- In this post-Covid-19 world, remote working has become the new normal for businesses.
- An organisation’s data is essential for its daily operations, decision-making and business growth. Such data can also be monetised and valued in a digital economy.
- A company’s data is constantly being targeted by malicious actors through data breaches, ransomware, intelligence work and espionage. Data has thus become an important asset that Singapore SMEs need to protect and leverage as they gain a foothold in the regional market.
- When it comes to data protection for SMEs, raising staff competencies and awareness through trainings, briefings and audits should be an ongoing and sustainable process.
- SMEs and their information security personnel, including contractors and vendors, are required to ensure and demonstrate compliance with Singapore’s Personal Data Protection Act (PDPA). This would require organisations to consider the authentication of users before allowing them to access company and personal data.
The COVID-19 pandemic has exponentially accelerated digital adoption for small and medium-sized enterprises (SMEs). The need for remote working has compelled the business community to take up more digital tools and virtual platforms as they adapt to a new normal.
This new normal is expected to continue in the long run, given the infectious nature of COVID-19 and with no vaccine as of yet. Given the disruptive and unpredictable nature of a global pandemic, it is imperative that organisations employ business continuity plans for the foreseeable future.
SMEs worldwide have demonstrated strengths in being creative, nimble and responsive to business conditions as compared to larger corporations. The attributes of being small and lean have pushed many successful SMEs to be more resourceful, thus strengthening their highly versatile team as business conditions evolve.
Scalability and sustainability are important considerations for SME owners with strategic vision, and increasingly, data has become an important asset that Singapore SMEs need to protect and leverage as they gain a foothold in the regional market.
Businesses deal with inherent risks and external threats constantly. The same should apply to risks related to information and cybersecurity. Rather than being handicapped by risks, individuals and organisations can manage them appropriately to prevent threats and minimise impact when risks are realised.
Data protection for SMEs: How SMEs should prepare for the worst
An organisation’s data is essential for its daily operations, decision-making and business growth. Such data can also be monetised and valued in a digital economy. It is no wonder that company data is constantly being targeted by malicious actors through data breaches, ransomware, intelligence work and espionage.
In the cybersecurity community, we are keenly aware of the possibility of data breaches as organisations have to prioritise their resources and controls in a sustainable manner. SMEs are used to reacting to business opportunities depending on market demands.
This is especially so during uncertain times and as such, could result in lapses in an organisation’s cybersecurity practices. These practices include:
Policies set the tone of an organisation’s directions and outcomes when it comes to risk management.
For example, procurement policies should recommend that supplier due diligence be carried out to ensure that contractual clauses and supplier performance measures are in place.
Some of these measures include having a qualified and experienced project team to support customers’ requirements, being ISO-certified in relevant processes, and having properly documented processes that are verified by third-party auditors.
SMEs should also review their roles, responsibilities and liabilities when it comes to customer-based service level agreements.
Conduct a thorough cybersecurity audit
Conduct a thorough cybersecurity audit to ensure that you have the right tools for your business. Consider a layered stack of security tools that can be integrated together for a seamless and comprehensive set of protections.
If that seems overwhelming, consider working with a managed service provider (MSP) to help ensure a proper security solution without having to research and manage it yourself.
Competencies of data users within the organisation and its supply chain through audit, briefing and training
As cited in incident reports of data breaches, cybersecurity incidents usually happen when staff in the organisation are unaware of what they need to do to minimise security risks.
Raising staff competencies and awareness through trainings, briefings and audits should be an ongoing and sustainable process as threats are constantly evolving.
This also helps staff involved in procuring services or solutions from vendors to be vigilant in assessing and monitoring suppliers’ and supply chain partners’ competencies and accountability in minimising security risks.
Standard operating procedures such as data classification and incident response management
Incident response management would require exercises or drills to be carried out so as to ensure that every stakeholder, including suppliers, takes ownership of their roles and responsibilities.
Most SMEs in Singapore do not have such standard operating procedures, while some may have them documented but not tested. Without testing or drills, companies would not know if their incident response is managed in an appropriate manner.
On the other hand, data classification allows SMEs to identify the types of data that require higher levels of protection or safeguards as they are sensitive and critical to their daily operations.
Tried-and-tested workflows in ensuring confidentiality, integrity and availability of companies’ critical data in a realistic and practical manner
With accountability being a fundamental principle of Singapore’s Personal Data Protection Act (PDPA), SMEs and their information security personnel, including contractors and vendors, are required to ensure and demonstrate compliance with the PDPA. This would require organisations to consider the authentication of users before allowing them to access company and personal data.
SMEs are strongly encouraged to conduct a robust risk assessment of their information security measures in both physical and cyber aspects. Once they have clarity on what is at stake, they can then prioritise the necessary resources and controls required for proper cybersecurity management, in accordance with their risk appetite.
In order for robust cybersecurity practices to be implemented and for them to remain effective, it is essential that buy-in is obtained from an organisation’s personnel, including third parties, to ensure compliance.
Thus, it is important that practices be implementable, practical, and subject to testing and regular improvements across time when operating in a dynamic environment.
Not only that, it has also become increasingly necessary for information security professionals to strengthen their people and management skills as they advance to C-suite roles such as Chief Information Security Officers. Doing so would enable them to garner better buy-in from an organisation’s upper management.
Singapore is moving towards an exciting phase of digital transformation where SMEs are no longer limited by their size and resources in developing good business ideas. As technology companies expedite product launches to maximise investment opportunities, it becomes harder to maintain a balance between convenience and security in a commercial setting.
User experience is important to gain technology adoption, but security cannot be an afterthought, especially when the data being stored, processed and shared across borders is a critical asset of the company.
As more SME business owners move towards a digital business model, it is important that they employ a more holistic view towards digitalisation and cybersecurity to account for any potential risks. When Singapore SMEs can protect and leverage their data properly, they can then establish their brands and legacies for resilience, sustainability and longevity.
This article originally appeared in the Entrepreneur's Digest print edition #92 and has been edited for clarity, brevity and for the relevance of this website.
About the Author
Yvonne Wong | Associate Director, DPO | Association of Information Security Professionals (AiSP)
Yvonne focuses on enhancing companies’ capacity building in governance, risk and compliance through risk management, privacy management and change management. She works with companies in managing business continuity and information security. She facilitates people competencies in SMEs through training.
Through years of consultancy experience, Yvonne is familiar with organisations’ operations, challenges, brand implementation, and capacity building for industries. As the Associate Director in AiSP, she leads the Secretariat team to raise the professional standing of information security personnel in Singapore.