Lack of awareness on cybersecurity
Calyn Yap 
SMEs are aware of cyberattacks to a certain level, but need guidance on how to protect themselves, says Wan Murdani

ALTHOUGH cybersecurity is a crucial concern to the continued operations of any business organisation, there is still a lack of awareness among SMEs of cyberthreats’ impact.

According to the third annual State of Cyber Security 2017 study by Isaca (previously known as the Information Systems Audit and Control Association), four in five industry players believe that their enterprises will experience a cyberattack this year. In addition, 53% of enterprises experienced more attacks this year compared to last year.

Malaysia Digital Economy Corporation (MDEC) enabling ecosystem director Wan Murdani Wan Mohamad believes that the number of cyberattacks could actually be higher than the more than 10,000 incidents reported by Cybersecurity Malaysia’s Malaysia Computer Emergency Response Team, as many companies do not report these incidents.

“It shows SMEs are impacted by these attacks and raise a certain level of awareness, but the missing link is they need guidance from the government and industry on how to protect themselves. Awareness is still key,” says Wan Murdani, noting that SMEs typically do not see IT or cybersecurity as an essential investment.

Isaca director Leonard Ong agrees with Wan Murdani that SMEs are especially vulnerable.

“Cyberspace has no boundaries and there’s no difference between large and small companies, because cybercriminals target companies of any size. If you think about SMEs, the risks are actually higher because they’re less protected and need more protection,” says Ong.

The impact of cyberattacks on small companies is bigger than on large companies. This is due to the difference in scale: SMEs usually have fewer resources to deal with the aftermath and sustain their businesses in the event of a cyberattack.

Wan Murdani points to the recent news on courier service provider FedEx’s TNT division as an example. TNT was one of several companies to have its computer systems disrupted by the NotPetya ransomware in June, which is estimated to have cost the division US$300 mil (RM1.23 bil).

“TNT lost at least US$300 mil due to the ransomware attack and can continue to operate even after that. But that’s big money for SMEs and they might not be able to survive [such an attack].

“They must think of cybersecurity as the cost of defence and protection, as a part of doing business,” Wan Murdani says.


Cybersecurity skills gap

With the ever-present threat of cyberattacks, ensuring that businesses continue to operate has become a major concern. Hence, Ong advises companies to focus on business continuity to reduce risks and corporate losses by investing in cybersecurity.

Moreover, investing in cybersecurity will be in the SMEs’ best interests, as they also have to comply with regulations such as the Personal Data Protection Act.

Isaca’s study also points to the persistent cybersecurity skills gap and the difficulty of finding qualified candidates to fill cybersecurity positions as core challenges for businesses. The study shows that approximately 55% of organisations have indicated open positions for cybersecurity and information security, which will take at least three months to fill. Another 32% say that it will take six months or more to fill the vacant positions. Interestingly, more than one in five organisations get fewer than five applicants for such positions.

This is despite the fact that close to 70% of hiring enterprises require a security certification for cybersecurity positions, but 37% say fewer than one in four candidates are qualified.

Isaca Malaysia chapter president Kenneth Ho adds that the cybersecurity talent base also needs to be adequately equipped. “Although technical and administrative controls are essential in mitigating cyberattacks, we find that the human factor is often the greatest defence.

“It is imperative for organisations in Malaysia, especially SMEs, to look at cybersecurity as a business concern and ensure that the workforce and talent base is adequately equipped now, and growing, with the right skills.”

Against this backdrop, Isaca and MDEC have recently announced a partnership that will focus on improving leadership competencies and workforce skills in technology governance, information and cybersecurity.

This article first appeared in Focus Malaysia Issue 256.