2019 was a watershed year. Liverpool won the Champions League, after arguably pulling off the most stunning comeback in sporting history. Hit TV series Game of Thrones came to an end after enthralling audiences for the best part of 8 years. A picture of a single egg became the most liked image on Instagram ever. And cybercrime, once again, left its mark on the world.
A report by consulting firm Accenture revealed that cybercrime could jeopardize US$5.2 trillion in global value over the next 5 years. Closer to home, our own research has shown that the average cyberattack cost an APJC-based business US$500,000. For businesses and consumers alike, there is no escaping the vice-like grip of a cyberattack.
So what if we were to throw back to some of the cybersecurity incidents that rocked Asia Pacific last year? What can SMBs learn to better plan their security measures for the year ahead?
1) Large Automobile Manufacturer Suffers Advanced Persistent Threat (APT) Attack
A large automobile manufacturer revealed that they had detected unauthorised access on servers and IT systems belonging to their subsidiaries, affecting phone and email services. The organization’s headquarters was subsequently breached and the personal information of 3.1 million customers was leaked online, including names, addresses and occupations.
How did the hackers get in? Initial analysis of the earliest incident revealed that the breach was the result of an APT attack by a Southeast Asian group – essentially, perpetrators entering the system via common tactics such as phishing, and then waiting for the opportune moment to launch a ‘stealth operation’. In this particular instance, that meant using the initial breach to gain access to HQ.
This incident demonstrates that an organization, no matter its size, employee headcount or revenue, is only as strong as its weakest link. This same principle applies to SMBs as well. Be it a 3-man startup with international ambitions or a family business acting as a supplier to larger firms, no one is insulated from cyber threats. Organizations should note that cybersecurity isn’t so much about individual defensive strength as it is about the collective ecosystem. Everyone needs to be committed – because ultimately, their robustness is your robustness, and vice versa.
This attack also casts a spotlight on intellectual property. Note that no financial details or assets were reported stolen or missing during this episode. So the perpetrators were likely looking for something else – for example, an insider glimpse at R&D efforts. Young, innovative businesses may therefore wish to decouple valuable IP and critical data from the rest of the network.
2) Popular Messaging Service a Conduit to Install Spyware on Phones
A popular instant messaging service revealed that a vulnerability allowed hackers to inject commercial spyware on phones. The perpetrators used a number of ploys to attack their targets – including using text messages containing download links.
This scenario will be one that is all too familiar to many of us – hands up if you’ve received a spam message advertising online gambling services or emails from people who claim to be royalty and wish to bequeath their fortune to you in exchange for a processing fee!
Spam has withstood the test of time, and is one of the oldest, yet simplest ways that unsuspecting people get duped out of thousands of dollars, or unwittingly infect their devices with malicious viruses. Indeed, Talos revealed that 85 percent of all emails sent in November 2019 were spam.
Spam, in the form of suspicious emails, has also crossed over into the realm of business. Ransomware is one of the most common cybersecurity concerns that SMBs face, according to Cisco research – and to top it off, SMBs will typically pay up in order to avoid downtime and disruption to their operations. Our CISO Benchmark report revealed that 42 percent of our respondents have had to deal with a cybersecurity incident that was a result of an employee opening a suspicious email.
The lesson here is education, education, education. SMBs should invest in ensuring that all their employees are trained in the basics of cyber hygiene – for example, how to identify a suspicious link or the importance of updating systems when new security patches are made available. In this day and age, no employee can afford to be cybersecurity-inept.
3) Large Cosmetics Retailer Suffers Data Breach
The third and final breach that SMBs can learn from last year is one where the personal details of about 3.7 million of a large cosmetics retailer’s customers across Asia Pacific were leaked online. No financial information was compromised, but other personal details – including login information, encrypted passwords, names, ethnicities, visual characteristics and so forth – were all found to have been breached, giving cybercriminals the tools to carry out social engineering or targeted phishing attacks. No vulnerability was found during the investigation – and it was suspected that the breach could have been the result of an insider threat.
For SMBs, consider who and how many people should have authorization to access sensitive data. Training should be provided to these employees, so that they are aware of how to handle this information, and more importantly, the consequences for misuse.
Perhaps more important to note is how the cosmetics retailer reacted to the situation. They were able to identify and qualify the breach, confirm the information that was and wasn’t compromised, and quickly offer the public a roadmap for how the business was going to respond to the incident and improve its defences.
In today’s increasingly complex digital environment, it’s important that SMBs don’t consider cyberattacks as an ‘if’ but a ‘when’. The cosmetics retailer’s response clearly showed that the business was prepared for that inevitability, with a remediation plan that ensured its reputation didn’t take too big a hit and that it remains one of the world’s foremost beauty and skincare retailers today.
Cybersecurity cannot be a bolt-on to a digital strategy – it forms an integral part of how a business grows, large or small. So it needs to be treated not as a tick-box exercise in the hope that you’ve done enough to fly under the cybercriminal radar, but as a threat in waiting whose impact, with the correct planning and anticipation, can be minimized if not fully mitigated.
Don’t know where you stand on the scale?
Assess yourself using our SMB security checklist.