Suspected data leak spurs F&B firm to boost cyber security

When a food and beverage company's customer rewards app had a suspected data leak in 2017, it was a turning point for the firm, which now runs Andersen's of Denmark ice cream outlets in Singapore.

Scammers had sent its customers fake e-mails, and this spooked Georges, which operates the Georges chain of restaurants.

It acquired the rights to Andersen's of Denmark in 2018.

Worried that crooks could have accessed its customer database, the company decided it had to improve its cyber security if it was to tap technology to digitalise, such as for online marketing.

As part of its security drive as it went digital, Georges participated in a government pilot in January this year for a new cyber-security certification programme.

It was launched yesterday by Minister of State for Communications and Information Tan Kiat How at the Sands Expo and Convention Centre at Marina Bay Sands.

This voluntary cybermarks programme, which is under the Cyber Security Agency of Singapore (CSA), recognises enterprises that have adopted and implemented good cyber-security practices, and sets minimum standards that businesses must meet to qualify for certification.

The marks are for organisations that do not manage critical information infrastructure.

Mr David Leong, director of Georges, said the pilot for the cybermarks presented an opportunity for the business to validate its IT security measures while it was in the midst of reviewing its cyber-security infrastructure.

The pilot sought feedback from participating companies on the certification process and tested certification requirements.

Georges plans to apply for CSA's certification as it is akin to an endorsement of the company's commitment to protecting its customers' data. "The mark will help us to build consumer confidence and our staff's confidence in their daily operations," Mr Leong said.

CSA's certification programme comprises the Cyber Essentials mark and the Cyber Trust mark.

The Cyber Essentials mark aims to help small and medium-sized enterprises (SMEs) have baseline cyber defences to safeguard their systems from common cyber attacks. The mark is valid for two years.

The Cyber Trust mark aims to guide larger and more digitalised companies on the expertise and resources needed to manage and protect their IT infrastructure and systems based on their risk profile. The mark is valid for three years.

Large organisations, as well as about 30 per cent of SMEs that are further along in the process of going digital, should be able to benefit from the marks, said CSA.

Fees for Cyber Essentials start from $150 for small enterprises with fewer than 10 employees. Fees for Cyber Trust start from $800.

CSA said it will review the certification progressively and assess the need to make the marks mandatory in future.

SGTech, a technology industry association that CSA is working with to encourage adoption of the marks, said the cost to be certified is relatively much smaller than the cost of the potential loss in customer confidence, brand reputation and legal costs, should a cyber attack happen.

Mr Tan, in launching the marks yesterday, noted that the average cost of a cyber attack for companies here was reported in 2020 to be about $1.7 million per breach.

This might be too high a cost for some SMEs to bear, he added.