The Case of Cyber Insecurity
The Case of Cyber Insecurity
Why are SMEs nonchalant about the threat? Local players share their take.
When it comes to cyber-attacks, being small doesn’t mean you're out of sight. In fact, recent news on cyber threats reflect a staggering reality for Small and Medium Enterprises (SMEs) – 56% Singaporean SMEs experienced a cyberattack in 2018.
Despite the warnings, SMEs do not seem to be wavered. 22% of those who had an attack took no action to eliminate future risks.
"People will think: 'Why do we have fire drills when we never encounter fires? It's the same for cybersecurity. People will always feel it will never happen to them, or it will never happen to their company," said Mr Erman Tan, president of the Singapore Human Resources Institute (SHRI). Why the nonchalance? We discuss with five business owners to understand more.
Intangible results VS tangible costs
Because cybersecurity is a preventive and predictive measure that doesn’t show tangible results, people get complacent.
Alvin Poh, Co-founder and ex-CEO of Singapore's top web host, Vodien, said, "People tend to have a false sense of overconfidence that nothing will happen to them. Those who are not running tech businesses may feel that cybersecurity is not relevant. They typically don't panic and worry until a cyber-attack really happens."
"Cybersecurity is unpredictable. Businesses, especially SMEs, may not see the need to devote money and resources to something they do not encounter every day. Hence, daily operations and other tangible business functions tend to take precedence," said Fanny See, Co-founder and COO of proof-of-delivery and vehicle tracking app Detrack.
Stuart Thornton, CEO of Singapore-based payments startup hoolah, shared the same thought. He said, "A lot of SMEs consider cybersecurity as an added cost to their business and weigh this against the other elements required to grow and maintain the company. As a result, they tend to underinvest in a critical element for the success of the company's sustained growth."
SMEs make up the majority of the customer base of logistics provider Ninja Van, whose Co-founder and CTO, Shaun Chong added, "This is usually the case because SMEs tend to focus on their core business. Cybersecurity is usually an afterthought and often only when they have been hit by an attack. Cyber-attacks are becoming more sophisticated, and this could mean the loss of significant business if you don’t look into it."
Small business, big victims
Not all companies are affected by malicious attacks in the same extent. SMEs face greater threats, risks and challenges because they often lack the resources, including technology and knowledge, to promote resilience.
"Many SMEs have an inaccurate understanding of cybersecurity. Most of them believe that their systems are already updated with the latest anti-virus software and firewalls. Other SMEs believe that the likelihood of data breach incidents happening to them is low as they are too small to be considered by hackers," said Salim M Amin, Principal Partner and Director, Avallis Financial, one of Singapore’s first insurance brokers that covers cyber-attacks.
"To put things in perspective, of the number of ransomware cases reported to cyber risk insurers in 2018, 71% of the attacks were on SMEs. They are less likely to implement more secured backup systems, hence resulting in a higher likelihood of their systems being compromised during such attacks. Ultimately, they may have to accede to paying ransom to restore their data/system in order to resume their business activities. This has put cyber insurance an important concern for SMEs when evaluating their insurance needs."
Fanny agreed that SMEs need to place even more emphasis on cybersecurity. She said, "Cyber threats are disasters that can happen anytime, and when it strikes, the impact on the business – especially one that lacks the resources and infrastructure to handle such attacks – will be unimaginable. In many cyber-attack cases, the affected SME may never recover."
More than money on the line
With an accumulation of confidential data in the online sphere, the aftermath of a cyber-attack stretches beyond the monetary consequences. The major sacrifice would be business reputation and clients' trust. "High ethical standards are important to customers and negative publicity around a poorly handled data breach can ruin a business' reputation in an instant. Therefore, acquiring a holistic approach to risk mitigation is more than just financial," Salim explained.
As Shaun puts it, "In today’s data driven economy, our data is our business. We have to do everything to protect it." He added, "We serve millions of parcels every month across six countries in Southeast Asia and hold a large database of sensitive personally identifiable information (PII) such as addresses and phone numbers. We have a responsibility to stay resilient."
Businesses handling online payments need to take even more care with the data on hand. Stuart commented, "With payments as the core of our business, and as a relatively new start-up, one of the most important elements we need to deliver is trust. We need to religiously protect important financial and personal data of both merchants and consumers to safeguard our community from fraud, downtime and data loss."
"Data leakage is a major concern. Our clients entrust us with their data. Hence, it is our responsibility to ensure that the data is secured to the best of our abilities. Any potential data breach will risk leaking customer’s confidential information and make us lose the trust of our clients," said Fanny.
Business operation downtime is another repercussion of cyber-attacks that can lead to a loss in revenue, and a greater effect on the company's reputation that can take a long time to recover.
