Data protection for SMEs: is it necessary to focus on it in the times of COVID-19?

Recently, most newspapers covered how fake PM CARES UPI IDs are being used to try to divert funds meant for COVID support. Others reported a spike in COVID-related updates and messages laced with malicious links.

Internationally a spike in email-based cyberattacks was noted between February and March 2020. A number of these appeared to be related to Covid-19 information, but were later found to be either phishing emails or those containing malware/ransomware.

India seems to be in the same boat, with a rise in emails related to Covid-19. Most of these contain attachments on updates, charity, research, etc. With a State-imposed complete lockdown and employees working from home, keeping track of the security aspect is becoming challenging. This is even more so for SMEs, which have focussed primarily on their business and customers, keeping data protection on the sidelines or as an item to be addressed later.

Cyber crime has fast turned into one of the fastest growing forms of criminal activity. If that was not worrying enough, Accenture predicts that data breaches are set to cost businesses USD 5.2 trillion worldwide, and this may only increase with the COVID-related spread being witnessed. According to a 2019 study by Accenture, 43% of cyberattacks worldwide are aimed at SMEs, and given the number of small and medium businesses in India (6 crore SMEs that account for 30% of the GDP as per recent CII statistics), the threat can’t be ignored.

This segment is equally or more under threat from data breaches. It’s not as though there’s something inherently attractive about SMEs to cyber criminals; rather, it is the ease of breaking in that results in SMEs getting hit the most.

Data breaches can be costly. While it is safe to assume that any conscious enterprise would generally have the structure, resources and expertise to secure data and/or initiate recovery, that may not be true for most smaller businesses. The preparedness here is conspicuous by its absence, and the spread is increasing. According to the information tracked by the Computer Emergency Response Team – India, over 3.94 lakh cyber security incidents were reported in 2019.

The Curious Case of Data Breaches:

Several SMEs feel that their information might not be useful to cyber criminals and hence that they don’t need to be prepared, but that’s not true. Businesses, even though they are small in size, possess large volumes of personal and client data that can be used to commit fraud.

For years now, these businesses have held data about customers, clients, vendors and prospects. As technologies like the Internet of Things and Artificial Intelligence continue to develop, companies have begun capturing and analysing more data. The problem is aptly summed up by Andrey Dankevich, Solution Business Lead, Kaspersky, who says:

“Smaller companies are often focused on how to make their business work and grow — just like they should be. They may not have cybersecurity among their top priorities, however, the cost for overlooking the problem will only grow. Why? Because malware doesn’t distinguish between its victims and because even very small organizations have something to lose, such as sensitive data.”

Kaspersky conducted a survey in 2019 and uncovered that over a third of small businesses witnessed data breaches that year. The survey said that while the data breaches threaten small companies with painful consequences, the security measures taken by them to prevent such incidents are often insufficient.

It’s not that cyber criminals use any special techniques to attack SMEs. Some of the most common methods include phishing attacks, ransomware, brute-force password attacks, etc. Besides, there are always those insiders with access to data who can wreak havoc.

Currently, there is low awareness amongst SMEs regarding cybersecurity, since they feel it is a costly proposition and that they have not yet arrived at the stage where this form of security becomes a necessity. What they fail to understand is that the cost is preventive in nature and is intended to save them from the higher salvage cost of a data breach.

Preventing data breaches:

To begin with, it is important to develop a basic data security plan that not only safeguards data but also includes a strategy to handle the situation in case of a breach. One may argue that events like COVID would always fall under the extreme category for which no organisation can prepare in advance. However, small steps like reviewing the basics and putting in place small checks go a long way. In addition, the following may also help:

• Secure wireless networks:
Cyber criminals often plant ransomware and other malware on organisations’ systems if the wireless networks are unsecured. To prevent this, one should use only WPA2, which uses AES-based encryption and provides better security than WPA. The strength of the network can be tested using wireless network penetration tests.

• Software updates:
Regular updates help mitigate the risks. One should not ignore the update notifications.

• Control access:
Access should only be granted on a need-to-know basis. A policy around this is a must.

• Data backups:
Often hyped but still essential. Take regular backups, with multiple geographically distributed copies wherever possible.

• Staff training:
Human error is one of the leading causes of data breaches; hence, it is essential to train staff members to recognise potential threats and get them into the habit of exercising good data protection practices.

• Strong data security policies:
A small business needs to reflect upon its own policies to see whether data security is ingrained in its work culture. Without a security policy, most businesses end up vulnerable to attacks, and most of them fail to contain breaches due to non-existent post-breach policies. Establish a data storage policy that becomes the rule book to be followed by all employees.

The bottom line:

For many of us, these may not sound like business-related capabilities that can be found in-house, and considering the steep cost, hiring an expert may not make business sense. However, SMEs can choose to rely on a shared service provider which addresses mitigation of risk at reasonable cost and quality.

In an era where data is money and cyber crime is a real threat, small businesses need to understand that the cost of data breaches is higher than the cost of implementing security systems. Cyber attacks usually have a catastrophic effect on small businesses operating on a lean infrastructure. It’s important to put some time and effort into ensuring the safety of data. Now, with the introduction of The Personal Data Protection Bill, 2019, the Government is on its way to making data protection mandatory; hence, the sooner businesses evolve, the better.

Nirav Maniar is a Fellow Chartered Accountant and a certified registered valuer registered with The Insolvency and Bankruptcy Board of India, having more than 20 years of work experience. An alumnus of Deloitte Haskins & Sells (a member firm of Deloitte Touche Tohmatsu), he has been engaged in setting up new practices and finding new business areas, setting them up and making them profitable.

“Nirav is a tech enthusiast; he co-founded Promaynov Advisory Services Pvt Ltd in 2013 with an intent to work in the areas of people and technology.

He brings in his experience of starting new businesses with the innovative mix of his knowledge on accounting, tax, legal and technology, which has proved valuable for companies of all sizes.”
