Shaping cyber secure SMEs

Small and medium-sized enterprises (SMEs) could do more to shore up their cyber defences, and doing so will not necessarily require very expensive investments, say observers.

But it is critical for SMEs to make cyber security a business priority and part of an ongoing journey. 

“If your company collects and stores personal data, creates intellectual property, or has any ‘secret ingredient’ that explains why your company has a competitive advantage, or has built up a good client base and market reputation, then any one of these factors puts you at risk of being targeted by cyber attackers,” said Daryl Pereira, Partner and Head of Cybersecurity Consulting at KPMG in Singapore. 

Cybersecurity has grabbed international headlines in recent years.

Businesses of all sizes, including SMEs, are vulnerable to cyber-attacks.

Singapore’s Cyber Security Agency has noted that, increasingly, SMEs are being attacked and used as conduits to target larger companies, organisations or even governments. 

These cyber-attackers could range from criminals who steal online identities or corporate information for financial gain, to hackers who break into systems to show off their skills, or even nation states.

According to the International Monetary Fund’s 2019 Global Risks Perception Survey, “cyber-attacks” are the fifth most important global risk by likelihood over a 10-year horizon, just behind “massive data fraud and theft” in fourth spot.

“If the Board and C-suite fail to address the cyber threats to their business, then they will be ill-prepared when the inevitable cyber attack - whether it be as basic as ransomware or more complex as a deliberate intrusion and theft of sensitive data - occurs. The resulting financial loss or negative reputational impact could damage the business,” said Mr Pereira.

In KPMG’s view, truly securing a business from ever-evolving cyber threats involves three key pillars of cyber security.

First, management needs to understand what the crown jewels of the business are and protect these. They include specific sets of data and systems that form the core of the business operations and provide organisations with a competitive edge.

Next, making cyber security everyone’s business is a priority. 

“Often, we see that cyber security is described as an IT issue. However, it is a business issue first and foremost as the impact of a cyber-attack is felt most keenly by the business,” said Mr Pereira. 

KPMG said the approach for involving every employee in the cyber journey is to incorporate a more holistic and strategic view of cyber security to encompass six sub-domains: Leadership and governance; human factors; information risk management; business continuity and crisis management; operations and technology; and legal and compliance (See box).

Third, there is a need to invest in the right balance of people, process and technology to build a good cyber defence.

KPMG said a balanced cyber security programme recognises that cyber risk cannot be solved by technology alone. 

The optimal sequence of investment is people, process and technology, in that order.

With the right people in place, organisations can more effectively identify and manage cyber risks.

“The right people will help design and implement the right cyber processes. And once the right processes are designed, they will automate or augment these cyber security processes using technology tools to increase the efficiency and effectiveness of the cyber defence,” said Mr Pereira.

According to global accounting professional body CPA Australia, SMEs must also change their mindsets to ensure that cybersecurity is an important business concern. 

“This requires a combination of things but education is particularly important, and this must be from the top of the organisation down. Cyber security should be the business of all staff in a business,” said Paul Drum, General Manager for External Affairs at CPA Australia. 

The 10th edition of CPA Australia’s annual Small Business Survey, released earlier this year, found that the perceived threat of a cyber-attack on small businesses in Asia-Pacific declined in the latest survey from the previous year, with the exception of Mainland China. 

CPA Australia said this could be because there has not been a major global cybersecurity scare in recent times.

(Source: CPA Australia)

According to the survey, small businesses in Australia and New Zealand remain the least likely to expect a cyber-attack, while small businesses from Vietnam and Indonesia are again the most likely to expect a cyber-attack. The higher uptake of technology in those markets helps to explain that difference, said CPA Australia.

For Singapore, some 30.4% of small businesses believe they will somewhat likely or very likely suffer a cyber-attack in 2019, down from 35.4% in 2018. 

Citing data from the report, CPA Australia said the perceived likelihood of a cyber-attack has little influence over whether small businesses are regularly reviewing their cybersecurity measures. 

Businesses in all markets except Indonesia and Malaysia were more likely to state that they reviewed their cybersecurity in the past six months than expect an attack in 2019. 

For Singapore, the proportion of small businesses having reviewed their cybersecurity processes has increased to 34% this year, from 30.4% in 2018.

(Source: CPA Australia)

For SMEs, cost has often been cited as a constraint on embarking on their cybersecurity journey.

But observers say there are some simple steps and practical tools that SMEs can adopt to shape their cybersecurity strategy without breaking the bank.

“At a basic level, security does not have to cost much. Effective hiring of cyber talent, either in-house or through an outsourced managed service, is the first step towards readiness,” said Mr Pereira. 

“Then implement the right process and tools in a judicious manner to create a baseline of good cyber hygiene. If every SME did this, their cyber risk exposure would be dramatically reduced,” he added.

CPA Australia’s Mr Drum said low-cost options include ensuring that passwords are regularly changed, that firewalls are regularly checked, that business work systems are used for business purposes and not private web surfing, and that staff are educated so that they can more readily identify potential cyber threats.

“Due to their typically stronger focus on technology, it is evident from CPA Australia’s survey that younger respondents are much more likely to expect a cyber-attack in 2019 and this heightened awareness in staff is also a very important tool in avoiding a business cyber-attack,” said Mr Drum.

Make cyber security everyone's business

The right approach would incorporate a more holistic and strategic view of cyber security to encompass six sub-domains:

1. Leadership and governance – What is the tone from the top and do management actively oversee and invest their time on cyber safety? For example, is there a cyber security programme to help the organisation increase their cyber readiness? Does this programme involve business leaders as well as IT and supporting functions such as risk, legal, compliance and finance?

2. Human factors – Scant regard is given to the fact that more than three quarters of cyber-attacks exploit human weaknesses. For example, spear-phishing emails are sent to staff who, having clicked on the attachment or malicious link, become accidental accomplices in the downloading of malware, such as key-loggers or ransomware, and stealth attacks, such as Trojans or viruses.

3. Information Risk Management – How does the organisation understand the pertinent cyber threats to their business, their data and their systems? For example, is there a standing committee or function that oversees and assesses cyber risk, and makes decisions on which cyber risks are acceptable and which need to have mitigation actions taken?

4. Business continuity and crisis management – How do you recover after a cyber attack? Do you have a defined cyber incident response plan, and have you tested and exercised this plan on a regular basis?

5. Operations & Technology – Have you understood the technology being used across your organisation and its inherent weaknesses, and implemented cyber tech tools to compensate for these weaknesses? For example, tools that increase protection, help with detection of cyber attacks, and enable the recovery of business operations in the event of a cyber attack.

6. Legal & Compliance – Do you understand and comply with the relevant cyber laws and privacy laws, or regulatory mandates pertinent to your sector?

(Source: KPMG Singapore)

This article is part of a series in collaboration with CPA Australia to share knowledge on accounting, business and finance issues.