Singapore SMEs and start-ups risk massive loss

In late 2014 the Infocomm Development Authority (IDA) announced the launch of the Infocomm Security Starter Kit to help businesses, especially SMEs, to adopt a wider range of information security measures.

While this was widely received as a positive move, there are still concerns that Singaporean businesses are not treating cyber risk seriously. And this is a real concern, given that small businesses often have much more to lose from a major cyber attack.

Media outlets recently announced that a successful cyber-attack had cost a number of large banks an eye-watering US$1 billion. The scale and brazen nature of this attack comes on the back of a call to action by the US authorities, and numerous other high profile incidents both internationally and in Singapore.

Cyber security is hot right now. The risks and cost of a successful cyber-attack are well understood, and no doubt a large number of financial institutions are popping down to Challenger to buy the latest McAfee security suite. But are the banks really the ones with the most risk when it comes to an attack?

A billion dollars sounds like a lot of money…it is a lot of money. But for large, multinational organisations, this number is – and it's not an easy thing to say - insignificant. A part-share of a billion dollar loss will not bring down a major bank. The loss will probably barely register on the share price.

These losses will, perhaps, even be covered by insurance – which large MNCs understand the need for. A billion dollar loss could even be considered insignificant when compared to the theft of a line of code being developed by a local start-up or Small and Medium Enterprise (SME). It's a matter of scale.

What's an idea worth?

As the Singaporean Government encourages innovation and start-up culture, local SMEs and investors need to take another look at their exposure to risk. In the highly competitive 'knowledge economy', businesses need to ask themselves what their ideas are worth and what are the real risks they face?

Biotech, R&D, App development, software coding are all areas where company value is measured in ideas, rather than real-estate value, manufacturing plants, or dollars in the bank. One line of 'disruptive' coding might be worth the entire value of the company.

And yet SMEs generally take an 'it couldn't happen here' approach to risk management, hacking, and data theft. Realistically though, it is happening - all the time. So what should Singaporean SMEs be doing? And what should investors be looking for when it comes to cyber risk management?

What can you do?

Firstly, SME owners and investors need to be aware of cyber risk and should seek to understand the impact and solutions needed for strong levels of security. Operationally, companies need to set up specific lines of defence:

Policy and regulation: Even in small businesses, companies need to introduce policies on how employees use data, how it is collected, and by what means it is transmitted. Many hacks and data losses come from within businesses.

IT Operations: IT departments and contractors need to put in place best-practice security, encryption, and fire walls. Additionally, they should introduce security testing.

This can be done by hacking your own system and assessing what data would be of interest to a hacker. How would they get into your system? How would you know they had gotten in? IT departments should have clear deliverables and KPIs based around security preparation and performance.

Crisis management: No system is 100% secure. If a breach did occur, how would you respond operationally? What role would specific and general staff have? Your policies and approach to media and client enquiries should be well defined.

Financial protection: What losses can your P&L insurance coverage stand? What cover does your existing insurance provide?

Cyber risk is usually a third-party cost under a public liability policy. But what about first-party costs to your business? What will the cost of reinstatement, data loss, and loss of profits be? Are you prepared for these unexpected costs?

With such high-profile incidents, businesses can no longer plead innocence when it comes to cyber risk. You have been warned, and the threat is very real.

Will daylight robbery change the world?

If a hacker can, metaphorically, walk into a bank and steal thousands, hundreds, millions, and billions of dollars, then it is fair to say all businesses are at risk. After all, banks generally invest heavily in data security.

But small business owners, especially ones who are pushing 'innovation' as an investment pitch, should also consider just how much they have to lose from a successful cyber-attack.

A billion dollars is nothing to a large bank when compared to an SME who loses everything. The bandits are out there, and they can succeed.

SMEs, and investors, need to ask how they can minimise the risk of an attack, but also how they can protect their investment if such an attack is successful.