Importance of Cybersecurity for SMEs

Cybersecurity is now an integral part of business models – or should be.

As Singapore’s economy becomes increasingly digitalised, it is important for businesses here to develop their cybersecurity defences. This is especially important for small and medium enterprises (SMEs), which currently account for 99 per cent of the nation’s enterprises, two-thirds of our workforce, and almost 50 per cent of the nation’s Gross Domestic Product.

Already, Business-to-Consumer and Business-to-Business are conducted mainly through digital transactions. This includes making online payments through credit cards and other forms of smartphone payment. For businesses, a data breach may result in high legal costs and a loss of brand reputation.

According to the 2016 Internet Security Threat Report by cybersecurity company Symantec, small businesses accounted for 43 per cent of all phishing attacks globally. In addition, the IEEE Computer Society Digital Library’s report, Cybersecuring Small Businesses, argues that small businesses tend to be easy prey for cybercriminals due to their unprotected networks. By targeting smaller businesses, cybercriminals can easily exploit their security gaps to gain access to their customer data and also that of the larger corporations that these small businesses work with.

Challenges that SMEs faced in Cybersecurity adoption

Increasingly, the cybersecurity infrastructure of a company is assessed as part of their overall risk portfolio. Good cybersecurity infrastructure reassures customers and maintains customer loyalty.

Yet, while SMEs are aware of cyber threats, they have not done much to protect themselves. One of the problems they face is a lack of expertise within their organisations. As observed by Minister for Communications and Information Yaacob Ibrahim in Budget 2016, small companies do not have the necessary IT capabilities or knowledge to enforce cybersecurity practices in their businesses. He added that, in 2016, there were still 15,000 vacancies in the information and communications technology (ICT) sector, unchanged from 2014. In 2012, data from the Economic Development Board (EDB) showed that only 0.8 per cent of Singapore’s 144,300 ICT workers were IT security specialists.

This lack of IT expertise in turn reflects the companies’ priorities, with cost being naturally one of their greatest concerns. For SMEs struggling to stay afloat amidst greater local and global challenges, the cost of adopting cybersecurity best practices would add to their financial stress.

Current government initiatives to help SMEs with Cybersecurity adoption

The government has taken measures to help SMEs protect themselves from cyberattacks. Existing cybersecurity frameworks for businesses aim to raise awareness as well as educate the workforce on keeping their network secured. Some of the programmes introduced are the Employee Cybersecurity Kit, and an awareness programme that educates and sensitises C-suite executives to potential cyber threats.  However, these measures may not solve the most pressing issue at hand.

A study by the National Cyber Security Alliance in the United States estimated that 60 per cent of businesses ceased operations within six months of a cyber breach. What companies need urgently is short-term help to tide them over the lack of cybersecurity defences, while they build up their long-term capabilities.

Action plan to improve cybersecurity among SMEs

One form of short-term help is cyber insurance for all-rounded protection for smaller businesses.

A single cyberattack on a typical SME in the US with about 100 employees costs US$3.5 million (S$4.7 million) on average, with costs spread between legal suits or remediation efforts, noted Bill Chang, Singtel’s chief executive officer. While no comparable information is publicly available for local SMEs, a cyberattack could similarly be a fatal blow.

Insurance companies do offer cyber insurance coverage, which could include investigation expenses, legal and public-relations costs, business income loss and Internet media liability coverage. Coverage protects SMEs from financial stress, and buy them time to recover from the aftermath of a cyberattack.

However, this market is still underdeveloped internationally. There is low subscription for it in Singapore as well, and this is probably due to the lack of awareness and high premium prices.

The government and businesses need to realise the importance of cyber insurance as a short-term protection for businesses. The government should play an active role in making cybersecurity insurance more accessible to SMEs – by pushing down the premiums or offering subsidies and grants to businesses buying cyber insurance – but for a limited period, so that SMEs would hopefully still be motivated to find their own sustainable solutions for the long term.

Other short-term help includes making sure more cybersecurity health clinics are made accessible to SMEs, e.g. Singapore Computer Emergency Response Team (SingCERT), which responds to cyber security incident by providing technical assistance and coordinates responses to security breaches. This could help SMEs find and eliminate security bugs in their system.

As Singapore moves towards its Smart Nation goals, cyber threats will multiply. Cyberattacks could have a crippling effect on our economy if we do not have strong cybersecurity defences.

The government needs to embrace a two-pronged approach towards better adoption of cybersecurity in SMEs, which includes developing their short-term capabilities to counteract a cyberattack, and their long-term strategy to build up future IT capabilities.  But a vibrant private sector with sustainable enterprises must ultimately level up and pull its own weight.

However, it is hard to see how companies could be jolted out of their complacency without their witnessing a major cyber breach with serious financial implications for companies in question. This could come sooner than expected.

Chua Mei Yun is a fourth-year undergraduate at the Singapore Management University, majoring in Economics. She was an intern at IPS from April to July 2017.

Top photo from IStock.