As the famous cybersecurity saying goes, “there are only two types of companies: those that have been hacked and those that will be.”
With automated bot attacks happening across the world every second, it’s no longer a matter of whether an attack happens. All companies — big or small — will experience a cyber breach at some point.
The question is: when your network is attacked, will the protocols you’ve put in place prevent damage to your assets and reputation?
The truth is that companies that have invested in cybersecurity have a significant competitive advantage over companies that haven’t.
Consumers are more likely to transact with companies with strong cybersecurity, for one. Investors also have greater confidence in cyber-secure business models.
Conversely, those with lackluster cybersecurity risk having to pay many times more in operational disruptions, ransoms, fines, loss of consumer confidence, and even bankruptcy. Cybersecurity can no longer be an afterthought: by the time an attack happens, the damage has already been done.
Cyber Attacks on Singaporean Businesses: A Problem of Growing Urgency
In March this year, local furniture retailer Vhive reported that their server was hacked by a group known as ALTDOS. The group claimed to have stolen information pertaining to over 300,000 customers as well as nearly 600,000 transaction records.
Instead of just encrypting the information and demanding a ransom, ALTDOS contacted Vhive management and threatened to release 20,000 customer records daily until they’d been paid off. These were not empty threats: ALTDOS had released confidential data from Thailand-based Country Group Securities just a few months before.
In June, several Singapore companies were fined a total of S$75,000 for not properly securing the personal data of 600,000 users. These companies were from different industries and of different sizes, showing just how indiscriminate hackers are when it comes to selecting their targets.
As the protection of personal data is taken more seriously in Singapore, the PDPC is increasing the penalties for companies that fail to protect user data. The current maximum fine is S$1 million. Soon, companies may be fined up to 10% of their annual turnover in Singapore or S$1 million, whichever is higher.
There were many more cyber crimes that went unreported. Up until January 2021, reporting data breaches to the PDPC was voluntary. But starting February 1st, 2021, PDPC has made it mandatory for companies to report data breaches within 3 days.
Add that to the fact that trend analysis is showing a year-on-year increase in cyberattacks. In Singapore, ransomware detection numbers shot up by 45% in the second half of 2020 compared with the first half of the year.
That means we’ll be seeing a lot more cyber incidents publicized — and a lot more penalties handed out.
What’s the Cost of a Data Breach?
So what do you stand to lose by not investing in cybersecurity for your SME? There are two significant areas:
1. Loss of Brand Reputation and Trust from the Public
When consumers choose a business, they’re also trusting that business with their personal data. Any breach immediately erodes their confidence in the company’s ability to protect their personal information.
In today’s world where privacy is paramount, consumers are quick to find more trustworthy alternatives.
Here are a few statistics to back that up:
- A Centrify study found that 65% of data breach victims lost trust in an organisation as a result of the hack.
- According to IDC, four out of five consumers will defect from a business because their personal data was exposed in a security breach.
- Security Magazine reported that 52% of consumers would consider paying more for the same products or services from a provider with better security, and 52% of consumers said security is an important or primary consideration when purchasing products or services.
2. Loss of Revenue and Negative Pressure on Your Share Price
When news of a cyberattack breaks, the potential impact on business revenue and share price is significant.
Take Japan’s largest dating app Omiai for example. It was hacked earlier this year with the personal data of almost two million users likely exposed. When the news came out, users began switching to competitor platforms. The share price plunged 19.43% — the largest drop since they listed in 2017.
For companies that have built their business models on trustworthiness and privacy, a cyberattack that exposes personal data may spell the end of not only their profitability but also their existence.
Do You Have a Protocol for Cyber Attacks?
It’s too late to come up with a protocol after an attack happens. In addition to your Business Continuity Plan, we recommend incorporating two elements in your response:
1. Transparency & Communication
Be the first to break the news and be transparent about the extent of the damages. It’s much better that your customers hear directly from you rather than from a third party.
Don’t downplay the severity of the incident. Consumer confidence is already low after a breach, and transparency is the first step in rebuilding that trust. If it’s revealed later on that the incident was more serious than initially reported, whatever trust remains will be permanently gone.
We’d recommend getting your PR spokesperson or crisis manager to handle communications and do damage control. Companies that don’t have one can opt for Cyber Security Insurance instead, which includes the cost of PR and damage control in the event of a cyber breach.
2. Prove You Are Committed to Improving Cybersecurity
Personal data leaked from a dating app would probably spell the end for that business. How much more so when a leak from Ashley Madison — an app for arranging illicit affairs — resulted in the devastation of its users’ personal lives. Sadly, there were even people who committed suicide because of the Ashley Madison leak in 2015.
Yet in spite of this catastrophe, as of 2019, Ashley Madison was able to recover and rebuild trust with over 30 million users.
How did they manage such a feat?
The company set cybersecurity as its priority. They hired a new Chief Information Security Officer (CISO), a new security team, fixed their internal structure, and implemented features such as Multi-Factor Authentication and audits on their systems.
All of these established a sense of security for their end-users, proving that they could be trusted again — maybe even more so than their competitors.
Cybersecurity is an Investment Opportunity You Can’t Afford to Miss
Rather than attempting to do damage control after being a victim of a cyberattack, it’s much easier to implement cybersecurity into your business early on. This not only helps protect the trust your customers have in you, but also becomes a competitive advantage that sets you apart.