Data privacy, protection trends & tips for SMEs
Cyber attacks are increasingly sophisticated and the impact can be felt across all industries in Singapore. According to a Singaporean Threat Report published in The Straits Times on 12 April 2019, almost all organisations and businesses polled in the survey have suffered close to four cyber attacks in the last year. Of the 250 company leaders and executives polled, only four percent said their organisations were not attacked. The organisations and businesses polled cut across sectors like finance, healthcare, government, retail, manufacturing and media.
All organisations possess valuable information assets, which may include intellectual property, financial payment information, client information, business partners’ information, personal data or other company confidential data. Cyber risks have been singled out as causing significant damage to an organisation’s brand and reputation. BDO has been monitoring the cybersecurity trends in 2019 and has highlighted some key trends for SMEs to take note of. In addition, with increasing Personal Data Privacy Act (PDPA) enforcement actions, SMEs should also be more cognizant of their oversight responsibilities in safeguarding personal data collection and use.
What can I do to protect my organisation?
Cyber criminals exploit security gaps left open in computer systems and networks, as well as system foul-ups. They also capitalise on human curiosity and weaknesses to infiltrate the system. Below are 10 practical tips that SMEs can take away and adopt:
1) Security hygiene
Tip #1 - For a start, organisations should always purchase and download software from trusted sources and avoid using unfamiliar free and/or pirated software.
Tip #2 - Keep all systems and devices up-to-date by applying the latest updates to the operating systems (OS) and applications, and turn on automatic security updates for all mobile devices and computers.
Tip #3 - Restrict untrusted devices from connecting to the company network. These devices could belong to business partners, contractors and even temporary employees like interns. If access is needed, either issue them a company computer to work from or restrict their access to specific systems and network segments only.
Tip #4 - Sign up with email protection services. Such services come with enhanced security protection, which protects corporate emails against modern phishing, malware and ransomware. Cyber criminals like to send malicious emails to organisations from familiar-looking but spoofed domains.
Tip #5 - Ensure all computers and mobile devices used in the organisation have anti-virus/anti-malware tools. Put in place network defences such as firewalls to block cyber-criminal infiltration.
2) Be vigilant and raise overall cybersecurity awareness
Tip #6 - Conduct cybersecurity awareness training and teach employees to be wary of suspicious emails or other communications that request sensitive information. Employees should report such cases to management immediately when in doubt.
Tip #7 - If an employee observes that his/her computer is running exceptionally slowly, alert management or call in external help to check the system.
Tip #8 - Subscribe to the cybersecurity advisories and alerts provided for free by the Singapore Computer Emergency Response Team (SingCERT), a unit of the Cyber Security Agency of Singapore (CSA): https://www.csa.gov.sg/singcert/news/advisories-alerts
3) Data privacy protection
Tip #9 - Adopt a minimal data collection mindset. Collect only the minimum personal data needed to transact. This could help save on the hefty fines should a data breach happen.
Tip #10 - Appoint a Data Protection Officer (DPO) in your organisation. The DPO should keep himself/herself informed of the latest data privacy updates from the PDPC and of any other privacy law changes in the region. Engage a third-party DPO if the organisation needs help tracking critical changes and updates to stay on the right side of the law.
In conclusion, data breaches happen because of either “system foul-ups” or “human slip-ups”. By adopting good security hygiene and better employee education, SMEs can prevent some cybersecurity incidents. If all else fails, the least any organisation can do to potentially save its business operations and confidential data is to back up all critical data.
Why should SMEs be concerned with data security and privacy protection?
Nation states and cyber criminals targeting personal data
Globally, 2018 has seen many cybersecurity incidents, leaking millions of personal data records where nation state actors have been implicated. Much has been said about cyber criminals targeting healthcare facilities for personal data to sell in the Darkweb (underground market for stolen data), but we have also seen state actors gaining access to these data records as part of cyber espionage.
Rise of business email compromise (BEC) attacks
Emails are compromised and used to get payments that are directed to the cyber criminals’ accounts instead of the organisation’s account. SMEs are mostly victimized via spoofed emails sent or received during these transactions, wherein attackers direct victims to send funds to falsified bank accounts.
Growth of spear-phishing email attacks
An increased number of spear-phishing email attacks targeting senior SME executives has been reported in the news. Spear-phishing is also used as an easy entry point to gain access to an end-user’s computer, which allows the hacker to move inside corporate networks and servers to steal confidential data.
Expansion of ransomware attacks
Over the past year, there has been a 350% increase in the number of ransomware attacks globally. Ransomware strains like WannaCry and NotPetya are still being used by cyber criminals to target vulnerable, unpatched SME computers and extract ransom payments in digital currencies such as Bitcoin.
Increasingly complex cybersecurity regulatory landscape
Around the world, regulators at local and regional levels have been enacting new government regulations to protect consumers’ personal data. Organisations need better controls to safeguard consumer data collected via the web, mobile or even at the store front. Hefty fines have been levied by the PDPC in the past year to remind organisations to handle personal data with care.
Gerald Tang | Data Privacy Lead | Technology Risk Advisory | BDO LLP
Gerald leads various strategic partnership and new business engagements on data privacy and cyber security. His primary area of focus is in Personal Data Privacy (GDPR & PDPA), Cloud Consulting and Security Advisory. Gerald has a background founded in cloud and cyber security and is currently pursuing his data privacy compliance credentials for a Data Protection Officer (DPO). He has spent a number of years overseeing cloud and cybersecurity projects, including designing complex enterprise and hybrid cloud platforms for government and enterprises.