As SMEs begin to embrace the wave of technology transformation to change the way they do business, it will be critical to stay vigilant against the increased exposure and vulnerabilities that come with it. Cyber threats are not limited to just large organisations anymore. The Business Times reported in a poll that at about 56 percent of SMEs have been exposed to cyber error or attacks in Singapore during the previous year. However, despite more than half of those surveyed had been a target of these cyber incidents, nearly 63 percent of them felt they were less vulnerable to cyber incidents than large organisations, and only 44 percent of them improved cybersecurity measures after these incidents. This highlights the prevailing under-preparedness and awareness amongst small and medium enterprises towards data protection.
SMEs have a broader exposure for risk than larger organizations because of the lower financial ability to adopt more expensive, comprehensive cyber products. Phishing, Ransomware and Business Email Scams are common cyber incidents in Singapore, as reported by the Cyber Security Agency of Singapore (CSA). Nearly a third of SMEs in Singapore have been attacked by ransomware and phishing, with 20 percent of these having to close shop consequently. As per the 2017 CSA report out of more than 2040 website defacements identified in Singapore, the majority were of SMEs across various industries.
The evidence is out there. The impact is critical. So what are some of the ways small and medium enterprises can build up their protection against threatening cyber incidents?
Identity and Access Management
For an SME, its assets are critical to delivery and success. One should identify which of these assets and data files are crucial to keep operations running and require protection from cyber incidents. Identity and access tools can be installed to increase security against unauthorized access to these assets. Multifactor authentication and administrator privileges are an excellent way to limit access and put in barriers for cyber attackers.
NEVIS Security Suite of AdNovum, Singapore based Identity and Access Management company, provides high-level security measures against cyber attacks. For more than 30yrs they have protecting millions of digital identities for various government organisations and leading Financial Institutes. And, so far reported zero-outage for Singapore – based projects.
System Back-up Solutions
Incidents such as ransomware attacks take your files hostage in exchange for payment. Cyber attackers encrypt the data and threaten release only when payments done. However, it is essential to note that paying the ransom still does not guarantee that your files get returned. Therefore, investment in system back-up solutions is critical to ensure such incidents do not cripple the business. It estimates that each hour of downtime and system failure can cost enterprises to at least S$20,000 in Singapore.
There are many providers in the market to choose from. For example, Singtel provides the Business Backup Suite product to store a copy of your data from physical workspaces and servers in highly secure data centers. These data centers are SSAE 16, and MTCS-Singapore certified, and Tier IV designed. The Business Backup Suite will recover and restore with zero lead time in the event of a data compromise/incident.
In addition to Ransomware, Spear Phishing is also prevalent. Attacks are disguised in email attachments, enticing the reader in the organization to open the attachment. A personal email send to the reader with an attachment that links to a site that steals information. Spear phishing emails could be sent to employees of small and medium enterprises to take financial details, transfer funds, or remotely wipe workstations. One way to protect against Spear Phishing is by installing robust email security solutions that include anti-virus and anti-spam solutions that can block these before damaging the organization’s networks, and solutions that scan email content for such attachments.
Connectivity Global, a Singapore based company which provides protection against Spear Phishing Emails and Mallware attacks. Their hero product, Receive GUARD has proven track record in providing such solutions.
With the growing adoption of smartphones and portable devices to do business work such as to check emails or financial transactions on the go, these devices are additional cyber incident targets to consider protection for during the operations of the small and medium enterprises. Attacks are not just limited to computer devices anymore. These portable devices lack the high-quality data encryption features necessary to conduct business, leaving them vulnerable to attack.
Mobile malware can infect when checking email on smartphones or is usually disguised as mobile apps that are designed to appeal to users, generally as mobile games. Mobile gaming is rapidly gaining popularity. Upon download, the malware infects the data on the phone, allowing the attackers to steal information and transfer funds.
SMEs must introduce policies on using smartphones and portable device to conduct business work only. Giving employees a separate work phone that limits restrictions of what can be downloaded and automatically updates all the required protection and firewalls is a useful way to maintain protection against threats.
Resources and Grants
The Cyber Security Agency of Singapore works closely with Trade Associations and Chambers to provide resources and grants to its SME members to strengthen its cybersecurity preparedness. Infocomm Media Development Authority’s SMEs Go Digital Programme also integrates cybersecurity support in collaboration with the Cyber Security Agency of Singapore.
SMEs can seek specialist advice around cyber technologies from the SME Digital Tech Hub. The Cyber Security Agency separately also advises small and medium enterprises on pre-empting and preventing cyber incidents. Their Singapore Computer Emergency Response Team (SingCERT) further supports SMEs respond to cybersecurity incidents and can be contacted in the event of an incident to provide comprehensive ransomware resolution support.
Moreover, last but not least, perhaps the most integral part, underpinning cybersecurity incident protection involves an organization’s employees and an attitude of responsibility.
A Culture of Data Protection
An organization is only as strong as its culture. It is critical to inculcate a culture of data protection in your small and medium enterprise. It includes going beyond the IT department to ensuring all employees understand the vulnerability to cyber incidents and instilling a sense of responsibility towards data protection in all employees. Enterprise-wide cybersecurity training rollouts that educate employees on types of threats, response management, data storage, and access management can be extremely beneficial. These should be made mandatory as part of new employee onboarding as well as routine training updates.
Singapore government also offers subsidies for cybersecurity awareness courses available for Singaporean and PR employees in SMEs, as part of continuing education efforts. These are a great resource to tap on as well.
As technology use expands and Singapore moves towards its SMART Nation initiative, cybersecurity protection is an imminent responsibility to protect the future of small businesses. The levers described above are key to this.
In our next series, we will also explore in further detail the fast-growing expansion of cyber insurance in the market…