Suspected data leak spurs F&B firm to beef up IT security, apply for new cybermark

Store front of Andersen’s of Denmark at NEX shopping mall. ST PHOTO: THADDEUS ANG

SINGAPORE - When a food and beverage company's customer rewards app had a suspected data leak in 2017, it was a turning point for the firm, which now runs Andersen's of Denmark ice cream outlets in Singapore.

Scammers had sent fake e-mails to its customers, which spooked Georges, the operator of the Georges chain of restaurants. It acquired the rights to Andersen's of Denmark in 2018.

Worried that crooks could have accessed its customer database, the company decided it had to improve its cyber security if it was to tap technology to digitalise, such as for online marketing and providing services online.

This included training the small- and medium-sized enterprise's (SME) nearly 100 full-time staff on IT security and developing procedures such as how to manage suspicious e-mails.

As part of its security drive as it went digital, Georges participated in a government pilot in January for a new cyber-security certification programme. It was launched on Tuesday (March 29) by Minister of State for Communications and Information Tan Kiat How at the Sands Expo and Convention Centre at Marina Bay Sands.

This voluntary cybermarks programme, which is under the Cyber Security Agency of Singapore (CSA), recognises enterprises that have adopted and implemented good cyber-security practices, and sets minimum standards that businesses must meet to qualify for certification.

The marks are for organisations that do not manage critical information infrastructure. Owners of critical information infrastructure, such as those in the water and energy sectors, are held to a higher standard under current cyber-security rules.

Mr David Leong, director of Georges, said the pilot for the cybermarks presented an opportunity for the business to validate its IT security measures while it was in the midst of reviewing its cyber-security infrastructure with a consultant.

The pilot sought feedback from participating companies on the certification process and also tested certification requirements.

Georges plans to apply for CSA's certification as it is akin to an endorsement of the company's commitment to protect its customers' data.

"The mark will help us to build consumer confidence and our staff's confidence in their daily operations," Mr Leong added.

Mr Tan said that companies in the pilot found the certification useful to help them identify their cyber-security gaps.

CSA's certification programme comprises the Cyber Essentials mark and the Cyber Trust mark.

The Cyber Essentials mark aims to help SMEs have baseline cyber defences to safeguard their systems and operations from common cyber attacks. The mark is valid for two years.

For a food and beverage SME, this could mean having measures such as controlling who has access to customer data and backing up that data, as well as having software to protect the company's IT systems.

The Cyber Trust mark aims to guide larger and more digitalised companies, such as multinational corporations, on the expertise and resources needed to manage and protect their IT infrastructure and systems based on their risk profile. The mark is valid for three years.

For a financial service institution, this could entail ensuring its internal and external systems have robust cyber defences to protect customers' personal and financial data.

Large organisations, as well as about 30 per cent of SMEs that are further along in the process of going digital, should be able to benefit from the marks, said CSA.

The certification process will be done by certification bodies appointed by the agency, with eight appointed so far.

The fees companies pay to the certification bodies will vary depending on the scope of the assessment. Fees for Cyber Essentials start from $150 for small enterprises with fewer than 10 employees, while fees for Cyber Trust start from $800.

CSA said it will review the certification progressively and assess the need to make the marks mandatory in future.

Singapore technology industry association SGTech, one of the industry partners CSA is working with to encourage adoption of the marks, said the cost of adopting recommended practices and being certified is relatively small compared with the potential loss of customer confidence, damage to brand reputation and legal costs should a cyber attack happen.

Mr Tan, in launching the marks on Tuesday, noted that the average cost of a cyber attack for companies here was reported in 2020 to be about $1.7 million per breach. This might be too high a cost for some SMEs to bear, he added.

Despite some sectors being badly hit by the Covid-19 pandemic, companies could be looking to shore up their cyber defences further.

A 2021 SGTech poll found that 38 per cent of companies had invested in and implemented cyber-security measures in the past year.

But in the next 12 months, 53 per cent of SMEs intend to increase their spending in cyber-security technology, while 85 per cent of large enterprises plan to do so, according to the poll.

Mr Dutch Ng, the chair of SGTech's cyber-security chapter, said CSA's two cybermarks allow organisations to have a laser-sharp focus on investing in cyber security to take care of high-priority vulnerabilities.

When their situation improves, businesses can consider further investments to improve their cyber security in other areas, he added.

For instance, with many SMEs paying less attention to cyber security compared to other business priorities, the Cyber Essentials mark is a good starting point for them, said Mr Ng.

He added that while large enterprises are likely better resourced and have more cyber-security measures than SMEs, customers or business partners might not know how secure they really are. So the Cyber Trust mark could be a trusted and reliable indicator of the companies' cyber defences.

"The Trust mark might also provide an opportunity for organisations to look across their network or ecosystem of suppliers and customers to get an indication of their overall cyber risk," said Mr Ng.

Even for SMEs like Georges, Mr Leong said that when his company is looking for vendors, it would prefer those with the cybermarks.

"It gives us confidence in the vendors' cyber security," he said, adding that if the suppliers' cyber defences are up to mark, they would help keep Georges safe too.

- To find out more about the Cyber Essentials and Cyber Trust marks, visit this website. 
