MSMEs urged to bolster cybersecurity, contingency plans

MICRO, Small and Medium enterprises (MSMEs) must always stay vigilant with their cybersecurity measures, as they are more susceptible to attacks, said Shiva Bissessar, managing director and principal consultant of technological consulting firm Pinaka.

Pinaka’s technical lead Javed Samuel added that while the cybersecurity measures are crucial, businesses must also keep abreast of their technical suppliers’ contingency plans.

He cited the CDK Global ransomware attack, which led to a global system outage and forced car dealerships to seek alternative transaction methods.

Trinidad and Tobago was also affected with Ansa Motors and Massy Motors facing system issues. Bissessar emphasised that such incidents are not merely IT or IT security problems but “business strategy problems,” with the CDK Global attack representing a supply chain disruption..

“From a business strategy perspective, businesses in T&T need to be aware of the impacts to their operations which may come about from their supply chain being affected,” Bissessar said,

Samuel recommended that businesses consider having a backup technical supplier in the event of an outage or attack. “It ties into your business continuity plans. Your customers do not have a list of your suppliers, so it’s your responsibility to be aware of the third-party risk and have a plan in place,” Samuel said.

Bissessar said because of the reliance on technology in businesses, if there are no continuity plans in place, then they are “doomed for failure”.

“Reliance on a particular vendor for your supply chain comes about over years of time, building trust and restrictive procurement practices. So, you have concentrated risk in a pool of vendors that could be very critical to business operations.”

Focusing on MSMEs, Bissessar noted that their limited resources in technology make them more likely targets.

“Certain targeted attacks may go after MSMEs because they know they are less equipped to deal with these types of attacks. So, they do have up their defences, and become aware of the risks out there, they can no longer hide their head in the sand and say that they are small and are not being targeted. We have proven that for large entities in the Caribbean thinking that the first-world nations will take the fall out, the Caribbean does not have to worry about it,” he said.

“Slowly but surely, it’s being brought home. It’s no longer a first-world problem or a large entity problem, it’s a small entity problem as well,” Bissessar said.

Bissessar said part of this issue is there is no way to track the attacks or the repercussions because there is no mandate for reporting these issues. Samuel added that because reporting is not required, businesses would be aware of what is happening, which can lead to an increase in phishing attempts with attackers purporting themselves as the suppliers’ customer service representatives.

“As an MSME, if you get an e-mail that says ‘Click here to reset your account,’ you may go along and do so and not realise it’s a phishing scam. It’ll be a double whammy with you,” he said.

“My advice to small entities is to become aware of this (attacks and the effects), it is an issue that you need to grapple with at the organisation level, on a business strategy level. Your organisational structure needs to reflect a mature response to information security – you may need an information security manager or some function that is dedicated to this – because it is separate, a specialised area from IT. We need a more mature way to deal with these types of issues,” he said.