What are the real threats to Singaporean businesses?

When Singaporean businesses assess the risks they face, at both the domestic and regional level, a range of dramatic scenarios easily catch the imagination. Marauding rioters, catastrophic fires, and natural disasters are tangible threats to operations, supply chains, and a company's ability to sell its goods and services. While these events do occur, and are well covered by the media, are they really the biggest risk to local business?

Singapore, with its world-leading building standards and civil defense apparatus, doesn't suffer too many commercial building fires. But almost all local organisations will have insurance and contingency plans focussing on physical risk (business continuity plans and insurance coverage, for example). All of this effort and planning when, in reality, they are far more likely to have their business disrupted by a cyber-attack than their premises burning down.

It is not just businesses that are at risk of a cyber-attack. Governments are under threat too. The recent hack of the SingPass system shows just how vulnerable even the best systems can be. No matter the cyber-security resources invested, holes in computer systems can, and will, be found. The question for local businesses has moved from ‘is there a threat?’ to ‘how do we deal with this risk?’ And the stakes are becoming increasingly high.

The increasing frequency of high profile attacks shows just how vulnerable private and government systems can be. Even an access point as important as SingPass is not 100% secure. When it comes to cyber-security it is important to remember – no system is immune.

Cyber-security is something that needs to be taken seriously in Asia. It is encouraging to see governments all over the world being increasingly open about these sorts of incidents. While commercial institutions may have more to lose financially in a major cyber-attack, they are also less likely to openly disclose such incidents. A culture of silence does nothing to improve overall security standards.

It is only right that those who are in possession of sensitive personal and commercial data have an obligation to put in place appropriate security systems. There is now a growing feeling that tighter cyber-security regulations are needed.

The penalties for committing cyber-crime are becoming more serious and, all around the world, liability for breaches of cyber-security is moving from IT teams to senior management and directors. Businesses that treat cyber-security as an ‘incidental risk’ are exposing themselves to severe penalties.

In Singapore, the upcoming implementation of the Personal Data Protection Act (PDPA) is the first major piece of cyber-security legislation to be put in place. A successful attack which brings down systems and exposes personal data now exposes companies to a wide range of costs.

Companies need to protect themselves from the fallout of a successful attack – including suitable insurance coverage, the costs of forensic expenses, voluntary notification costs, legal and PR expenses, and more importantly, loss of income and extra expenses incurred for data restoration. Almost every current survey of board members’ concerns has cyber-risk right up there at the top of the list, but are management being sufficiently pro-active?

After very public incidents like the SingPass attack, there is no longer an excuse for businesses to not have comprehensive contingency measures and coverage in place.