Cybersecurity & SMEs: Small business are the big victims

As the digital world permeates an increasingly large part of our lives, cyberthreats start to grow in both impact and frequency. The global trend of the cyber landscape is such that attacks are becoming less profit-motivated. Rather, they aim to cause widespread disruption.

As such, cyberattacks are by now a recognised threat to both organisations and individuals. But most of the time, attacks on information systems of the larger and more well-known corporations tend to dominate the headlines. For instance, the latest major cyberattack that occurred in Singapore was that on SingHealth in June 2018. The personal information of about 1.5 million people, including that of Prime Minister Lee Hsien Loong, was stolen.

In 2017, the National University of Singapore (NUS) and Nanyang Technological University (NTU) were the victims of similar attacks targeted at stealing sensitive data as well.

A big problem that SMEs are not doing enough about

Attacks on reputable institutions are just the tip of the iceberg. What most people tend to overlook is the whole host of smaller-scale attacks that are wreaking havoc on small businesses on a daily basis.

Almost 40 percent of cyberattacks in Singapore target small and medium enterprises (SMEs), according to the Cyber Security Agency of Singapore (CSA). Phishing attempts and ransomware were the most common methods used.

According to the Singapore Cyber Landscape 2017 publication, some 2,040 website defacements were detected in Singapore. Majority of them were websites of SMEs with businesses ranging from interior design to manufacturing.

In a survey conducted by Insurance specialist QBE, 491 SMEs across various industries in Singapore were polled. It was found that although 90 percent of respondents admitted to being aware of potential cyber risks, one in four still do not have any internal processes or policies to protect themselves. For smaller-sized SMEs, the figure hits one-third.

This was mainly due to the fact that SMEs believe they are too small to be targeted by cyber criminals as they don’t have anything worth stealing. Moreover, the misconception that cybersecurity is an issue for the IT department remains. Due to the lack of budget, expertise and technical capability to implement effective measures, many SMEs in Singapore continue to be ill-equipped in defending themselves from cyberattacks.

The vulnerability of SMEs

This is a worrying trend for Singapore in which SMEs make up 99 percent of businesses and employ over 70 percent of the workforce. SMEs occupy an important position in the economic value chain growth and are part of the digital economy. Moreover, they are the first link in Singapore’s business supply chain as the subcontractors and vendors of large enterprises, and even government agencies.

Many of these small firms provide services ranging from cleaning to marketing, human resources and content creation. They operate on a flexible-economy model that strays from the traditional nine-to-six office hour arrangement. Employees can work from home, a café, or on the go. This creates new security risks as many of them choose to work on personal laptops or smartphones, which do not offer the high-quality data encryption necessary for business transactions.

As more SMEs go digital in the Industry 4.0 environment, they may find themselves exposed to the ever-growing cyber threats, such as phishing attacks, defacements, and ransomware. For many SMEs running lean, being hacked would mean normal operations stop. This results in not only a loss of revenue, but also affects their business reputation. A malware attack could possibly be the beginning of the end for a small business. They could even face legal issues if personal data were to be stolen.

Managing cybersecurity as an SME

The first step that SMEs need to take to strengthen their defence is to be acutely aware of the cyber threats they are at risk of. That is, they need to know, in the context of their business, the likelihood that a given threat source will exercise a particular vulnerability and the resulting impact should that occur.

The companies also need to identify and understand their critical assets that require protection, and take steps to prevent and detect unauthorised access. Physical and software controls, such as multifactor authentication, can then be implemented to ensure that only the authorised personnel gain access. Administrator privileges also need to be restricted so that attackers will not have the opportunity to compromise the system.

But most importantly, besides having clearly defined roles and responsibilities on security, the right culture must be in place. There is a need for every individual to understand that cybersecurity concerns everyone – not just the IT department. Even if the IT systems are being managed by third-party vendors, organisations themselves need to ensure that vendors have clear plans in protecting the systems and data.

As the saying goes, human error is the weakest link in cybersecurity. It is when we take the responsibilities into our own hands and see ourselves as the first line of defence, that the IT systems can be sufficiently protected. In particular, SMEs need to take proactive steps to instil cyber-risk awareness in their staff. As Singapore pushes towards Smart Nation, the government has, through various Institutes of Higher Learning (IHLs), as well as Private Continuing Education Training (CET)s centre, offered higher subsided pricing for cybersecurity awareness courses. This has been done as part of an effort to ensure that Singaporean and PR employees are well-equipped and remain resilient against cyberattacks.

Tan Lay Ngan | Principal Lecturer & Consultant, Digital Strategy & Leadership Practice | Institute of Systems Science, National University of Singapore

Lay Ngan delivers courses and manages consulting projects on Managing Cybersecurity Risk and Data Governance. She was appointed by Singapore Information Technology Standards Committee as the Chairman of IT Governance Technical Committee. She has also worked with the International Joint Technical Standards Committee, with the aims of establishing Singapore as a practice-leader in effective IT Governance, directed to enhancing the business value of IT.