Cyber attacks on small and medium-sized enterprises (SMEs) have wider economic implications, as they are often easy targets for cyber criminals looking to hack into large corporations that these firms work with, speakers at the National Security Conference 2016 warned yesterday.
“No business is too small to be hacked and used in cyber attacks. In fact, small businesses offer a perfect cover for hackers,” said Dr Yaacob Ibrahim, Minister for Communications and Information and Minister-in-charge of Cyber Security, in his opening address.
He cited the example of Cate Machine and Welding, an American family business in rural Wisconsin that was commandeered by hackers to stage cyber attacks on targets across the world, including a major Manhattan law firm, one of the world’s biggest airlines, a prominent university and other organisations in Thailand and Malaysia.
Mr Vincent Loy, PwC’s Asia-Pacific financial crime, cyber, data and analytics leader, said SMEs are easy targets due to their lack of expertise and preparation in dealing with cyber threats.
“Criminals know that SMEs are not very (well-equipped) in cyber security — they are thus perfect targets. The reason is that SMEs are connected to the whole ecosystem and criminals will go for the lowest hanging fruit … they will be used as an avenue or entry point to bigger companies,” said Mr Loy.
This is why SMEs should prioritise beefing up their security systems, even though such matters are usually accorded lower priority in the current uncertain economic conditions and slow growth, said Mr Teo Siong Seng, chairman of Singapore Business Federation, the conference organiser.
“As more businesses increase productivity by digitising data, automating processes and offering services online, they become more susceptible to risks online,” said Mr Teo in his welcome remarks.
“If companies are secure and resilient, that will add value. If I’m a customer, I would want to work with a company with proper cyber security, one which can prove to me that if there’s an attack, it can continue to operate,” he told reporters later on the sidelines of the event.
And as cyber threats continue to evolve, it is important that companies enhance their ability to recover from security breaches, the speakers said.
“Conventionally, the emphasis was on building defences. We are talking about robust systems that by definition means you can’t afford it to fail … But we’re moving to a stage where we have to think about resilient systems where you are going to fail despite your best efforts but outline how you are going to recover,” said Mr Devadas Krishnadas, chief executive of management consultancy Future-Moves Group.
Fellow panellist Tammie Tham, chairman of the CyberSecurity Chapter of Singapore infocomm Technology Federation, said it is a matter of when, not if, companies get compromised. “Not all cyber attacks originate externally … It can be compromises from within: A disgruntled employee who misuses data or an honest mistake by a long-time employee that corrupts your most valuable data. What will happen to your business? This will test your ability to recover in order to continue your business … and limit the damage arising from these compromises.”