The COVID-19 pandemic has disrupted business practices globally and ushered in a new norm of remote (or flexi) work as well as increased reliance on cloud storage and services. While this brings us tremendous convenience to stay connected and productive wherever we are, life after digital transformation is relatively novel for most people, and our cybersecurity acumen may not have kept up with the level of sophistication malicious hackers are developing to take advantage of our negligence.
Between privacy and health, people usually choose health, writes historian and best-selling author Yuval Noah Harari in the Financial Times. This is our self-defence mechanism responding to the false dichotomy, and it was at work in March 2020 when people fell prey to phishing emails that impersonated the World Health Organisation and contained malware.
Regardless of the recent COVID-19 situation, cyber attacks are rapidly evolving and are a crime that may happen at any time to millions of internet users. Approximately 14 cyber attacks a day were reported in Malaysia in 2018. The services industry is the most vulnerable, accounting for 73% of phishing attack cases. Unsurprisingly, most Internet users have fallen victim to a cyber attack, and half of them have never fully resolved the incident. It takes an average of 30 days and an average cost of MYR7,323 to come to a resolution. In a survey conducted by Cybersecurity Insiders, 60% of the respondents said the biggest fear they faced in association with cyber attacks was financial loss.
As a result, cyber attacks have been a growing concern due to their destructive financial consequences. Alarmingly, 83% of company owners view cyber attacks as one of the top 3 threats to businesses, but only 38% of them feel prepared for a sophisticated attack.
Why Should Companies Worry about Cyber Attacks?
1. Companies Have the Information Hackers Need
Larger companies have the resources to address cybersecurity issues; smaller companies often do not. In practice, business owners or their immediate family members handle many different roles within the small business. They may not have implemented proactive security measures due to budget constraints, poor governance, lack of security policies and controls, lack of employee awareness, and lack of information technology knowledge or the resources to hire that knowledge. As a result, many smaller businesses are at great risk of having their systems compromised.
Many company owners believe that, because they operate their businesses on a much smaller scale, they hold no information valuable to hackers. As a result, most company owners neglect to implement cybersecurity protection measures in their companies.
Yet the Information Security Breaches Survey found that 60% of small businesses had suffered a security breach. Hackers are exceptionally aware of this false sense of security and are increasingly exploiting smaller businesses’ lack of preparedness and security expertise. One certainty is notable: if a company has a website, it is vulnerable to hackers.
Some criminal hackers are motivated by cash and gather online banking credentials, customer and employee information and other statutory information. Even if smaller companies do not store financial information, such as customer payment details, the data they do hold, such as employee payroll details, proprietary data or client information, carries value to hackers.
2. Illusion that Antivirus Software Alone is Sufficient to Prevent Cyber Attack
Historically, security software such as paid antivirus software has been the go-to solution for business users wanting to protect their companies from cybercrime. Antivirus protection is still essential, as business owners need all the protection that antivirus software does offer.
Unfortunately, the protection provided by antivirus software alone is often significantly weak. Small business owners eventually realise that malware still infects their computers even when they use antivirus software. According to the Seqrite Annual Threat Report 2020, there was a 48% increase in malware in 2019, and business owners face an unprecedented risk in cyberspace today if no precaution is taken.
The software may stop many of the malicious attacks on the companies’ computers as long as all of their computers are kept up to date. However, the antivirus software gives a false sense of security and does not educate the business owners and their employees on how their actions influence the cyber attacks made against the business.
Antivirus software does not completely eliminate the insider threat of someone introducing a vulnerability or letting an attacker in. There is also the possibility of conflict between antivirus programmes if more than one is activated and used on one computer.
3. Usage of Personal Devices instead of Company and Corporate Devices
The primary reasons company owners let employees use their own devices for work are reduced cost, convenience and flexibility for employees. Allowing employees to use their own devices at work can, however, present assorted problems. Employees also take those same devices home and on their travels, which allows them to work from places other than the office.
Allowing employees to use their own device at work, or the lack of monitoring thereof, is the biggest cybersecurity risk faced by small business owners. Employees’ personal devices are unlikely to have implemented the same level of security as corporate devices, and they may be significantly easier for hackers to compromise. As such, business owners are obliged to educate and enhance information security awareness of their employees to reduce the risk of cyber attacks.
Companies that allow employees to use their own devices should also ensure they have a strict policy in place, while ensuring that employees understand good cybersecurity practices and the potential consequences for the company if such practices are not duly observed. Without incorporating the necessary steps to monitor the use of personal devices, smaller companies may face a higher cost in the future to tackle cyber attack-related issues within the company.
The Paramount Importance of Early Prevention
Understanding the value of prevention measures that minimise the risk of cyber attack is of utmost importance for a healthy operational business. Digital transformation in Malaysia is leaving companies vulnerable to sophisticated internet threats and attack campaigns conducted by organised cyber crime cells and hostile nation-states with a view to disrupting socio-economic activities and stealing critical, important and sensitive information. Data is valuable, and business is vulnerable.
Business owners should conduct a cyber security audit to assess vulnerabilities in their business processes and the relative risk of those vulnerabilities being exploited, which could cost a large percentage of sales revenue through cyber fraud. They should also implement prevention steps, such as enhancing the security of the company’s work email systems, to guard against cyber attacks. Business owners and employees should stay vigilant for suspicious cyber activity, for instance emails and links from unknown sources.
Today, antivirus software alone will never suffice as protection, as hackers are developing more sophisticated processes and methods for cyber fraud and cyber attacks. Along with antivirus software, developing a comprehensive standard business process and promoting cybersecurity education can assist business owners in reducing risks and vulnerabilities on both organisational and individual levels, thereby improving fraud detection and remediation.
Cyber Attack Stays Put
Cyber attacks are growing more quickly than any other crime and affect the world destructively, causing serious damage to political, economic and social sectors. The number of threats that cyber attacks unleash continues to increase exponentially, and smaller businesses run a risk of losing data, sales, productivity and assets. Any company can be a prime target, so it is vital to take all necessary steps to safeguard the integrity of business information, technologies and processes. As CNN Tech reports:
“The cold fact is that no single solution can prevent all cyberthreats. Sophisticated attacks on networks routinely bypass network security systems, no matter how rock-solid they are – or claim to be.” (CNN)
Only effective filtering tools, education of users regarding the threats and continued vigilance can prevent these attacks. In conclusion, knowledge of cyber attacks and early prevention could minimise the occurrence of such cases in a company and also increase business owners’ resistance to being scammed. By collaborating on standards and prevention, we can make a difference in the world.