ALERT: Stay vigilant and exercise caution against online scams. Never share confidential information, passwords, OTPs and bank details over calls, emails or SMSes.

Today we continue with Part 2 of our 3-part blog series on cloud security, in collaboration with our cybersecurity partner Blackpanda for MyRepublic Ignite.

5 Challenges SMEs face with their Cloud Security

Cloud security is one of the most important issues to consider when moving to the cloud. Despite the many benefits of cloud computing, security concerns remain a top inhibitor of adoption.

In addition to traditional cyber security threats, COVID-19 has introduced some fresh problems over the past few years. For many SMEs, 2022 has been a particularly disruptive year due to the widespread adoption of permanent hybrid and remote work arrangements, as well as rapid infrastructure development.

Microsoft Singapore reports in its joint ‘2020 SME Digital Transformation Study’ with the Association of Small & Medium Enterprises (ASME) that even though 83% of Singapore’s SMEs had digital transformation strategies in place, more than half (54%) said that COVID-19 delays had an impact on their digitalization efforts. Additionally, just 2 in 5 SMEs believe their efforts to implement digital transformation have been successful, despite the greater adoption rate.

In another study released by Microsoft and IDC Asia Pacific, it was found that 73% of Singapore organisations, both mid-sized and large-sized, have sped up their digitalisation in reaction to the pandemic. In contrast, the ASME-Microsoft study discovered that only 30% of SMEs claimed that COVID-19 forced them to digitalise, with the majority citing delays in their plans. Additionally, more than 80% of SMEs said that COVID-19’s global border control restrictions have caused them to postpone their plans for internationalisation (overseas expansion).

Figure 1 Source: 2020 SME Digital Transformation Study by Microsoft Singapore and the Association of Small & Medium Enterprises (ASME)

The study found that most participants were unaware of government programmes and initiatives that are accessible to SMEs, including the Productivity Solutions Grant and the Start Digital Pack. Nevertheless, it was discovered that more than 3 in 5 SMEs would be eager to make use of these subsidies and schemes to assist digital transformation in the upcoming year, despite the low levels of knowledge of such initiatives. Larger enterprises also frequently benefit from current government assistance, with medium and medium-large corporations reporting that they are more likely to find government assistance valuable (60% and 73% respectively).

Here are the top five cloud security issues that SMEs have had to deal with in 2022 as we draw to a close.

1. Inadequate staff training and awareness

Staff members are frequently a small business’ greatest asset, but they may also be its weakest defence. This is hardly surprising considering the difficulties SMEs have had in implementing efficient security training. According to Blackpanda’s November 2022 report on Digital Forensics and Incident Response (DFIR) statistics, less than 30% of SMEs indicate that they offer data safety and best practices training, proving that promoting security training and awareness continues to be difficult for SMEs.

Since most successful attacks use social engineering, the transition to remote working has further underlined the urgent need for SMEs to train personnel in secure home-working practices. In 2023 and
beyond, SMEs are anticipated to continue to fall short in terms of giving staff members access to sufficient security training materials.

Figure 2 Source: 2020 SME Digital Transformation Study by Microsoft Singapore and the Association of Small & Medium Enterprises (ASME)

2. Rise in sophisticated ransomware attacks

This year, the encryption-based software known as ransomware continued to terrorise businesses, and attacks are expected to rise even further. Smaller firms are also more likely than larger firms to pay ransoms to have their data decrypted because they often do not back up their data. However, Ransomware 2.0, as this new wave of attacks has been dubbed, has rendered the backup of data useless because it not only encrypts the data but also threatens to make it public if the ransom is not paid.

Blackpanda’s report also indicates that ransomware continues to be a particular problem for smaller businesses compared to their larger counterparts, with 60% of assaults occurring against organisations with fewer than 100 employees.

Although it’s unclear whether the prevalence of Ransomware 2.0 attacks will change the willingness
of companies to pay, protecting against this kind of attack should be a top priority for all SMEs.

