Some SMEs believe they are too small to be targeted by cyber criminals or any internal issues will not greatly impact them. How wrong they are, say cyber risk experts.

There has never been a time when companies and organisations have been more at risk of having their data made public or stolen, be it through a deliberate cyber attack from an external or internal party, or as a result of system or human error.

Small and medium enterprises (SMEs) are at the heart of Singapore’s economy says the Singapore Government. Employing less than 200 people, they make up 99% of enterprises, employ two-thirds of the workforce, and account for around half of Singapore’s GDP1 .

Clearly, SMEs are a hugely important part of Singapore’s economy. They are deeply interconnected with consumers and with organisations of all sizes, making their ability to protect themselves from cyber risks essential.

Screenshot 2019-01-25 at 12.55.48

In August and September 2018, property and casualty insurer Chubb, partnered with YouGov to conduct a survey among 300 SMEs in Singapore to gauge their attitude to cyber risks.

”We specifically wanted to know how vulnerable they believe they are; how they protect themselves and prepare for potential risks; and, if exposed, how they react. The results of our survey reveal a significant gap between the hard reality of cyber risk and how well small companies are prepared to deal with it,” said Chubb in a report.

StarHub’s ERM and insurance lead, Nigel Tay, says: ”SMEs are ‘easy pickings’. If I were a hacker looking to profit, my strategy would be to target a large number of SMEs with little or inexistent security measures (maybe with ransomware) vs targeting a larger MNC with established security protocols and defense mechanisms.”

Indiscriminate virus 

In May 2017, the WannaCry virus struck first in Europe before spreading across the globe. The virus was indiscriminate, says Chubb. It crippled SMEs as well as major companies, infecting more than 300,000 systems across 150 countries in a matter of days. This was followed by the more sinister malware, NotPetya, that brought several U.S. government departments and major companies to a halt, costing billions of dollars in damage and lost revenue.

These attacks highlighted our unpreparedness to deal with cyber incidents, and our dependency on technology to conduct commerce. However, it is not just data breaches, but data exposure which organisations need to heed – when data is stored and defended improperly, it can be accessed by anyone with even basic skills.

In Singapore, hotel chain Shangri-La International Hotel had to tell more than 4,300 of its rewards club members to change their passwords following a data breach in 2018. The hotel said illegal access to its mobile app gave hackers access to Golden Circle members’ names, membership numbers, login e-mail addresses, membership levels, number of points and upgrade conditions, according to the firm.

SingHealth, Singapore’s largest health group also experienced a serious cyber attack in 2018. Personal and healthcare information of 1.5 million people, around one-fifth of Singapore’s population, were leaked - including that of Prime Minister Lee Hsien Loong.

Despite these very high profile incidents, one of the major challenges, Tay notes, would be to educate and convince SME owners on the benefits of addressing cyber risks and other possible risk transfer mechanisms. ”As it is, insurance is mostly a cost to SME owners and something which most try to reduce as much as possible. And if so, what is an acceptable risk premium that most SMEs are willing to pay?”

Screenshot 2019-01-29 at 13.59.15

”Most SMEs are straddling that fine line between adopting digital tools and outdated legacy business processes. SME digital adoption will ramp up and with it a whole host of digital and cyber-related risks,” Tay says.

“Some SMEs believe they are too small to be targeted by cyber criminals or any internal issues will not greatly impact them. In effect, they think they are “too small to fail”. However, every report, survey or set of statistics on cyber events tell us that all businesses are exposed, whether big or small. ” Andrew Taylor cyber underwriting manager, Chubb Asia Pacific.

“Structured risk management methods and strategies are largely nonexistent as most SME owners seek to maximise profitability and growth. I see this is an opportunity for insurance companies and brokers to better inform their clients,” he adds.