The Edge SME Forum 2017: Small companies not under the radar for cyberattacks

This article first appeared in Enterprise, The Edge Malaysia Weekly, on July 24, 2017 - July 30, 2017.

The devastation caused by the WannaCry ransomware attack in May will not be forgotten anytime soon. It resulted in billions of dollars in losses and serves as a cautionary tale that every networked device is a potential target of cyberattack.

As businesses gear up to embrace Industry 4.0, they should also be looking at protecting themselves, says Stanley Wong, regional head of financial lines at Chubb Asia Pacific Pte Ltd, who was addressing a 500-strong crowd at The Edge SME Forum 2017 in Kuala Lumpur recently.

Wong says a common misconception among small and medium enterprises (SMEs) is that their operations are too small to be noticed by predators and, hence, do not need cyber protection. “In my opinion, the only way you can avoid cyberthreats is if you don’t have a computer, don’t use a mobile phone, or don’t own a smart TV.”

The targets of cyberattacks are not only IT or large companies. “The statistics show that healthcare is one of the sectors most affected by cyberattacks because of the kind of data it has. Hospitals have all your details stored, including your credit card information,” says Wong. 

According to Chubb’s global claims data, compiled over the past 10 years, the cyberattacks on the healthcare industry made up 30% of the total claims filed as at October 2015. This was followed by professional services (14%), technology (11%), retail (9%) and financial institutions (7%). 

Evidently, the cyberattackers are ruthless when it comes to breaching private data, and no sector is safe, stresses Wong. “One of our clients was affected by the WannaCry ransomware and the attacker demanded US$300 worth of bitcoins. It may not seem like much, considering the kind of information you may lose if you do not make payment, but how many companies in Malaysia actually trade in bitcoin? How many even know anything about the cryptocurrency for that matter?” 

A study conducted by security products and solutions provider Symantec Corp found that last year’s cyberattacks involved a multimillion-dollar virtual bank heist, overt attempts to disrupt the US electoral process by state-sponsored groups and some of the biggest distributed-denial-of-service (DDoS) attacks on record, powered by a botnet of Internet of Things (IoT) devices.

According to the 2017 Internet Security Threat Report (ISTR), ransomware is one of the common threats plaguing businesses and consumers, with indiscriminate campaigns producing massive volumes of malicious email. “Attackers are demanding more and more from victims. The average ransom demand last year was US$1,077 compared with US$294 in 2015,” it says.

Referring to the 2016 ISTR report, Wong points out that the number of attacks on small companies with fewer than 250 employees rose from 18% in 2011 to a whopping 43% in 2015. Meanwhile, attacks on large enterprises with more than 2,500 employees decreased from 50% in 2011 to 35% in 2015. 

Wong says the US appears to be the most targeted country because its legislation requires that consumers be notified when such breaches take place. In other regions, cyberattacks sometimes go unreported.

This is where cyberinsurance is crucial, he says. The WannaCry ransomware attack, for example, hit over 200,000 computers and crippled government and private infrastructure in more than 150 countries. The losses are believed to be in the billions of dollars.

“At least big companies can afford to pay and have their own teams to keep tabs on breaches. The same cannot be said of small companies. If you have some form of software installed that offers protection, you need to make sure that it is continually updated so that your network systems are safe. What if one employee forgets to update it? You are the one exposed, not the software provider,” says Wong.

Cyberinsurance policies reimburse a company for immediate cleanup costs such as hiring a forensics firm and notifying customers, he adds. Some also cover legal fees and the cost of hiring a crisis management firm. In the event of a ransomware attack, the ransom is paid in full while investigations are underway.