3. Lack of dedicated resources

While COVID-19 has tightened spending for many companies, a Kaspersky analysis shows that since 2021, the average SME’s IT budget has seen a small 3% growth in security spending. Blackpanda has witnessed this, with organisations increasingly willing to invest more to enhance their security level by purchasing firewalls, endpoint detection and response (EDR) solutions, email gateways, and so on.

However, the rising demand for cybersecurity professionals, who are in short supply and are commanding commensurate salaries, may mean that this is insufficient. Many SMEs simply lack the funds necessary to recruit personnel for specific cybersecurity jobs. In Blackpanda’s experience, less than 5% of SMEs have a full-time cybersecurity employee. Smaller companies are still at a disadvantage as a result, making them easy prey for cybercriminals who are well aware of the issues SMEs frequently encounter.

“When the pandemic struck, many SMEs in Singapore struggled to stay afloat as their businesses took a hit. Survival became a priority for these smaller companies as they grappled with rising costs and falling revenue, and naturally, digital transformation may have taken a backseat. When providing support to businesses impacted by COVID-19, it is important to consider the unique challenges faced by SMEs in order to identify areas where the government, corporates, or industry associations can support them in digitally transforming during this time.”

– Mr Vivek Chatrath
Small, Medium and Corporate Lead
Microsoft Singapore

4. Device administration shortcomings

Bring your own device (BYOD) is becoming more popular, and in some situations, remote workers are being compelled to switch to personal devices, which has made device administration a complete mess. A lot of SMEs have chosen cloud-based endpoint management solutions to fill the gap; nevertheless, endpoint management systems have inherent limits when remotely managing devices with different
operating systems.

The protection provided by their corporate network to office-based personnel has also been taken away by remote working, leaving them dependent on the fundamental security measures of their home office network. Many employees won’t have access to the sophisticated firewall and web proxy tools, leaving them more vulnerable to outside threats while using their devices in an office setting. We are likely to observe that many SMEs have not yet implemented a successful remote administration plan as 2023 approaches.

Figure 3 Awareness and adoption of digital transformation has increased significantly among SMEs [Source: 2020 SME Digital Transformation Study by Microsoft Singapore and the Association of Small & Medium Enterprises (ASME)]

5. Absent information management framework

The implementation of GDPR in 2021 ushered in a period of increased data awareness. However, GDPR implementation has been challenging, particularly for small and medium sized businesses. The ISO 27001 standard for information management and security, which is often regarded as the gold standard, is still out of reach for many smaller firms.

SMEs are confronted with significant challenges when implementing an information management strategy, including trying to identify information assets efficiently and keeping track of personnel access levels. Alternative programmes, such as the IASME Governance programme in the UK, have been developed to aid SMEs in improving their information management processes. Despite this, as we approach 2023, many SMEs will still face difficulties with information management and security.

“It is encouraging to see that majority of Singapore SMEs are aware of digital transformation and have adopted some form of digital technology since 2018. However, digital transformation calls for more than just updating technology or adopting a new platform – it is never about tech for tech’s sake. Success and value derived from digital transformation can only be achieved if these strategies are clearly aligned with SMEs’ business objectives. Factors such as workforce skills also play a pivotal role in ensuring the success of digital initiatives in any firm, hence the need for SMEs to build competencies in areas such as data analytics. As data from the study suggests, more guidance can be offered to SMEs to help them strategise, upskill and properly leverage government grants to harness the full suite of benefits from digital transformation.”

– Ms Irene Boey
Vice President
Membership & Training, ASME.

SMEs may be experiencing some unprecedented challenges as they take on digital transformation projects and new resourcing models. But the good news is that their awareness is trending up. Collectively, we can foster partnerships, share information and become a more cyber-resilient business community.

Come back to this space for the last feature in our 3-part blog series, in which we discuss cloud incident response strategy. Meanwhile, head on over to our white paper “Building a successful Cloud Security Strategy” for a deep dive into cloud security.