This article can also be found in the Premium Editorial Download:

Small and medium-sized enterprises (SMEs) have become the preferred targets for cyber criminals.

Not only are they often easy targets, but they offer a stepping stone to larger, more lucrative corporate and government targets.

According to Bill Chang, CEO group enterprise at Singapore Telecommunications giant Singtel, SMEs are “an entry point into the large organisations that are part of their supply chain.”

The figures back this up. Smaller companies have been experiencing a steady increase in attacks in the past five years, according to Symantec’s 2016 Internet Security Report.

The report found that 43% of all attacks were targeted at small businesses with fewer than 250 employees in 2015.

“Every partner that plugs into an enterprise environment brings in a fresh set of vulnerabilities, which results in security lapses,” said Nikhil Batra, research manager, Telecommunications at IDC Asia-Pacific.

“Hackers and malware developers are constantly on the lookout for such partner ecosystems, where they can creep into a secure network through an unsecured partner.”

For example, in Thailand earlier in 2016, a third-party developer commissioned by the immigration police briefly leaked the personal details of 2,000 foreign nationals living in southern Thailand during the testing stages. The data contained the names, addresses, professions and passport numbers of the foreigners.

Cost of attacks costs less than you think While large enterprises have the resources and often place a priority on investing in shoring up their defenses, SME priorities can be very different. Most SMEs feel that they are too small to attract the interest of a hacker or are unaware how best to protect themselves. They also lack the IT staff to ensure that their systems and networks are protected. However, an SME owner’s assumption that the business is too insignificant to interest cyber criminals may have been true in the past, but that is no longer the case. The decreasing cost of compute power and growth of automation allows cyber criminals to mass produce attacks at a fraction of what it used to cost. “The cost of compute power has gone down and we can assume it will continue. The advantage goes to the attacker as it means they can launch greater and more sophisticated attacks at less cost,” said Mark McLaughlin, CEO at Palo Alto Networks. “When the cost of an attack goes down, the number of successful attacks will go up at an alarming and exponential rate.” Chang at Singtel said: “This is a major issue as large enterprises have funding and resources to build or leverage security service providers to increase their level of defenses, but SMEs either do not have the resources or do not bother.” A popular myth is that attackers have to force their way into organisations. In fact, most breaches occur when attackers trick people into letting them inside, said Alex Lei, regional director for Southeast Asia at FireEye. For instance, in January 2014, an employee of a contractor engaged by KB Kookmin Card, Lotte Card and NH NongHyup Card used a portable hard drive device to steal credit card data, according to prosecutors in South Korea. Some 20 million customers were reportedly affected by the firms’ data breach.

Asean is lagging in Southeast Asia An added challenge, said Lei, is that Asia as a whole is still playing catch up in the cyber security space and Southeast Asia is at the rear of the pack. “In 2015, the median time it took the typical Asia-Pacific organisation to know they had been compromised was 520 days – around 17 months. The global figure is only 146 days. In Europe, the Middle East and Africa, it’s 469 days, according to the 2016 Mandiant M-Trends Asia Pacific report,” he said. The problem is compounded by the fact that Southeast Asia is significantly more exposed to targeted attacks than the global average. “In the second half of 2015, 27% of the organisations we observed in Southeast Asia were exposed to at least one targeted attack. This is almost double the global average of 15%,” said Lei.