CYBERCRIMINALS are employing various methods to attack small- and medium-sized enterprises (SMEs) and infiltrate their corporate networks, cybersecurity firm Kaspersky said on Monday.

Bad actors primarily employ threats through exploits, trojans, and backdoors, putting the data and finances of SMEs at risk, Kaspersky said in its report.

At the same time, it highlighted the prevalence of potentially unwanted applications or those labeled by the company as “not-a-virus,” which need to be addressed, although they do not exhibit malicious behavior.

“Four in ten employers admitted that a cybersecurity incident would be a major crisis for their business, superseded only by a slump in sales or a natural disaster,” said Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky, citing the company’s cyber-resilience report.

“A cybersecurity crisis would also be the second most difficult type of crisis to deal with after a dramatic drop in sales if judged by the results of the survey,” he added.

Data from Kaspersky showed a 325% increase in the number of unique hits across SMEs in the Philippines in the first half of the year, totaling 1,847, up from 434 in the same period last year.

It also revealed that 196 SME employees encountered malware or unwanted software disguised as legitimate business applications from January to June. This figure grew from 76 in the same period in 2022.

Exploits were seen as the biggest threat to SMEs in the first half of the year, Kaspersky said. These refer to malicious and unwanted software that takes advantage of security vulnerabilities and causes applications to crash even without user action.

Trojans came second on the list. These are known to enter the system and wreak havoc on network data and performance, among other malicious activities.

Backdoors ranked third. These are extremely dangerous malware that gives cybercriminals complete access to confidential network data, which they can then harvest without the user's knowledge.

“Cybercriminals attempt to deliver this and other malware and unwanted software to employees’ devices by using any means necessary, such as vulnerability exploitation, phishing e-mails, and fake text messages,” Kaspersky said.

“Even something totally unrelated to business, such as a YouTube link, may be used to target SMEs, as their employees often use the same devices for work and personal matters. If the user clicks the link, malicious code is uploaded into the system.”

To curb the growth in cyber threats, Kaspersky suggested providing staff with basic cybersecurity hygiene training, including conducting a simulated phishing attack to practice recognition.

“Set up a policy to control access to corporate assets, such as e-mail boxes, shared folders, and online documents,” it said, alongside clear guidelines on employees’ minimum access to services and resources, as well as regular backups of corporate data.

Strong passwords and multi-factor authentication for all digital services must also be observed among employees, Kaspersky noted. Security solutions and comprehensive defensive frameworks can also be sought through professional services, it added. — Miguel Hanz L. Antivola