During the Committee of Supply debate in February, Minister for Communications and Information Josephine Teo underscored the importance of digitalization and highlighted cybersecurity as part of national security.

Cybersecurity is an essential aspect of business survival that small-medium enterprises (SMEs) often ignore. They cannot afford to. With 40 percent of cyberattacks in Singapore targeting SMEs, all it takes is one successful cyberattack to jeopardize a company’s survival.

While it is understandable that cybersecurity can be a hefty investment for some SMEs, the government has taken the lead by empowering SMEs in a multi-pronged approach, including upskilling tech professionals and bridging the cybersecurity gap for SMEs.

These initiatives will take time to come to fruition, but in the meantime, businesses should take a proactive approach to ensure that their cybersecurity posture is in top form. This means bearing cybersecurity in mind throughout the life cycle of product development, and not merely as an afterthought.

SMEs at risk

SMEs often deal with limited funds and resources; thus, investing in a specialized cybersecurity department or hiring experts to run their cybersecurity systems may be at the bottom of the priority list. Especially after the onslaught of Covid-19, many SMEs are struggling to tide over the pandemic period and, consequently, would not allocate funds to cybersecurity, prioritizing their survival first. Small companies may also assume, much to their detriment, that they are not attractive targets for cybercriminals due to their size.

The reality tells a different story. Cybercriminals are cognizant of these vulnerabilities, and they continually attempt to exploit these pitfalls opportunistically.

Case in point: in a 2021 study by Cisco, more than 93 percent of SMEs in Singapore reported that cyberattacks had cost them at least an hour of downtime due to severe operational disruptions, which ultimately led to financial losses. In serious cases, 36 percent of SMEs that suffered more than a day of downtime saw the permanent closure of their business. This can be attributed to the fact that they are still in the early stages of their business and thus do not have sufficient cyberattack risk management strategies in place to guard against such attacks. If an attack does happen, they may not have adequate funds to cushion them from the blow.

On top of that, cyberattacks can also severely damage a company’s reputation in the long term, especially in highly publicized cases. In 2017, for instance, an attack compromised the personal data of 5,400 Singaporeans. This incident received widespread coverage in the media, and many customers expressed their frustration and worry about the breach. AXA’s overall reputation was affected, with commentators calling the incident a “reputation debacle”. When customer trust is broken, customers may choose to take their business elsewhere, and this may consequently affect a company’s financial standing or even cause a company to fold.

One common window of opportunity for cybercriminals to compromise organizations is software that was acquired years prior but was not regularly updated and patched, leaving it with vulnerabilities. Additionally, many SMEs use open-source database technology, and tutorials readily available to the public online recommend the use of standard ports. This puts the entire database at risk of being compromised through a standard port on an open-source database.

Singapore is one of the most targeted regions for ransomware attacks in the world, and prevention is evidently better than cure—it may take years for a company to rebuild its reputation and recover from the attack, which will cost much more than if it had taken the necessary precautions to prevent the attack in the first place.

Sixty percent of startups fold within 6 months of a cyberattack if they are not sufficiently prepared against such attacks. This presents a very real problem in the world today, especially with many companies shifting their processes and services to be entirely digital.

Third-party risks

As business opportunities in the Internet of Things (IoT) grow, everything is becoming more connected and can be easily accessed from the internet. This presents a major vulnerability: if a device or system can be easily accessed from the internet, cybercriminals can also easily access those devices without consequence.

Most organizations work with at least one third-party vendor, which presents a key security vulnerability. For example, if a company has its cybersecurity defense systems in place but its third-party vendors do not, data leaks could still occur. Third-party vendors are great avenues for cybercriminals to gain access to data, and this risk should not be taken lightly.

It has been found that 98.3 percent of organizations worldwide work with at least one third-party vendor that has been breached in the last 2 years. Furthermore, the cost of a third-party incident could range from $0.5 to $1 billion, according to Deloitte. Data breaches will incur significant costs if they significantly impact reputation, compliance and financial position.

This is evident in the MyRepublic data breach incident in September 2021, where the personal information of about 80,000 customers was accessed illegally. The breach occurred on a third-party data storage platform that MyRepublic was working with. As a result, MyRepublic was made to pay a fine of $60,000 for failing to take necessary precautions to ensure their customer data was kept secure.

It goes without saying that companies should not just be mindful of their own cybersecurity posture, but also be resilient against indirect third-party risks.

Compliance with cybersecurity regulations

To counter the growing threat of cyberattacks on the country’s digital infrastructure, our government has established a few cybersecurity laws in the last decade, including the Personal Data Protection Act in 2012 and the Cybersecurity Act in 2018. Companies must also adhere to industry-specific guidelines and standards, such as the MAS Technology Risk Management Guidelines and the Telecommunication Cybersecurity Code of Practice. Regular cybersecurity audits can help companies assess their risk levels and strengthen their security posture. Failure to do so may potentially cost them more if an attack successfully occurs.

In July 2018, Singapore’s largest healthcare group, SingHealth, suffered a massive loss of $250,000 when a data breach compromised the personal data of 1.5 million patients, including that of Prime Minister Lee Hsien Loong. The breach was due to a non-compliant IT vendor who failed to implement adequate security measures.

Protecting your company assets

It is often said that a chain is only as strong as its weakest link. For all the effort and passion that goes into building a business, leaders cannot afford to overlook laying the foundation of its security system.

Implementing a governance, risk and compliance (GRC) framework as part of the cybersecurity strategy is therefore essential for businesses to manage their overall governance, enterprise risk management, and compliance requirements. Furthermore, it is recommended that organizations take a consolidated approach to cybersecurity: optimize the number of software vendors they partner with and screen those vendors for the cyber hygiene measures they have in place, further limiting exposure to risks.

While not every household might have the means to hire security guards round-the-clock, security measures have fortunately become more advanced and more cost-efficient. In the same vein, SMEs now have a plethora of cybersecurity solutions to choose from. This is particularly important for SMEs looking to scale up their businesses. After all, it would be challenging to inspire confidence in investors who are increasingly wary of the cyber risks that might come along.

Before looking to expand your house and increase its capacity, don’t forget to ensure that the house is safe against opportunistic threats.

Pramodh Rai is the CEO and Co-founder of Cyber Sierra. Over the past decade, Pramodh has built and scaled technology products as well as teams for companies across the Asia Pacific. He has served as CTO at proptech company Hmlet (funded by Sequoia, Burda), and as an early team member and CPO at fintech firm Funding Societies | Modalku (funded by Sequoia, Softbank). Pramodh is an active advisor and angel investor in startups globally. Pramodh started his career in Technology at Barclays Investment Bank, after graduating from Nanyang Technological University with degrees in Computer Science and Business.

TechNode Global INSIDER publishes contributions relevant to entrepreneurship and innovation.