
Strengthening SME Cybersecurity in The Wake of Data Breaches

Decentralised identity solutions create an opportunity for SMEs to create a more secure, privacy-conscious business environment and minimise data breaches.

Affinidi

In late March, a jeweller in Singapore notified its customers and the relevant authorities of a data breach. The breach exposed customers’ personal data, including customer names, contact information, and addresses. The jewellery store case is a stark reminder of the cybersecurity risks faced by businesses and the need to strengthen data safeguards.

This article provides a Singapore-focused view of current trends in data breaches, their common causes, and the best practices and new tools available to businesses to minimise or prevent data breaches and further strengthen their security and privacy posture.

The Rise of Data Breaches

In Singapore, the prevalence and impact of data breaches are growing — particularly phishing and ransomware attacks:

  • Data Breach Prevalence: An Armis survey found that 70% of Singaporean organisations experienced a breach due to cyberattacks within the year.
  • Financial Impact: The average cost of a data breach in ASEAN countries escalated to US$3.05 million per incident, a 6% increase from the previous year.
  • Phishing attacks most common method: Phishing attacks were identified as the primary method in 42% of data breaches in Singapore for 2023.
  • Singapore has the highest ransomware rates globally: Ransomware incidents doubled for 60% of local organisations, with Singapore experiencing the highest global rate of ransomware attacks: 84% of organisations reported as victims, up from 65% the previous year.

Common Causes of Data Breaches

Common causes of data breaches include coding and configuration errors, malware and phishing, lack of security oversight and weak account and password management. Each cause can lead to a potential data breach:

  • Coding errors and configuration issues can lead to unauthorised data disclosure due to software bugs or misconfigured IT components.
  • Malware and phishing issues rely on human vulnerabilities and social engineering to gain potential unauthorised access.
  • Security and responsibility issues may result in inadequate access controls, out-of-date systems and gaps in policies, procedures, controls and people.
  • Accounts and passwords issues: weak password policies, insecure storage of passwords, sharing of admin accounts with personal data, and weak authentication methods.

Traditional Ways of Safeguarding Against Data Breaches

The Personal Data Protection Commission (PDPC) and Info-communications Media Development Authority (IMDA) highlight several recommendations:

  • Coding Issues: Design before coding, impact analysis, document changes, thorough testing, code reviews.
  • Configuration Issues: Harden configurations, automate deployments, manage settings systematically, regular security checks.
  • Malware and Phishing: Phishing simulations, employee vigilance education, restrict internet access, update endpoint security, regular offline backups.
  • Security and Responsibility: Use synthetic data, access control, assign clear ICT security responsibilities, system maintenance security tasks.
  • Accounts and Passwords: Review and remove old accounts, hide passwords in code/configs, prevent brute force attacks, strong password policies, stronger authentication for admin accounts.

While these measures are effective, many SMEs face difficulties implementing them due to limited budgets and a lack of skilled IT staff. Channel News Asia reported that 44% of companies in Singapore said they do not have dedicated IT security teams.

New Tools to Minimise Data Breaches

Decentralised identity solutions, in which personal data is held and controlled by the individuals themselves, present an alternative to storing customer data centrally. They can prevent or minimise the potential for data breaches, especially for SMEs, which often lack IT security teams and budgets.

Unlike centralised identity solutions that have large data sets of customer data stored with businesses or third parties, decentralised identity solutions enable customers to store and control their personal data on their devices. Businesses can obtain the necessary data from customers with consent when required — without the risks attached to storing excessive amounts of sensitive data.

When data is decentralised and stored on an individual’s device, each user’s device becomes a separate IT asset that must be accessed individually. This makes mass data breaches considerably more difficult:

  • Weak/Reused Passwords: Accessing data on individual devices requires bypassing the authentication mechanisms of each device separately.
  • Software Vulnerabilities: Decentralised identity stores each individual’s personal data on their own devices — with varied hardware, modes of authentication and operating systems — making a uniform attack more difficult.
  • Social Engineering: Phishing attacks against a single IT admin won’t directly apply to many end-users, as attacks are often tailored for each individual.
  • Insider Threats: An inside threat actor would only have access to their own data, limiting the scale of a data breach.

How Decentralised Identities Work

Decentralised identity solutions comprise various technologies, such as Verifiable Credentials (VCs), Decentralised Identifiers (DIDs), OpenID Connect for Verifiable Credentials (OID4VC) and DIDComm.

These technologies, when combined, serve as building blocks to provide businesses with capabilities such as passwordless authentication for secure and seamless onboarding, secure storage of user data and privacy-enabled data sharing with consent.

Beyond Security: A Multifaceted Advantage

The benefits of decentralised identity solutions extend beyond security. From a regulatory perspective:

  • Clear consent: Users have full control through selective disclosure and explicit consent for each exchange of data.
  • Reduces obligations on businesses to provide access and correction capabilities by placing the onus of accuracy and retention limitation in the hands of the individual.
  • Reduces costs and challenges to adhere to transfer limitation obligations for businesses.
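
The selective disclosure mentioned above can be built from salted hashes: the issuer signs only digests of the claims, and the customer reveals just the claims they consent to share. The sketch below is an added example, not Affinidi's code or any standard's wire format; the function names and sample data are constructed, and it leaves out the holder key binding and replay protection that a production credential format adds.

```javascript
const crypto = require('node:crypto');

// Digest binds salt, claim name and value; the random salt stops guessing of hidden values.
const digest = (salt, name, value) =>
  crypto.createHash('sha256').update(JSON.stringify([salt, name, value])).digest('base64url');

// Issuer: salt every claim and sign only the sorted list of digests.
function issueCredential(claims, issuerPrivateKey) {
  const disclosures = Object.entries(claims).map(([name, value]) =>
    [crypto.randomBytes(16).toString('base64url'), name, value]);
  const payload = JSON.stringify({ digests: disclosures.map(d => digest(...d)).sort() });
  const signature = crypto.sign(null, Buffer.from(payload), issuerPrivateKey).toString('base64url');
  return { payload, signature, disclosures }; // kept in the customer's wallet
}

// Holder: forward the signed digests plus only the claims consented to.
function present(credential, consentedNames) {
  const disclosures = credential.disclosures.filter(([, name]) => consentedNames.includes(name));
  return { payload: credential.payload, signature: credential.signature, disclosures };
}

// Verifier (the business): check the issuer signature, then each disclosed claim.
function verifyPresentation(p, issuerPublicKey) {
  const sig = Buffer.from(p.signature, 'base64url');
  if (!crypto.verify(null, Buffer.from(p.payload), issuerPublicKey, sig))
    throw new Error('issuer signature invalid');
  const signed = new Set(JSON.parse(p.payload).digests);
  const claims = {};
  for (const [salt, name, value] of p.disclosures) {
    if (!signed.has(digest(salt, name, value))) throw new Error(`claim ${name} was not issued`);
    claims[name] = value;
  }
  return claims;
}

// Constructed sample data: the shop learns over18 and nothing else.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const credential = issueCredential(
    { name: 'Tan Mei Ling', address: '1 Example Road', over18: true }, privateKey);
  const presentation = present(credential, ['over18']);
  const verified = verifyPresentation(presentation, publicKey);
  const [salt] = presentation.disclosures[0];
  const forged = { ...presentation, disclosures: [[salt, 'address', '9 Other Street']] };
  let forgedRejected = false;
  try { verifyPresentation(forged, publicKey); } catch { forgedRejected = true; }
  return { verified, forgedRejected };
}
```

The business stores only what `verifyPresentation` returns, so a later compromise of its systems exposes the single disclosed claim rather than the full customer record.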

Implementing Decentralised Identity: A Phased Approach

A transition to decentralised identity does not have to happen overnight:

  • Targeted Pilot — Initiate a pilot project using decentralised identity for a particular application like registration and verification of customer identity.
  • Stakeholder Education — Educate employees and customers about why decentralised identity is beneficial.
  • Seek Expert Guidance — Work with solutions providers that specialise in decentralised identity systems.


Key Takeaway

Decentralised identity solutions create an opportunity for SMEs to create a more secure, privacy-conscious business environment and minimise data breaches. Such technologies will allow businesses to meet regulatory requirements while earning their customers’ trust. CISOs and DPOs in Singapore should learn more about decentralised identity solutions and assess integrating them into their cybersecurity plans.
