Cyber criminals are hacking into smaller businesses as a way of getting into larger corporations.
Smaller companies are easier targets because they often lack the resources, expertise and technical capability to defend themselves against illegal online intrusions.
Mr Bill Chang, Singtel's chief executive officer for group enterprise, said they are the "soft underbelly" in the business supply chain, where small and medium-sized enterprises (SMEs) are subcontractors to corporations providing services such as cleaning, air-conditioning, engineering and human resource solutions.
"They are soft targets being used as conduits for cyber attacks," he told The Straits Times.
Mr Chang said the situation is serious, citing the global 2015 Internet Security Report which indicated that 60 per cent of all cyber attacks are targeted at SMEs. Since SMEs make up 99 per cent of Singapore's registered companies, "there is a clear and present danger for them".
"As SMEs move into e-commerce and digitise their business transactions, they present greater opportunities for online attacks," he said.
There are three emerging cyber-attack scenarios.
Ransomware: Cyber attackers encrypt proprietary or sensitive information and hold it for ransom. If it is not paid, the data is not decrypted. Payment is usually about one to two bitcoins, which is a form of cryptocurrency. The price of one bitcoin traded yesterday was about US$689 (S$933). If the ransom is not paid after seven days, the ransom is usually doubled. If none is paid, the "digital keys" are thrown away.
Mr Bill Chang, Singtel's chief executive for group enterprise, said: "Companies usually pay because it costs more to de-crypt the data."
Spearphishing: It appears as an e-mail attachment or is embedded in the e-mail itself. It impersonates an individual or business that is known to the recipient. It is sent by criminal hackers who aim to steal credit card and bank account numbers, passwords and financial information. The aim could also be to steal identities, such as personal information of chief financial officers so that they can illegally transfer funds.
Mr Chang said: "Spearphishing can also lead people to access websites that allow other malware to be downloaded. These malware can activate the computer camera and speaker, allowing the hacker to spy on various things, from what is happening in a research lab to boardroom discussions. The hacker can even remotely wipe your computer so that a user loses all his data and information."
Mobile malware: This is a rising cyber threat because of the smartphone explosion. Smartphones are usually infected when users download mobile apps. Cyber hackers have developed innocent-looking apps like mobile games to entice people to download them. That is when the malware is downloaded.
Malware can also be downloaded when users access e-mail on their phones. The malware can steal passwords that can be used to illegally transfer funds to the hackers or buy goods online.
Mr Chang noted: "The malware can remain active for a very long time, stealing information over time. Some remain in the phone even if it is switched off and on again."
Mr Chang pointed to the massive breach suffered by the American chain store Target in 2013. The breach might have been due to an air-conditioning SME subcontractor infected with malicious software. Target picked up the infection during the exchange of e-mail it had with the subcontractor. A Reuters report in 2013 said that Target lost 40 million credit and debit card numbers to these cyber attackers.
SMEs can find cyber attacks costly. Global studies estimate that 50 per cent of businesses close within six months of a cyber breach, noted Mr Chang. The average cost of cyber attacks for SMEs with about 100 employees in the United States is about US$3.5 million (S$4.7 million), which could be outlaid on legal suits or remediation efforts, he added.
There are no local figures available. The explosion in e-commerce here provides another gateway for cyber attackers. Research reports from management consultancy firm A.T. Kearney and the bank CIMB show that Singapore's online retail market could have hit $4.4 billion last year.
When consumers who are also office workers go online to buy products and services or search for information, their computers could be infected by malware. When these consumers use their computers for work e-mail, the infection spreads to other networks.
Once in a network, the malware begins its nefarious activities. It could steal passwords, credit card numbers, the latest blueprint for a new product or customer information. Mr Chang said ransomware, where cyber attackers digitally "lock out" data and hold it for ransom, is the leading cyber threat for SMEs. Mobile malware is on the rise too, he added.
"SMEs depend on their phones to do business. They send e-mail, do online banking and conduct other transactions on their smartphones. Their exposure to malware is very high."
Singapore is listed as the 12th biggest market in the Asia-Pacific in terms of the number of malware detections. The Microsoft Malware Infection Index for 2016 has Pakistan, Indonesia and Bangladesh as suffering from the most malware infections out of 19 countries.
Mr Keshav Dhakad, the regional director for intellectual property and digital crimes at Microsoft Asia, said it generally takes an average of 200 days for organisations to find out that they have been victims of cyber attacks.
During this time, the malware could have stolen identities or other information, he said.
His advice was that companies practise good cyber security hygiene such as using genuine software and regularly upgrading security patches on computers.
Singtel's Mr Chang added that it was important for SMEs to raise cyber security awareness among employees, including senior management.
"They also should prioritise their key data assets to protect what is vital to their business. It could be intellectual property, mergers and acquisitions documents, details of new product launches and customer information."
This data should be backed up since ransomware is on the rise.
"SMEs should also regularly review the information they hold to ensure that security practices are followed," he added.