SMEs: The economic backbone of Singapore and prime target of cyberthreats

Digital transformation is a congruent topic that generates buzz among business leaders worldwide. Contributing to the hype are new tech tools that enable organizations to boost productivity and collect exponentially more data. But at the peak of technological advancement, small and medium-sized enterprises (SMEs) are reminded of elevated cyber risk. Data-rich SMEs are at the center of a cyberattack frenzy and the pressure to reinforce cybersecurity measures continues to mount. 

The same is especially true for SMEs based in Singapore. According to Tommy Foo, Senior Director, International Marketing APJ and MEA, Acronis, “Nearly 70% of Singapore’s labor force works for SMEs. These businesses contribute to more than 45% of the country’s nominal gross domestic product.” SMEs are an economic pillar for Singapore and the race to protect organizational and client data is critical to the country’s livelihood. 

Foo led an in-depth interview with IT security and business experts from startups to Fortune 100 companies at a recent event. Joined by a six-person panel of renowned IT security and SME business leaders, Foo and the panelists united to redefine the threat landscape, identify the security challenges of SMEs, explore industry insights and share their expertise in an era of digital transformation with a focus on Singaporean and Asian markets.  

Between strict budgets and a shortage of IT expertise, many SMEs are trepidatious about developing cybersecurity strategies and safeguarding their business resilience. In fact, SMEs are willing to take the risk and gamble that they will not be attacked. Conrad Chan, interview panelist and Product Portfolio Lead, M1 Limited, explained, “For most of the SMEs that we have interacted with and spoken to, some believe that being the victim of a cyberattack is as likely as striking the lottery — that the odds are slim. They do not know where to start and have few resources. Cashflow is a daily concern, and businesses worry about how much it costs to build up IT security infrastructure. But help is available to SMEs.” 

Limited resources are a resounding challenge that plagues SMEs as well as an overall lack of awareness that leads organizations to question the importance of reinforcing cybersecurity. On the panel, Dr. Aleks Farseev, Co-founder and CEO, SoMin.ai, added that people and businesses do not understand data protection and privacy in the context of their organizations’ systems. Farseev said, “We need to make sure that people actually understand what they're dealing with and when they examine their security infrastructure, they should have a mindset of asking themselves, ‘If I’m using this service, which is incredibly easy to use, then where does my data go and what is going to happen with it once it is processed? What are the possible consequences of my employees using this service?’ Once management is trained to ask these questions when vetting certain solutions to the company, they then become not just more efficient, but also, by design, much more secure, because they will adopt critical thinking around security.” 

Despite a lack of awareness, many SMEs also do not acknowledge the gravity of cyberattacks. Organizations are heedless of the financial, reputational and operational consequences that follow a breach. 

Turning a blind eye to the hidden dangers of ransomware could destroy businesses. According to Dennis Chung, Chief Security Officer, Microsoft, “Ignorance will kill your business. I’ve seen businesses affected by ransomware through phishing entry point techniques and subsequently paid the ransom. Paying is not just about getting your data back. You do not know who the other side is. You could be paying and funding terrorism. The money could travel to a sanctioned country, and you are indirectly violating regulations that would close your business.”  

Chung has leveraged over 16 years at Microsoft and the executive shared his firsthand experience working with organizations that had been affected by ransomware. Chung brings awareness to not only the financial impact of ransomware, but also the ethical uncertainty that ensues if a business chooses to pay the ransom. Ransomware gangs are often a part of larger, organized cybercrime and businesses that fulfill ransom demands unknowingly fuel nefarious behavior that perpetuates future attacks. 

Other panelists also agreed with Chung, including Kevin Reed, CISO, Acronis. “One of the largest issues is that it is difficult for businesses to understand and accept the increasing risk associated with phishing and other cybersecurity risks,” Reed began. “For average, non-tech-savvy people, it is extremely hard to comprehend ‘what is going on’ in an attack, so getting that knowledge front and center is a tremendous step toward enabling them to make informed decisions on what is relevant to their SME as an owner and as an employee.” 

Reed emphasized the uphill battle that cybersecurity leaders and SMEs are up against when it comes to breaking down and explaining security in a bit-sized way that is meaningful to business owners, executives and decision makers. Reed said that most victims are small and medium enterprises. The common misconception is that ransomware-affected businesses are large, multinational organizations, and this is simply untrue. 

Andy Choi, Deputy Director, IMDA, added that SMEs are overconfident about their current security measures. Choi said, “Looking at the adoption of all the solutions IMDA provides, security solutions are unfortunately one of the lowest among all the categories and I think that's because companies overestimate how safe they are.” 

The assumption that conventional security measures remain effective throughout the years is all too common. Instead, SMEs should frequently reexamine their security approaches and take proactive actions to reinforce protection. 

Developing security strategies for SMEs is not an afterthought but rather a journey that should work with a business’s digital transformation. As SMEs adopt tools and collect more data, business and IT leaders should question the potential cyber risks and vulnerabilities these solutions may introduce to IT infrastructure. The criticality of building robust, holistic security measures cannot be overstated for SMEs, and in particular, the need for improving cybersecurity and data protection measures is integral to Singapore SMEs — where the country’s economic growth and vitality of its workforce thrives on SMEs. The challenge of cybersecurity is indeed a conundrum, but with informed strategies and proactive measures, SMEs can navigate this digital era more securely.