How Singapore SMEs can boost their cyber defence postures amid recent data breaches

The K Box data breach in September and recent incidents involving the leak of customer data by popular online shopping sites have led to a reassessment among Singapore SMEs of their cyber defence postures.

Their concern is borne out by results of a recent Singapore Business Federation Survey which found that 30% of our local enterprises had been a victim of a cyber attack, most of which took about one to three days to recover.

A 2013 IDA report revealed that although infocomm security adoption is rising among local SMEs, only 21% have in place an intrusion detection system to prevent data leakage.

Instead of scambling to boost their defence postures after a cyber attack, SMEs can proactively adopt four essential steps to reduce the risk of data breaches.

1. Install anti-malware software on company computers

Malware is a broad term that encompasses viruses, spyware, adware, trojans, worms, etc. Ensure that the software is up-to-date and trouble-free by installing the latest patches and updates.

2. Encrypt sensitive personal data "at rest" and "in transit"

Data encryption changes information on the computer into unreadable codes. Sensitive personal data (e.g., names and NRIC numbers) that are saved on the company's desktops, laptops, or any other local storage ("at rest") should be encrypted.

The scale of encryption (full disk encryption, file system-level encryption, etc.) depends on the sensitivity of the data concerned. Use encryption keys (which "unlock" the encrypted drive) of longer lengths to ensure greater protection against brute-force attacks, which aim at cracking the encryption password.

Data "in transit" refers to data that moves across public or unsecured networks such as the Internet or private networks such as the company's Local Area Network ("LAN"). Protocols such as Secure Socket Layer ("SSL"), Transport Layer Security ("TLS"), or Internet Protocol Security ("IPSec") help encrypt personal data sent to or from external networks.

SMEs should also implement Virtual Private Networks ("VPN") to prevent unauthorised access to the organisation's system when their employees require access in public areas. Passwords should be complex and changed regularly, but relying on usernames and passwords alone to secure VPN access is not enough. Organisations should also implement two-factor authentication ("2FA") for VPN access.

3. Put in place stringent processes to track the collection, storage, use, and disposal of personal data

This entails assigning access rights according to strictly defined roles with no overlap in duties, e.g., an executive cannot grant access rights to himself/herself. A good example of an organisation with a stringent personal data storage framework in place is IT retail chain Challenger, which, according to a local news report, stores its members' sensitive data in a server locked in a room accessible only via fingerprint scanning.

4. Get external help to audit your defence posture – for free

The Infocomm Security Starter Kit (ISSK) was launched by the IDA to promote the adoption of infocomm security measures among organisations, especially SMEs. SMEs can make use of the online self-help tool to assess their IT security plans, IT infrastructure setup, as well as security policies and governance. SMEs can approach the SME Infocomm Resource Centre (SIRC) for more information.

As the threat of data breaches becomes more real and pressing each day, SMEs can no longer rely on third-party contractors or their IT departments alone to mitigate the risks, especially when consumer confidence is at stake. Cyber security should be a management-level priority involving senior management at every level of the decision-making process.