SMEs vulnerable to data breaches: Association chief

Many small and medium-sized enterprises here are vulnerable to breaches similar to the one committed on SingHealth's IT system, as they do not have defence software that can monitor sophisticated cyber attacks, Association of Small and Medium Enterprises president Kurt Wee warned yesterday.

Numerous small and medium-sized enterprises (SMEs), especially those that do not have some active defence mechanism in place, have fallen prey to ransomware, a form of malicious software or malware that denies infected accounts access to their data until a ransom is paid.

Those at risk include compa-nies with high-value intellectual property and large financial databases or that are electronic installation contractors, and credit card transaction processing firms, Mr Wee noted.

As the dust settles on the most serious breach of personal data in Singapore's history, industry experts caution that many businesses, particularly those in the financial, healthcare and SME space, need to step up endpoint security.

An endpoint is a device that is connected to an organisation's network, which can include desktops, servers and tablets.

While many SMEs have antivirus protection and software or physical firewalls in place, those are not enough, Mr Wee said. Cyber-security threats are likely to increase as more enterprises, driven by digital transformation, move to the cloud.

SMEs that rely on cloud-based sharing platforms are vulnerable as any data stored and accessed on the Internet may be hacked, he added.

Delinking full Internet access to employees will reduce the possibility of cyber attacks. However, Mr Kowsik Guruswamy, chief technology officer of IT solutions firm Menlo Security, said this "may not be a viable option as it creates significant overhead as well as loss in productivity".

"Organisations should look into solutions that provide end-to-end security of various platforms, such as Web, e-mail or documents at any given moment," he said.

Mr Tom Kellerman of cyber-security firm Carbon Black said the Singapore financial sector is a prime target partly because most large European and US financial institutions have network operation centres here.

Cyber-security threats will only get more complex, said Mr Leonard Cheong, managing director of cyber-security consultant AdNovum Singapore.

"Financial and healthcare institutions hold data... which attackers can either sell or leverage for underhanded use. As the sharing economy grows, more industries such as last-mile logistics and travel could also be affected," he said.

Mr Kellerman said that financial records typically sell on Dark Web forums for about US$22 (S$30), healthcare records for US$70 and credit card data for US$3 to US$5.

Local sushi chain Sakae Holdings moved to set up its own cyber-security solutions firm after a malware attack last year shut down its company database just days before its first quarter report was due.

"We had to frantically scramble to get our earnings report done with the data system down for two days. We had to get our sales data through WhatsApp," Sakae founder and chief Douglas Foo said. It cost the company about $10,000 to unlock the data system.

Last month, he set up Sakae Cybersecurity in partnership with an Israeli cyber-security solutions firm. "For about $2,000, we will look after the SME's cyber-security needs. Our solutions can identify a hacker attack and stop it," he said.