Mention cyber attacks in Singapore and the IHiS, Singtel and the Ministry of Defence (MINDEF) data breach incidents will come to mind. One might think that due to the size and amount of data that they hold, these large organisations will be prime targets for attackers.
However, that does not seem to be the case. A new study by networking company Cisco, which surveyed 3,700 small and medium businesses (SMBs) across Asia Pacific, has shown that a significant percentage of small companies are facing cyber attacks as well.
In the last 12 months, about 40% of SMBs in Singapore suffered a cyber incident. As a result of these incidents, 56% lost customer information to malicious actors.
Furthermore, these attacks have a tangible financial impact. More than half (51%) of SMBs in Singapore that suffered cyber incidents in the past 12 months said the financial impact of those incidents on the business was US$500,000 or more, with 11% claiming that the impact was at least US$1 million.
Understandably, SMBs are worried about such risks as they have been “digitalising rapidly over the last 18 months, driven by the need to leverage technology to survive and thrive in this challenging environment,” says Andy Lee, managing director for Cisco in Singapore and Brunei.
This increased digitalisation has led to an increase in the “attack surface” that can be exploited since SMBs may not have the financial muscle to employ the multiple layers of security that larger corporations have.
Malware has been the most common form of attack, with 79% of SMBs surveyed saying they have experienced such attacks in the past year.
Beyond the attack itself, disruptions caused by cyber incidents can have serious implications for SMBs. The majority (93%) of SMBs in Singapore said that downtime of more than an hour results in severe operational disruption, and 90% claimed it would result in loss of revenue.
Furthermore, over a third of SMBs (36%) said that downtime of more than a day would result in the permanent closure of their organisation.
In spite of these significant implications to business, only 8% of respondents in Singapore are confident of detecting a cyber incident within an hour. The number of those who are able to remediate a cyber incident within an hour is even lower at 5%.
The good news is that SMBs in Singapore are actively taking steps to understand and improve their cybersecurity posture.
Cisco found that most local SMBs have completed scenario planning and/or simulations for potential cybersecurity incidents (72%) in the past 12 months, and have cyber response (78%) and recovery plans (81%) in place.
82% of respondents who completed scenario planning and/or simulations uncovered weak points or issues in their cyber defences.
Of those that identified weaknesses, 94% said they had the right technologies in place, but lacked employees with the right skills to leverage them. A similar number found that they had too many technologies and struggled to integrate them.
The good news is that SMBs are increasing their cybersecurity budget. Across the board, 80% of SMBs in Singapore have increased their investment in cybersecurity since the start of the pandemic.
However, Juan Huat Koo, who is Cisco’s director for cybersecurity for the ASEAN region, points out that “cyber security is not just about investing money to buy solutions and blocking certain threats that come along your way.” Instead, he sees communication as key in helping SMBs strengthen their cybersecurity.
Similar to hackers, SMBs need to stay on top of evolving threats by communicating not only internally, but also externally.
“SMBs that are well-equipped to meet a security event [are those that] talk about the issue more frequently. Talking about cyber threats more frequently [can help them find] ways to respond to cyber attacks [swiftly and effectively] to mitigate their impacts,” Koo says.
In addition, he advises SMBs to find “a more holistic integrated platform approach” that can simplify cybersecurity in their IT environment. Koo observes that the “traditional method” of having one solution to address one cyber threat means that SMBs end up with a huge variety of cybersecurity solutions, which may not be able to integrate with each other and other IT systems effectively.
The report also recommended that organisations constantly train and educate employees from all departments, instead of just the IT department, on good cyber hygiene practices. This will ensure that everybody in the organisation does the right thing when it comes to cybersecurity, given that connectivity does not lie with the IT department alone.
Besides that, organisations should find the right technology partner that can help better secure their operations. “Gone are the days where cyber security is just about putting a firewall, or endpoint antivirus,” Koo says. Instead, with the larger attack surface that digitalisation has brought to companies, they need a technology partner that can protect their networks end-to-end, even with things like remote working and devices out of the office.