"As a cloud-based real-time delivery tracking solution, 24/7, 365 days uptime is critical to our business offering. Any potential threat that can cause server downtime will be extremely disruptive. Even when maintenance is being done, we have to design it to have zero downtime," said Fanny.
"The lack of exposure and education on how cyberattacks can occur and the implications is an important starting point to ensure that the full magnitude of the consequences is understood. If the worst-case scenario occurred, what would this mean? If the answer is that you would lose trust, and therefore reputation, customers and revenue (which is hard to earn back), in my opinion it’s a vital investment for all," said Stuart.
Proven strategies from the SME owners
Stuart holds firm to high standards on cybersecurity. He shared, "We have built our infrastructure with the same architecture as that of a banking institution. the importance of protecting consumer data and working to the guidelines of the payments industry is at the core, even if it means greater investment. Protecting our business and customers is paramount."
Alvin shared that a quick guide when coming up with a comprehensive security strategy is to ensure that it adheres to the three pillars of cybersecurity: confidentiality, integrity and availability.
"We had to put in strict policies to prevent leakage of confidential customer information, especially with social engineering on the rise. To do this, our staff were trained about the importance and taught what to do and what not to do with regards to customer information. Security policies were also in place so that access to customer information is limited to the absolute necessary."
"Information must be protected, especially from being modified by unauthorised parties. We ensured online transactions were secured and even encrypted. At a minimum, SSL (Secure Sockets Layer) were used. User Access Control policies were also in place so that information couldn’t be modified by anyone except those with proper access. Passwords were also a weak link, so we used private keys whenever we could instead, and used secured access protocols such as Secure Shell (SSH)."
"As a web hosting provider, we had the responsibility to ensure that our customers' websites are accessible. Downtime is costly to any business, so we put in measures to prevent against downtime. Hardware and software must be optimised and have redundancy to ensure uptime. There must also be multiple proper backups done on a regular basis so that in the case of data loss or corruption, a recent copy of data can be restored quickly."
Salim stressed on the need for cyber wellness education. "Approximately 75% of all data breaches are caused by human factor. Most cyber-attacks were designed to take advantage of human errors rather than flaws in software, whether it's clicking on malicious links or accepting fraudulent emails," he said.
"Companies are increasingly becoming subjected to cyber threats as employees fail to keep their data and system secured. Improper disposal of paper documents and equipment containing personal and important information, loss/missing/stolen electronic assets, mishaps due to rogue employee actions were also the cause of data compromises," he added. By educating staff on healthy cyber practices will lower the risks of cyber-attacks.
Shaun emphasised the importance of staying vigilant and responding to threats at the earliest. Ninja Van currently uses automated security tools and managed services to detect potential malicious attacks quickly.
Find help to get started
Even if SMEs know the urgency of building their cyber defences, they may not have the capabilities or understanding to get started. To overcome the knowledge gap and inertia, many of the SMEs brought up the option to find a cybersecurity partner instead of building in-house resources.
"This is an education and awareness issue. It's something that SMEs need to start to recognise and start handling by either learning about basic cybersecurity measures themselves or working with a cybersecurity partner," said Alvin.
Fanny's strategy is to look for robust cyber security solutions, perform regular penetration tests and implement up-todate security measures. Internally, her team has built failovers and monitoring robots to minimise the risk of cyber threats. With the help of a cybersecurity partner, her company has also implemented an endpoint threat response platform powered by artificial intelligence (AI) that remotely kills off any malicious malware and unauthorised malicious activities on the work stations.
Cybersecurity – a long drawn battle
Cyber threats only get more advanced. A conscious and sustained effort in education, training and drills will help companies remain vigilant in this long journey.
"Cybersecurity isn't something you buy off the shelf and forget. It is something that needs to be constantly reviewed. Keeping up to date is vital in ensuring we anticipate the evolution of cyber threats. We attend briefings on this topic regularly to understand new trends and changes in the cyber landscape. Similar to protecting a nation, we are always on standby mode for an attack and have set up SOPs along with the requisite alerts and system monitoring to ensure we're fully prepared for when it does happen," said Stuart.
"No single strategy is totally failproof, and the process of embarking on the search, testing, evaluation and finally implementation have been time-consuming, resource intensive and expensive," said Fanny. "However, all businesses who want to be equipped for the new digital economy will need to treat cybersecurity as an integral part of their business structure. This journey will not be easy, but it is one that we need to take."
Shaun added, "Cybersecurity will continue to be a priority for all businesses looking to join the digital economy. With the increasing threat landscape coupled with the shortage of skills in cybersecurity, it is a problem that we will have to tackle."
SME Insights: How to create a millennial ready workplace
Millennials are altering the way businesses run. They have a reputation for being job-hoppers. Read on to find out how to be ready to embrace this new generation.
SME Roundtable - What's the hype about going digital?
5 local small, medium enterprises (SMEs) discuss about the good and ugly of digitalisation.