As enterprises of all shapes and sizes grow more dependent on digital technologies, cybersecurity threats have increased exponentially. The pandemic took the world by storm and forced most companies to take their businesses online, further increasing their exposure to threats.

Small and medium enterprises (SMEs) are just as susceptible to cybersecurity threats and incidents as their more sizeable counterparts.

Hence, SMEs need to understand the importance of cybersecurity and learn more about the best cybersecurity practices to safeguard their business operations and data from malicious attacks.

The need for cybersecurity practices for SMEs in Southeast Asia

While SMEs may come across as an unlikely target, they account for a significant fraction of reported cybersecurity incidents. In 2020, during the first Movement Control Order (MCO), Malaysian SMEs experienced 838 cybersecurity attacks in less than one month. Similarly, in 2022, Singaporean SMEs reported over 130 cases of ransomware. These statistics brought a sense of urgency for SMEs to protect their valuable and sensitive data from breaches. However, companies in the SME sector face a variety of challenges that often hold them back from prioritising their cybersecurity tech stack.

First and foremost, SMEs have limited resources, which leaves little room for investments in new technology, personnel and upskilling programmes. Businesses often prioritise the bottom line to survive, which means that they funnel their investments into operations and other departments that contribute to their sales. This makes it difficult for SMEs to consider updating their technology, even to protect their sensitive data. On top of that, adopting new systems would necessitate new hires with better expertise in dealing with the new technology. Updating their tech stack with the right personnel to develop their cybersecurity system would be the best way forward. However, bridging this gap will stretch their limited resources further.

Next, leaders and management in SMEs often lack the buy-in to implement secure and comprehensive cybersecurity solutions. Because of the common misconception about cybersecurity risks in SMEs, many, including those in management, do not believe that the data they collect is sensitive. This preconceived notion reduces their sense of urgency to consider or implement any defence against cyberattacks. Additionally, some decision-makers are unable to see the financial implications of investing in cybersecurity for SMEs, noting a lack of information on its return on investment (ROI). Given the added disruption to day-to-day business operations, it can be a challenge to convince some leaders in the enterprise to implement these solutions.

Finally, another factor that significantly affects an enterprise’s cybersecurity is the lack of personnel training and awareness. One of the biggest cybersecurity challenges for SMEs came during the pandemic lockdown, as the number of staff members working from home grew overnight. Many of them were not equipped with the right tools to ensure proper encryption of sensitive information during remote work. This introduced multiple vulnerabilities at once for SMEs, which may have caused the spike in cybersecurity incident reports. Furthermore, with a general lack of awareness of the importance of internet safety and cybersecurity, staff members are also prone to human error, which accounts for about 85 per cent of all data breaches.

Best cybersecurity practices for SMEs

In order to alleviate the issue of cybersecurity attacks, the following are several best cybersecurity practices for SMEs to improve their defence against future threats.

  1. Securing sensitive data and customer information

The first and most crucial step in revamping cybersecurity for SMEs is to secure the organisation’s sensitive information. Companies that deal with personal information should prioritise implementing airtight data privacy measures – including but not limited to data encryption, access controls, and data minimisation – to minimise any chances of data breaches and boost the protection of sensitive data. 

Other than that, every organisation should develop a guideline of best practices and relevant security procedures for the handling of sensitive information that aligns with specifications stated by experts and authoritative bodies. In Malaysia, for instance, CyberSecurity Malaysia issued the “Information Security Guidelines for Small and Medium Enterprises” to guide Malaysian SMEs in their implementation of information security practices.

Then, to ensure that the enterprise is secure, SMEs are advised to conduct regular security audits and assessments throughout the year. This practice is highly recommended, with help from external cybersecurity experts, so that companies can identify any potential vulnerabilities and verify that all possible blind spots are covered. As technology continues to develop over time, it is not uncommon to find new weaknesses that leave a system susceptible to new forms of attack. With regular checkups and audits, SMEs will be able to avoid any unwanted surprises.

  2. Employee training for cybersecurity awareness

Reducing cybersecurity risks requires awareness and skill. Hence, SMEs need to dedicate time and resources to appropriate employee training through upskilling programmes and awareness campaigns. All employees need to be armed with the right knowledge and understanding to protect themselves and the company from simple, generic threats without having to depend on a single key person.

