Article from DLLC January 2023 Newsletter

Introduction

According to a Cyber Security Agency (CSA) report in 2021, the number of ransomware and phishing cases in Singapore increased by 54% in 2021 and affected mostly Small and Medium Enterprises (SMEs) from sectors such as Manufacturing and IT.

Why did it affect mostly Small and Medium Enterprises?

  • SMEs did not know how to better protect themselves in the digital domain.
  • The general attitude of the SME was “it was not my problem and it is not going to affect my company”.
  • Many SMEs cited that it added extra costs to the bottom line and there was generally not enough manpower to carry out cybersecurity management.
  • SMEs did not have proper cybersecurity solutions and did not know how to deal with the problem.
  • SMEs did not know whom to turn to and many SMEs were unaware of the various cybersecurity threats that existed.
  • When the threat arose or had occurred, even more companies did not know how to respond to it. They did not have an incident response plan and had not trained their staff on how to deal with data breaches.
  • It seems many SMEs, at least the smaller ones, are really not operationally ready to fight a cybersecurity threat or breach.
  • SME owners are all aware that there is a risk but are not able to assess how big a risk it really is.

Shifting of Mindset

It is time for SME leaders to shift their mindset from cybersecurity being a risk to one of resilience. Therefore, managers must go with the mindset of “it’s not if, but when” in relation to cybersecurity incidents.

Urgency Needed

SMEs must urgently and constantly identify risks and implement the appropriate mitigating controls as the key component of overall digital cybersecurity management.

What if SMEs are unable to implement the necessary controls or fail to take steps?

The real question is: what is your plan for readiness when faced with a risk due to not having any mitigating controls, inadequate mitigating controls or blind spots?

It simply means that SMEs must accept that cybersecurity breaches are a question of “when” and that there will always be a degree of uncertainty when managing security. Therefore, SMEs and their leaders have to be resilient, meaning they must ask “How Ready Are We?”

How do you create a cybersecurity policy to protect your business and plan how you would respond if an incident occurred?

A Cybersecurity Policy (kept with all your HR Policies) sets out:

a. The personal data or information assets and technology in your company that you need to protect;

b. The possible and potential threats to the personal data and your assets;

c. Rules, practices, controls and procedures for protecting your information assets and business.

These rules are important because they help SMEs and their employees understand:

a. What information can be shared and with whom;

b. Acceptable use of devices and online materials;

c. Handling and saving sensitive materials;

d. Being aware of threats and how to identify those threats;

When developing your cybersecurity policy, consider the following steps in addition to protecting your company’s personal data:

Step #1  Set Password Requirements

Your cybersecurity policy should explain:

a. The need for strong passwords and how to create them;

b. How to store your passwords for your company correctly;

c. How often to update your passwords;

d. The need for different unique passwords for different logins;

e. How to keep your corporate Singpass safe at all times;

Step #2  Have Guidelines on Email Security Measures

a. When to share your work email address;

b. Opening email attachments only from trusted sources;

c. Having software to block junk, spam and scam emails;

d. When to delete suspicious content and report it to the appropriate authorities;

Step #3  How to Handle Sensitive Data

a. Having clear Personal Data policies on when to share sensitive data;

b. How to store the personal data of employees, third parties and concerned persons;

c. Proper methods of destroying sensitive data beyond just deleting from devices;

Step #4  Rules on Use of Work Devices

  • When and where should employees access their work devices away from the office;
  • When and how to report a theft or loss of work device;
  • What steps to take to block access when an office device is lost or stolen;
  • The need to lock screens when computers and devices are left unattended;
  • Restrictions on use of removable devices to prevent malware or trojans being installed;
  • Need to scan all removable devices for viruses before connecting;

Step #5  Rules for Social Media and Internet Access

a. Each company may have different practices and opinions on what is fair;

b. What is appropriate business information to share on social media channels;

c. Guidelines on appropriate social media channels to access during work hours;

Step #6  Preparing for an Incident

In the event of a cybersecurity breach, having a plan to respond and minimise damage is critical. SMEs must know:

a. How to respond to a cyber security incident;

b. What steps to take;

c. The roles key management and staff should play in dealing with a cyber attack;

d. How to prepare a cyber security incident response plan and contain the breach;

e. How to take preventive steps to check if your company’s devices have been compromised;

Step #7  Keep your Cybersecurity Policy Up-To-Date

Without doubt, SMEs must constantly review their policy and make a conscious effort to train all employees on existing and updated policies so that incidents can be limited.

In the event of a cyber attack, at least the above 7 steps in your policy would limit the damage to your company. SMEs would be able to minimise damage to their information data and assets if they had trained staff to deal with an attack with a properly written and executed Incident Response Plan.

Concluding Comments

With the increased threat of ransomware and phishing affecting SMEs, it is critical that SMEs change their mindset: cyber attacks are not a question of if but when. There must be an attitude of “resilience” so that proper steps can be taken to protect against cyber attacks.