Cybersecurity: Why are SMEs holding back?

I am continually impressed by the level of public discourse in Singapore about cybersecurity. I do wonder, however, if people are talking more about it than actually becoming part of the solution.

Cybersecurity is a global problem that no one has managed to solve and the problem is worsening alongside increasing digital innovation. Recently, hackers stole 1.5 million SingHealth patient records, including personal health records of PM Lee Hsien Loong. As the PM stated in his Facebook post, despite knowing the risk of digitalising health records, he nevertheless decided to push forward, as failing to adopt digital technology would hold Singapore back.

Around the same time, Australians were having a robust debate about digitising their health records. Unsurprisingly, the message from the Australian PM, Malcolm Turnbull, was similar to that of PM Lee – digitisation must continue. As in Singapore, the key concern for Australians is that sensitive health records could fall into the wrong hands when digitised. Australian security experts have highlighted the risk of 900,000 health professionals having access to this data, as their PCs are likely to be weak entry points into the national database.

Governments around the world have been urging businesses to join the digital revolution or risk being left behind, while increasing cybersecurity and privacy regulations. The above stories are seemingly about government cybersecurity, but SMEs are significant stakeholders in national economies and need to be part of cybersecurity solutions. So why are SMEs not actively tackling cybersecurity? In my opinion, this is attributable to the lack of deep understanding and the cost of cybersecurity solutions.

Above all, cybersecurity is a human problem. Social engineering (tricking people into divulging private information) is one of the most successful tools used by cyber criminals. The post-incident analysis of major cybersecurity incidents often uncovers human errors, or failures to follow basic processes, as the root causes. Cybersecurity awareness and best-practice training should be compulsory for all users of digital technology. SMEs must understand the cybersecurity risks to their businesses and the potential impacts of a major breach. They must educate themselves and their employees.

Technology has a key role to play in the defence against cyber threats. However, from a purely technical viewpoint, cybersecurity can be difficult to understand, track and manage. Experienced cybersecurity professionals can help simplify this complex issue by providing security architecture and strategies, which can drastically reduce risks. Large corporations in the finance and technology sectors were the first to understand cyber risk and have invested heavily in cybersecurity to protect their digital assets. They spend on the best technology and the best talent. For the individual PC/laptop and smartphone user, a base level of protection is anti-virus software on all devices. Free software options are available, but these may not be reliable, and full-price AV software across multiple devices is expensive.

The SME sector represents a broad range of organisations in terms of size, use and reliance on technology. Research findings show that SMEs spend way below recommended levels globally. Hence, as bigger businesses equip themselves with increasingly sophisticated cybersecurity protection, cyber criminals have turned their focus to lesser-prepared SMEs. SMEs are facing a tidal wave of cyber-crime and need help to repel cybersecurity threats. But a risk-based, structured cybersecurity solution is simply too expensive for most SMEs, and this must be recognised. In terms of magnitude, impact and urgency, cybersecurity is a significant problem for modern economies and societies.

Government schemes to assist with the training of SMEs, bundled with professional security assessments of IT systems before they digitise their businesses, could help reduce future occurrences of data breaches. SMEs are primarily concerned with cashflow and do not have extra money to train staff or pay for cybersecurity consulting.

In Singapore, the government has taken major, commendable initiatives, including the setting up of the Cyber Security Agency of Singapore. There are also numerous subsidies and grants available to SMEs to modernise and improve productivity. However, these grants are not addressing the widening cybersecurity gap faced by SMEs. Cybersecurity problems cannot be solved solely by purchasing technology, without first assessing its suitability. Industry analysts are hopeful that specific cybersecurity assistance grants will soon be available to enable SMEs to become educated and to engage consultants to assist with cybersecurity assessment and policy formulation – a key requirement for any successful cybersecurity initiative.

In the meantime, SMEs who are concerned about their cybersecurity should engage a consultant to do a cybersecurity health check of their systems. Many cybersecurity consultants offer these initial assessments free of charge. Cybersecurity is not a problem that will go away if you ignore it. At a minimum, SMEs need to understand their cyber risks, even if they are prepared to accept those risks until they are ready to take further action.

Mamoon Reza, Cybersecurity Consultant and Director, Certigo