One common cyber attack trend that needs to be addressed in employee training is phishing. This tactic involves attempts to steal information by tricking users into sharing it via fraudulent emails, text messages, phone calls, and even websites. While attackers' attempts cannot be stopped or controlled, these cybersecurity threats can be prevented by spreading awareness, so that users and employees do not engage with anything suspicious.

Other than that, SME employees should also be trained on other basic and procedural security steps like how to set strong passwords, how to handle sensitive data, and common best cybersecurity practices for data protection when working remotely. These small and trivial steps make up the foundational knowledge to protect any organisation.

  3. Implementing robust cybersecurity measures and protocols

Currently, there are plenty of cybersecurity measures and solutions available on the market. To simplify the journey of digitalisation, always remember to start small and prioritise what is most important for your company first. Assess what software and solutions are recommended for your tech stack, and develop a schedule to roll out these solutions to avoid any further complications for your small team.

If you are unsure of where to start in your cybersecurity plan, government bodies and other experts often provide some insights and resources to help SMEs take the first step. For example, Singapore’s Cybersecurity Agency (CSA) released a certification scheme called the Cyber Essentials mark that can be used as a benchmark for the bare essentials of a secure and protected system. The Cyber Essentials mark outlines not just software protection recommendations, but also other essential measures including asset preparedness and maintenance and backup routines that every enterprise should consider implementing.

Source: Gobusiness.gov.sg

  4. Accessing resources and support for SME cybersecurity in the region

Other than providing insights on cybersecurity, a lot of the same government bodies also offer resources and financial support to encourage the best cybersecurity practices in the country. In the Southeast Asian region, where different governments are similarly pushing for better cybersecurity for SMEs, resources and support have grown more accessible. 

In Singapore, the main government body associated with cybersecurity is the CSA. To promote the adoption of cybersecurity measures and protocols, the CSA offers support through grants, services, consultations and certifications – including the aforementioned Cyber Essentials mark. These efforts contribute to the end goal of developing a customised cybersecurity health plan that works for each company. 

Meanwhile, in Malaysia, CyberSecurity Malaysia (CSM) has often worked with Malaysia’s Digital Economy Corporation (MDEC), SME Corp Malaysia, and the National Cyber Security Agency (NACSA) to provide appropriate support. This includes development programmes (such as the MATRIX collaboration programme), awareness programmes, funding, and information on recent trends in cybersecurity incidents.

  5. Staying informed about the latest cybersecurity trends and regulations

Cyber threats, much like other technological developments, are evolving rapidly. Novel attack techniques keep emerging, and in due time they threaten even state-of-the-art systems. Hence, SMEs need to keep up with updated guidelines and new developments from both government bodies and the community.

Apart from receiving consultation and advice from experts in the field, SMEs should also dedicate their time to participate in information-sharing initiatives to enable knowledge transfers and information exchanges within the community. From emerging threats to new trends in cybersecurity attacks and effective best practices, it can be beneficial to receive information from the primary source. 

  6. Preparing for and responding to potential cyber threats

With systems and assets in place, SMEs must prepare a strategy to face any cybersecurity incidents. This is so that no time is wasted should any cyber attack occur and that any actions can be carried out swiftly. The response should include security measures and controls, a comprehensive incident response procedure as well as reliable recovery mechanisms.

On top of the initial response to any potential cyber threats, every company should also prepare a systematic data backup and recovery plan. This should include a routine procedure for backing up data to secure locations to prevent any data loss during a crisis. Finally, to ensure that the backup data is viable and available for recovery, conduct a regular run-through of the recovery plan to verify all system functionality.


Cybersecurity should not be taken lightly by any organisation that deals with personal and sensitive data. Despite their limited resources, insufficient buy-in from management and a lack of understanding and awareness of the risks of cybersecurity attacks on SMEs, these enterprises have the potential to increase their protection against further attacks courtesy of help from various organisations. With these best cybersecurity practices outlined for SMEs, companies in the sector can focus on their growth and operational improvements while developing trust with their stakeholders to achieve more milestones in the near future.
