By Shalini Upadhyay -Entrepreneur, Management Consulting, and Sreejith Alathur-Faculty, Indian Institute of Management Kozhikode
A continuous Tom & Jerry game is going on in cyberspace today, with hackers and cyber security specialists outpacing each other in sophistication and stealth while tapping into the latest features that technology has on offer. No sooner is a vulnerability spotted and fixed, yet another new one is exposed with another security breach, usually leaving attackers a step ahead in the race. With innumerable entry and end points available in the widened attack surface of digitally transformed platform-savvy businesses of today, organisations across the spectrum are struggling to improve their cyber resilience to counter these evolving threats.
However, one business actor missing in this frenzy is the MSME (Micro Small & Medium enterprise), which, ironically is the most vulnerable and the least prepared of all. Cybersecurity is broadly defined as the art of protecting networks, devices, and data from unauthorized access or criminal use, and the practice of ensuring confidentiality, integrity and availability of information (CISA 2021). Though cyber breaches in large organisations routinely grab media headlines, their smaller business counterparts’ face-off with cyber incidents often gets overlooked.
Small businesses and computers often become collateral damage of large-scale cyberattacks (Tam et al., 2021). A double-blinded study(CISCO 2021) of 3700 business/IT leaders of SMEs in Asia Pacific in 2021 indicated three-fourths (74%) of Indian businesses as having experienced a cyber incident in the past 12 months, with 62% of them confirming a disruption in their operations. While it’s true that all institutions stand to suffer financial blows, halted operations and reputation damage in the aftermath of a serious cyber incident; for a small business, any laxity in cyber security can be potentially lethal. A startling 84% of respondents from India acknowledge their fears that a major incident could spell the end of their organization. This puts us in a uniquely unenviable position as far as SMEs’ confidence in combating cyber risks is concerned.
The fears are well founded. As per the Global State of Cybersecurity report 2019, SMBs across the globe report that cyberattacks are becoming more targetted, more severe, and more sophisticated (Ponemon Institute, 2019). Cyber threats are infamously egalitarian and do not discriminate by organization size. Small businesses are lucrative soft targets for cyber criminals, as these companies are now using, producing and storing large troves of data, and they do so with immature defences(Chidukwani 2022). For small businesses, overarching revenue growth goals routinely crowd out time and capital investments into IT protection. Information security is often viewed as an overlay on top of other tasks and responsibilities(Saban et al., 2021). And even where due priority is accorded to cyber risk management, a gaping lack of resources needed to kick-start the process, thwarts the deal.
Small enterprises are less likely to have dedicated IT staff, let alone afford cyber security specialists. Security solutions are usually considered too expensive(Chidukwani 2022) and their technical features come across as overwhelmingly complex to be handled in-house. As a consequence, there is a tendency to rely heavily on external IT vendors that provide sub-optimal support without customized care(Benz 2020). Fear-driven, some business owners take up the reactive route. Instead of a unified threat solution, they continue to buy off-the-shelf security products in response to recent emerging threats, leaving may leakages unplugged and ineffective protection.
These human, financial, and technical resource constraints create a puzzling gap between the cyber security awareness of small business leaders and their commensurate commitment to address the risk. Alongside the well-known construct of the ‘digital divide”, academic literature now also acknowledges a ‘security divide’, what with lagging investments in cybersecurity solutions coupled with increasing cyber incidents at SMEs (Heidt et al., 2019).
Research indicates that there is likely a justification or threat rationalization going on in SME business leaders, downplaying their risk without giving it any serious consideration (Renaud 2016). A survey conducted on small businesses in the US and another one in Scotland (Renaud and Weir 2016) revealed that there is a tendency to underestimate cyber risk and not even implement a basic small subset of known precautions.
Optimism bias also plays a role in downplaying the risk as owners at times feel invincible either in ignorance or in overconfidence. Others seem to believe that they are too small a fry with no ‘valuable’ or ‘critical’ data to draw any attacker’s attention. With lax data privacy culture in India, this effect is likely to be stronger. This is at best, a misguided perception. Many small companies are suppliers to large partner organizations, and there is evidence that these attacks on small businesses serve as conduits for attackers to hack into the systems of large organisations, thereby compromising the entire value chain (Timms,2017; Saban et al., 2017; Sadok et al., 2020).
