Many small and medium-sized enterprises in Singapore provide solutions directly or indirectly to the Government.
But, given the high intensity of recent cyber threats, these SMEs might just be Trojan horses affecting critical information infrastructure, or CII (Help available to boost SMEs' cyber security, by the Cyber Security Agency of Singapore, May 18; and Do more to help SMEs fight cyber threats, by Mr Yong Jun Jie, May 6).
Some SMEs supply their products and render their services directly to the Government.
Indirect solutions, on the other hand, are services rendered by SMEs to appointed main contractors, which in turn cater to the Government. This, perhaps, forms a large chunk of our SME ecosystem, and there could be several links in the supply chain.
This is where the weak spot might be.
The data residing in the indirect service provider's computer systems might be compromised without it knowing. As a result, information related to the public sector might be exposed.
For example, if a file is infected with a cloaked malware, there is a likelihood that the malware would be transmitted.
Tasks which need to be carried out in conjunction with sensitive material might be running in the computer systems of indirect service providers without any protection. This potentially creates an entry point for cyber criminals to exploit.
With the ongoing public consultation on the Cyber Security Bill, perhaps it is time to look into this gap in the SME ecosystem.
To encourage SMEs to adopt cyber protection, tender requirements can indicate the need for bidders to declare what protection tools they have in their computer systems.
For government tenders directly related to CII, interested SMEs must have protection tools in order to qualify for the tender.
Businesses that make the effort, and show that, in their tender submissions should stand a better chance of being awarded contracts.
Tan Kar Quan