5 cyber security measures Singapore SMEs should know

If you thought that cyber criminals only target big businesses, think again. According to the Verizon 2012 Data Breach Investigation Security Report, 67% of cyber security compromises in 2011 happened in organisations with just 11 to 100 employees, which fits the description of SMEs and start-ups in Singapore.

That small and medium-sized businesses are more vulnerable to cyber crimes as compared to the 'big boys' is not surprising given their lax security practices, especially in regard to employee access to company data.

In Singapore, 150 IT decision makers from SMEs polled by SolarWinds in September 2013 listed unsecured sharing of company files/data, creating simple passwords that are too easy to crack, and not using a VPN among other poor cyber hygiene practices, as the most common user behaviours on employees' personal mobile devices that threaten their organisations' IT security.

Unlike a multinational corporation, the typical SME would not have the same budget for a broad-spectrum cyber security defence shield. Beyond the basics of installing a firewall and anti-virus software, and practising good software patch management, here are five important cyber security measures for Singapore SMEs that will help protect their precious data while not bursting their budget:

1. Identify your most valuable digital assets

By adopting a risk-based approach to protecting your most valuable assets, you can maximise security while minimising costs. This entails identifying and categorising your company's digital assets according to the level of sensitivity/importance.

In other words, how damaging would the loss of the data be to the company? Assign “low,” “moderate,” and “high” ratings according to the level of sensitivity of the company data. Secure your highest rated assets first.

2. Set up an access control list

Determine which employees have control to which assets and set up levels of security clearance (open or restricted access). Review and update the list regularly to reflect staff movement. Remove anyone that does not require high-level access anymore.

The most senior person need not have the highest-level access; on the contrary, he/she may have the least access, for example, to the company's databases if management reports are prepared for him/her by other staff.

3. Implement 2FA for remote VPN access

Passwords alone are not secure enough to prevent unlawful access to your company data. Implement two-factor authentication (2FA) for remote virtual private network (VPN) access. This means that employees have to key in a One-Time Password (OTP) on top of their username and password in order to access company data remotely.

Depending on your budget, hardware token-based 2FA should be adopted to secure access to more sensitive data. Tokenless SMS OTP or soft tokens such as Google Authenticator can be considered for access to less sensitive company data.

Sensitive company emails and attachments should also be password-and 2FA-protected. For example, authorised recipients can key in a OTP to read the emails and download the attachments.

4. Encrypt sensitive company data

Bring Your Own Device (BYOD) policies may offer flexibility to staff, but this also opens up a security loophole when staff lose their laptops or smartphones containing precious company data. The data should be encrypted to ensure that only staff with the necessary security clearance can access them.

Budget conscious SMEs can use free encryption software such as Microsoft BitLocker. SMEs who wish to go a step further can deploy Full Disk Encryption (FDE) with 2FA.

FDE refers to encrypting all the data on the hard drive used to boot a computer. Access to the data is granted only after the employee has been authenticated with a password and a second factor such as a smart card.

5. Practise secure business outsourcing

As more budget-conscious SMEs in Singapore take advantage of recently announced government subsidies on high-speed Internet access and outsource their data centres to cloud providers, the security risks of doing so have become apparent.

Develop a security checklist (physical and virtual) for your vendor. Onsite security, malware protection, data encryption, and security measures to counter colocation risks are some of the items that should be on the list.

Choose cloud providers who offer 2FA on top of the basic security measures. You can outsource your data storage, but not the responsibility for ensuring the security of the outsourced data.

Data breaches can cost your company not only financial damage, but also reputational embarrassment. By adopting the above five cyber security measures, you can strengthen your defence against identity theft while staying on budget.