"It's Just 'A Fire in the Next Neighborhood'... With Payroll Pressures, Security Keeps Getting Delayed [Concealment 8]"

ChatGPT Development

'No. 1: Poor sales performance, No. 2: Rising raw material costs, No. 3: Increasing labor costs.'

The "May 2025 Business Outlook Survey" conducted by the Ministry of SMEs and Startups reveals just how little company leaders are aware of cybersecurity issues. Not a single respondent mentioned concerns such as "the cost of security products" or "lack of security systems." The CEO of a small manufacturing company that suffered a ransomware attack last year said, "Until we were hit, I thought there were at least ten other reasons besides hacking that could ruin us." He added, "Problems like 'not being able to pay salaries' or 'failing to repay loans' were immediate concerns, so security investments kept getting pushed to the bottom of the list."

Park Seungae, CEO of JiranJigyoSoft, an information security company, said, "SMEs and mid-sized companies tend to see ransomware prevention like long-term care insurance for dementia. Since implementing a security system can cost tens of millions of won, they cite financial burden as the main reason for not taking action." She added, "Ransomware feels like something that would never happen to you unless you actually experience it. Even when they hear about another company being hit, they treat it like 'a fire broke out in the next neighborhood?what a shame,' and move on."

There are ways to establish basic security systems without spending large sums of money. The Korea Internet & Security Agency (KISA), under the Ministry of Science and ICT, provides free security solutions to SMEs. However, many companies are not even aware of these services, resulting in low usage rates. For example, only 352 companies applied last year for the "My Server Caretaker" service, which inspects company servers free of charge. This is just 0.004% of the 8.04 million SMEs in Korea (according to the 2024 SME Basic Statistics, based on 2022 data). The service offers remote checks for password strength, signs of intrusion, and critical vulnerabilities, as well as self-diagnosis tools, but very few companies have ever used it.

The "Cloud-Based Security Service (SECaaS)," which costs just 500,000 won per year, was also adopted by only about 0.007% of all SMEs (607 companies). This system enables companies to use security features such as firewalls, malware detection, and DDoS (Distributed Denial of Service) attack defense without the need for dedicated personnel or equipment. Park Jinwan, Head of the SME Information Security Team at KISA, said, "Only a small number of companies whose CEOs are strongly committed to strengthening security are even aware of these services and actively apply for them."

Park Jinwan, Head of the SME Information Security Team at Korea Internet & Security Agency (KISA), is being interviewed by Asia Economy on the 22nd at the KISA Seoul Office in Garak-dong, Seoul. Photo by Yoon Dongju

The Ministry of Economy and Finance is actually cutting the SME security budget every year, citing "low usage rates" as the reason. The budget for SECaaS was 10 billion won in 2023, but dropped by 40% to 5.8 billion won last year. This year, it was slashed by more than half again, down to just 2.3 billion won. For the My Server Caretaker program, budget limitations mean that only the first 350 companies each year can receive the service, both last year and this year. Lee Won-tae, former president of KISA, pointed out, "Cutting the budget this drastically is no different from giving up on SME security altogether."

With insufficient funding, the scale of related projects has shrunk, and companies are caught in a vicious cycle where they cannot access the services. Park emphasized, "Even though there are government support channels in the security sector, the lack of promotion means companies are simply unaware and therefore cannot apply. In particular, partner companies of large corporations need to pay even more attention to security, as attackers can penetrate the main corporate network by moving through these partners’ systems."

KISA recommends that SMEs start by participating in "cyber simulation training." This allows them to experience real-world cyber threats such as phishing emails, DDoS attacks, and simulated intrusions. Regular training for all companies, including large enterprises, is held twice a year, each session lasting about ten days. SMEs can participate in ongoing training throughout the year. Park said, "Starting this year, we are recommending security solutions to companies that have undergone cyber simulation training to help address their vulnerabilities. For example, if someone falls victim to a phishing email, we suggest a 'hacking diagnosis tool,' and if a server goes down due to a DDoS attack, we connect them with a 'cyber shelter' service."

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.