Tips for SMEs and Start-ups to Secure their Financial Data in the New Age

As we enter the 75^th year of India’s independence it is important to recognise the 6.3 crore plus SMEs who are the second largest employers of India after agriculture. They provide 80% of jobs with just 20% investment. They contribute around 31% to nations GDP and 45% of the overall exports and 34% of manufacturing output. SMEs including start-ups are India’s growth engine, and they are increasingly becoming more vulnerable to higher level of risk from digital frauds, ransomware attacks and stolen proprietary information as they increase their level of digitisation. Indians have lost over Rs. 1.25 lakh crore due to cyber fraud and this is only by far, what has been reported^[1]. India saw a 37% increase in data breaches, cyber-attacks during 2020^[2] as per these reports.
 

The COVID-19 pandemic has forced a number of SMEs and start-ups to speed-up their technology adoption and rethink on their use of technology. Data showed that the SMEs who did well during the pandemic added E-commerce channels or enabled a digital sales channel. They had to adopt digitisation in their operations and financials processes. However, this is exposing the businesses to new age threats which they are not aware of as they lack the resources or knowledge to understand and address risks, like
 

• Ransomware attacks: Where hackers on the internet take control or block access of the business to their systems until they are paid a large sum.

• Internal digital frauds: Where employees take disadvantage of weak or non-existing controls siphoning off funds. There have been cases of employee frauds like these in companies like Wipro. Which goes to show that even large companies are vulnerable. An SME with limited staff and knowledge can be exposed more so.

• External frauds: Where hackers can easily find weakness in digital sales channels to harm a company by placing fake orders, rerouting orders, faking reviews etc.

• Reliance on cloud and software: As a server is exposing them to risks they have never dealt with before.
  ​

Founders & promoters of SMEs & start-ups can take very simple steps to help them minimise the risks to a degree. These include
 

• Training: Which ensures that all their employees are aware of information security and cyber fraud related risks. They know what precautions to take and how to recognise potential threats. History has proven that employees have always been the weakest link when it comes to information security and this is a key step that organisations can take.
   

For SMEs this is also highly cost effective to implement.
 

• Access Control: This is when the company restricts access to an IT resource. This is basically like using a safe to secure the cash in the office. Just like cash is locked up or hidden access to information should also be controlled using access controls provided in the applications and software used.

The key principle, companies should apply when thinking about access control is, does someone need that access to do their job? If they don’t then they should not have the access.

Another key principle where a lot of SMEs stumble when it comes to information technology is segregation of duties. This is precisely about ensuring that one person does not have control on a full transaction and that there are checks and balances in place before funds or assets leave the company. A solid example of this is when goods receipt, purchase invoice recording and payments to a vendor cannot be all done by a single person.

European power and robotics firm ABB recorded a loss of USD 100 Million due to one such instance in the company. Also, the now infamous Satyam fraud happened due to this.

Basic security to be implemented includes:

• Firewall: which is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

• Changing of default user names and passwords: Hackers take advantage of user names and passwords that come preconfigured with devices, such as Wi-Fi routers and laptops.

Change Management: Every change introduces risk and businesses need to make sure that when they change anything in the software or computer systems that they use, there is an understanding of the new risks and new controls are added.
 

Vendor Management: SMEs should ensure that they engage with the right vendors especially when it comes to technology vendors. This can be a challenge when it comes to SMEs as they have more cost pressures and look for low-cost options.
 

Product selection: Companies should ensure that they do a proper review of the software products they are implementing. They should not just go by recommendations from vendors.

When it comes to SaaS based products, they should ensure that the vendors have some basic security controls in place and check if the vendor has ISO27001 certification in place as this tells everyone that they take information security seriously.
 

Successful transition to digitisation cannot happen unless the business can navigate the technology waters confidently and the promoters feel confident of the technology being used. As per our experience if a promoter/founder attempting to implement a new system experience any of these frauds/issues they should not venture out and try to digitise again. This would be really harmful to their growth and the overall growth of the SME Sector in India.
 

As a result, it is really important for the promoters to think about the technology they are going to implement and the risks that change will bring before doing the implementation.
 

A detailed assessment can be taken using this link.

www.financialexpress.com/industry/technology/cyber-crimes-in-india-caused-rs-1-25-lakh-crore-loss-in-2019-official/2110242/ [1] 
www.theweek.in/news/biz-tech/2020/11/17/india-sees-37-increase-in-data-breaches-cyber-attacks-this-year.html [2]