SMEs: Small in Business, But Get Big on Cybersecurity
While many SMEs, the newer ones especially, have started undertaking regular digital risk assessments, many of the more established SMEs have to do some catching up
Cyber insecurity is no longer just a buzzword; it has become a reality for Small and Medium Enterprises (SMEs). When cyber attacks came to the fore as a recognised threat to businesses, the first port of call was to shore up the cyber defence systems of the large and more well-known businesses. But now the threat has permeated to the smaller players, as their importance in the economic value chain grows and they become a part of the digital economy. While many SMEs, the newer ones especially, have started undertaking regular digital risk assessments, many of the more established SMEs have to do some catching up.
One of the foremost challenges for many SMEs is the recognition that the IT and Systems department needs to be more evolved than just hardware repair. Given their budgetary constraints, this is understandable, but if they want to be part of larger supply chains or hire vendors themselves, these organisations are morally and economically responsible for securing their business through up-to-date cyber defence. Hackers work on the theory that SMEs do not spend seriously on shoring up their cybersecurity and that the techniques they used a year ago on large enterprises will work even today on smaller enterprises. More often than not, this theory holds good. While tools like antivirus or a basic firewall may offer a degree of security, SMEs do need to customise security controls and re-assess these on an ongoing basis. For example, what worked for an SME a year ago may no longer be even the minimum requirement given the scale of growth. In fact, many large companies are now insisting on equal cyber defence and data security norms from their vendors, a large portion of whom are in the SME segment. This will add a compliance pressure that has otherwise been missing in this sector.
As the digital landscape for these SMEs changes, so does the cyber insecurity landscape. A fake news link made to sound authentic enough is sufficient for malware to be installed on the user’s device to gather data and other important information. The flexible-economy nature of many of these SMEs, where one can work from home or a café, also creates new security risks, with many of their employees choosing to work on personal laptops or smartphones which do not offer the high-quality data encryption necessary for business transactions. Companies may also need to start insisting that employees report all devices they use to access work-related information and ensure that these devices are just as secure. Insider attacks continue to be one of the most significant cybersecurity threats, but ignorance and negligence among personnel are also a large area of cyber insecurity for SMEs. While most organisations and personnel are now engaged in double backing up of files, security code authentications and such, much work remains to be done, especially concerning regular updating of security protocols and reporting of possible and actual hacks. Ensuring that personnel understand what data encryption and secure transactions mean requires creating an organisational culture around cybersecurity.
Restricted access to processes and products is another area of concern for SMEs. Because many of these organisations work at family scale or with a very small number of employees, restricted access is not a protocol. However, this creates more vulnerability to zero-day attacks and the like. Most of these are not known until the business or product has been lost or an investigation has taken place. However, with the increased penetration of AI and machine learning, predictive cybersecurity is now an option, and SMEs need to shift from a mentality of responding to cyber attacks to one of preventing them.
Investing in cybersecurity also signals an attitudinal shift in recognising that while competition still exists, all businesses are still interconnected. As such, most cyber attacks go under-reported or unreported in India because businesses worry that knowledge of such an attack would give their competitors an edge and drive customers to their rivals. However, the competitor is just as vulnerable, and one way to achieve a competitive edge would be to prioritise cyber defence and instil customised plans. Cyber insurance is an emerging sector for increasing resilience among businesses and is one solid step in shoring up cyber defence. For an SME, an attack by ransomware may well spell the end of its business. However, as more and more SMEs are expanding their business horizons beyond Indian borders, data regulation measures like the EU’s General Data Protection Regulation make it logical for Indian SMEs to insure themselves against cyber attacks to prevent not just loss of business but also loss of reputation. It is a hard fact that the ratio of experienced personnel to the demand for cybersecurity experts is skewed; however, the fact that the SME has cyber insurance may actually work as an incentive for an expert to build its security controls, as some bit of the job has already been done. Many investors may also consider a boost in funding if provided with viable security control plans. While budgetary allocations in the growth cycles can be a matter of much debate, allocation to serious cybersecurity is no longer just an option for SMEs.