An appreciation of basic data privacy for customer data is disregarded so much so that many SMEs fail to comply even with basic regulations such as Level-4 PCI-DSS (Payment card industry data security standard). On the other hand, companies may naively rely on their external cloud provider’s security systems to relieve themselves of their responsibility (Kurpjuhn 2015). For many ‘born-in-the-cloud’ companies, cloud-based initiatives are great at keeping costs under control, and for the inter-connectedness of business operations. The pandemic has forced organisations of all sizes to jump onto the platform bandwagon with an average of 5 platforms being used at one company. This makes cloud vulnerability a strong risk to reckon with. Of all fraud incidents in India in 2022,57% were platform frauds as platforms become an integral part of the way business is conducted (Hindu 2023).
There is well-documented evidence of security issues surrounding certain popular cloud services, particularly consumer-focussed and personal cloud platforms, including established names like Dropbox and iCloud (Kurpjuhn 2015). One look at the CERT-in website which daily flashes new vulnerabilities spotted, is enough to dispel this myth of safe cloud service providers. There are other issues too-most cloud providers (except Google) do not support the provision of a full testing environment to its clients for testing security solutions. This leaves many probable leaks undetected. Despite these issues, we see an ostrich policy being followed by entrepreneurs as they conveniently resort to risk compensation by passing on the security responsibility to the cloud provider.
In any case, even a well-fortified system is prone to human error or employee misuse. It is reported that the two topmost culprits of cyber disruption in SMEs are known vulnerabilities like Phishing/Social engineering with pre-texting (70%), and malware attacks (85%), both of which (CISCO 2021) can be dramatically improved with basic hygienic security practices at the workplace such as employee awareness on not clicking malicious links in email or social media sites or re-using compromised passwords.
However, for micro/solo businesses, it’s a tall ask to have formalized policy structures around employee use of external cloud services, personal devices, and VPN access. To add to poor security posture, the use of pirated or unlicensed software, sub-standard firewalls, sluggish patching, and lack of adequate back-up are rampant practices in these companies.
Ultimately, the aftermath of a cyber incident is irreparable at times- direct revenue loss to downtime or increasingly to ransom, loss of business-critical data, blacklisting by partners, tarnished reputation in the market, slapped legal penalties, victim compensation, stolen credentials, and the last blow- eroded customer trust. Lack of remediation and incident management skills results in repeat attacks and bigger blows.
Even those small businesses that do care about security and those that start implementing safety measures initially, become complacent over time showing their inconsistent commitment to security. After all, as with all risk, there is no immediate visible benefit or testable feedback available for all the effort and expense that goes into protecting oneself. As they generally tend to be more difficult to reach or respond to, academic literature and industry research are limited in the area of cyber risk for small companies. Despite the plethora of security solutions and a deluge of freely available advice on the internet, the sector remains under-served, the cyber threat remains under-appreciated and companies remain under-prepared.
Clearly, there’s work to be done. Security solution providers need to relook at product design simpler and DIY features that do not require high-end IT skills. Regulation needs to shape up with robust comprehensive cybersecurity laws. SMEs today have little incentive to report cyber incidents for various reasons including embarrassment and lack of faith in legal remediation systems. Cyber insurance needs a strong push to cover exposure.
Academic research needs to move fast to come up with actionable insights for small companies. To address skill shortages, educational institutions need to come up with updated and industry-relevant curricula on information security. Our SME community will have to be sensitised to dual aspects of the digitisation equation with security getting as much credit as efficiency. Advocating awareness, basic security training, and understanding incident response will go a long way to promote cyber-safe practices.
Government institutions and private industry bodies are already at it. CERT-in (Computer Emergency Response Team-India) under the Ministry of Electronics and IT is the nodal body set-up to strengthen the cybersecurity-related defense of the Indian internet domain, routinely issuing incident and vulnerability reports, among other initiatives. Nasscom-backed Data Security Council of India (DSCI) has come up with an Assessment Framework, Security Framework and Privacy Framework for SMEs and provides accreditation for professionals. (Placeholder1)It also conducts workshops on best practices, standards and related initiatives It organizes annual Best practices meets, specialist hackathons and issues monthly threat advisories. A cybersecurity e-book for SMEs was jointly released by the Institute of Electronics and Telecommunications and NGO CyberPeace.
For our juggernaut of 11 crore MSMEs, this is indeed the best of times as government has set an ambitious goal of taking the contribution of MSMEs to GDP to as high as 50% by 2025 (against ~30% currently) as India becomes a $5-trillion economy. Weak cybersecurity defences can dampen this growth promise and MSMEs can ill-afford to miss the bus this time. Perhaps, it’s also the time to change the narrative and reposition cybersecurity as a business benefit, not a fear-appeal, but a growth opportunity that attracts customers and business partners alike. Security is not a choice anymore, it’s a business imperative implying trust (Lloyd 2020). Size doesn’t matter when it comes to building a cyber-ready company; neither too small to be attacked nor too small to be defended.
