SMEs still taking cyber attack risks too lightly: Experts, Latest Singapore News - The New Paper

Even after SingHealth's high-profile data breach last year, many small and medium-sized enterprises (SMEs) are taking the risk of cyber attacks too lightly, warned experts.

The indifference is all the more striking as three in five SMEs said they had suffered cyber security breaches that resulted in business disruptions and data leaks over the past 12 months.

According to insurer Chubb's survey of 300 SMEs, only 30 per cent of those affected notified customers or employees about the data leaks.

More than three in five polled said they believe that large corporations are more at risk of cyber attacks than SMEs.

"They think they are too small to fail," said Mr Andrew Taylor, Chubb Asia-Pacific's cyber underwriting manager.

But the opposite is true, he added.

"In fact, smaller companies have a relatively larger exposure as they face the same threats as larger businesses but do not have the means to implement comprehensive protection, leaving significant risk uncovered."

The poll of SMEs with fewer than 200 workers was conducted in August and September last year after news broke of Singapore's worst data breach involving the personal details of 1.5 million SingHealth patients, including those of Prime Minister Lee Hsien Loong.

Earlier this week, SingHealth and its IT vendor Integrated Health Information Systems received the largest combined fine of $1 million from the Personal Data Protection Commission (PDPC) for failing to protect patient data.

According to the Chubb survey, the system and data breaches experienced by those polled were mainly due to system breakdowns and human error, including the loss of portable storage devices.

The survey also showed that SMEs are ill prepared to protect sensitive data, with three in five companies saying cyber security is seen largely as an IT issue in their organisations.

Half of all the companies polled said key staff may not be fully aware of their obligations to protect the data they have access to, and there is no consistent understanding of what constitutes a cyber security risk.

A new requirement for organisations to report breaches to the PDPC will soon be tabled in Parliament this year. The revised Personal Data Protection Act will require individuals affected by a breach to be notified. Organisations found guilty of being tardy in reporting can be fined up to $1 million.