proactively address issues unless there was an immediate threat or risk. Unless the requirement was stipulated in the service contract, they would prioritise other business operations.
He noted, though, that they were particularly concerned about ensuring compliance with Singapore’s Personal Data Protection Act (PDPA). Pointing to personal data management as a good starting point to drive greater security awareness, he said SMBs were more worried about how they should secure their data, so they would not have to face the ramifications of a breach under the PDPA.
Aslaner said SMBs also would need to improve their security posture, as more enterprises were looking at architectural changes amidst the rise of third-party attacks, with a focus mainly on zero trust frameworks. He noted that organisations were adding cybersecurity requirements as part of their supplier and vendor agreements. SMBs then would have to ensure they met these baselines if they wanted to continue doing business with certain enterprise clients, he said.
Chris Tan, client technologist for Lenovo’s central Asia-Pacific, suggested SMBs begin by identifying their assets, including devices and data points. Ng also underscored the importance of user education, so employees could help their organisation avoid potential exposure and threats.
According to IBM’s recent study, data breaches cost Asean companies on average $2.64 million per incident, compared to the global figure of $4.24 million. For companies in Asean that had not undergone any digital transformation due to the COVID-19 pandemic, however, the cost of a breach was $430,000 higher than the average. Organisations in the region took 307 days to detect and contain a data breach, including 223 days just to detect an incident, the IBM report revealed.