When Singapore’s data protection laws were put in place in 2012, the main concern among consumers was with the big players – telecom operators, banks and supermarket chains – misusing their private data.
Now, as these companies have toed the line, the focus seems to have shifted to small and medium businesses (SMBs), many of which do not have the know-how or budget to keep on the right side of the law.
The latest to get a slap on the wrist by the government regulator yesterday was Cellar Door, a gourmet food retailer. For having its customer data leaked online in 2014, it was fined S$5,000 by the Personal Data Protection Commission (PDPC).
The penalty may cost no more than a case of fine wine. However, the message from the data protection watchdog is clear – SMBs cannot fail to protect the personal data of their customers.
Many businesses don’t know it, but they are obliged to put in place adequate security measures, from the usual lock and key for physical files to encryption of personal data held on their systems.
For failing to install a server-side firewall, close unused ports and implement stronger administrative passwords, Cellar Door’s Web hosting provider was fined a separate S$3,000.
Therein lies the issue. While it is commendable that the government regulator is taking a tough stance on data protection, it is creating precedents with each fine it metes out.
How often, for example, do IT managers fail to implement strong administrative passwords? Or forget to close unused ports? Too often, if you ask anyone who’s in the industry.
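The two failings named in the hosting provider’s fine, unused ports left open and weak administrative passwords, are the kind of thing a small operator can check without a security budget. The script below is an added example, not part of the original article or of any PDPC guidance. It parses output in the format of `ss -H -tlnp` (the sample lines are constructed, not captured from a real host), flags any service reachable on a non-loopback address that is not on an assumed allowlist, and applies a simple password policy whose thresholds and common-password list are illustrative assumptions.

```python
"""Baseline hardening audit: unexpected listening ports and weak admin passwords.

Added example for illustration; not the article's or the PDPC's own tooling.
The allowlist, policy thresholds and sample `ss` lines below are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the style of `ss -H -tlnp` output (not a real capture).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=1020,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1020,fd=7))
LISTEN 0 70 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1311,fd=21))
LISTEN 0 128 127.0.0.1:6379 127.0.0.1:* users:(("redis-server",pid=1402,fd=6))
LISTEN 0 50 0.0.0.0:21 0.0.0.0:* users:(("vsftpd",pid=1500,fd=4))
"""

# Assumed allowlist for a small web host: only these (bind address, port)
# pairs should be reachable. Anything else is an "unused port" that should be
# closed or blocked at the firewall.
ALLOWED_LISTENERS: Set[Tuple[str, int]] = {
    ("0.0.0.0", 22),
    ("0.0.0.0", 80),
    ("0.0.0.0", 443),
}

# Matches one LISTEN line: state, recv-q, send-q, local addr:port, peer, process.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)

# Illustrative common-password list; a real deployment would use a much larger one.
COMMON_PASSWORDS = {"password", "admin", "admin123", "letmein", "123456", "qwerty"}


def parse_listeners(ss_output: str) -> List[Dict[str, object]]:
    """Return one record per LISTEN line: bind address, port and process name."""
    listeners: List[Dict[str, object]] = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers or lines in a format we do not recognise
        listeners.append({"addr": m["addr"], "port": int(m["port"]), "proc": m["proc"]})
    return listeners


def unexpected_listeners(ss_output: str, allowed: Set[Tuple[str, int]] = ALLOWED_LISTENERS) -> List[str]:
    """Services exposed on a non-loopback address that are not on the allowlist."""
    findings: List[str] = []
    for entry in parse_listeners(ss_output):
        addr, port, proc = str(entry["addr"]), int(entry["port"]), str(entry["proc"])
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only services are not reachable from the network
        if (addr, port) not in allowed:
            findings.append(f"{proc} listening on {addr}:{port}")
    return findings


def password_policy_failures(password: str, min_length: int = 14) -> List[str]:
    """Return the policy rules an administrative password fails (empty list = passes)."""
    failures: List[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("on the common-password list")
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        failures.append("fewer than three character classes")
    return failures


if __name__ == "__main__":
    for finding in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print("OPEN PORT:", finding)
    for candidate in ("admin123", "Correct-Horse-Battery-9"):
        print(f"{candidate!r}:", password_policy_failures(candidate) or "passes policy")
```

On the sample output the port audit reports `mysqld` on 3306 and `vsftpd` on 21, both exposed to the network without being on the allowlist; Redis is ignored because it is bound to loopback only. The password check is deliberately a baseline: length and a blocklist matter more than character-class rules, which is why the length threshold is the first test.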
In other words, many SMBs could find themselves in hot water over issues that plague many a company that does not have the technical know-how to keep its data secure.
Think about the folks who keep Excel files of customer information on their office server, unencrypted and without a strong password. Will each one be fined if their systems get hacked?
Taking things to the extreme, what about those who install IP cameras that are then taken over by hackers to take down other servers and create mischief? What would the penalty be?
In Cellar Door’s case, neither the company nor its hosting company knows how its data was taken and posted online on the Pastebin website, where sensitive information is often leaked.
That’s hardly surprising. Many SMBs don’t have the technical skills or the knowledge to protect their data adequately. When they get hacked, they could now suffer the double whammy of a fine from the regulator.
There’s no doubt the onus is on them to secure things. Singapore’s cyber security strategy calls for everyone, from home users to large corporations, to reduce their vulnerabilities. A smaller target makes it harder for criminals to strike.
Yet, it is a tough ask for SMBs that have not kept up with the increasingly sophisticated cyber threats today. Who can blame them when even banks and government agencies get hacked despite the best defences?
In a few industries, such as the financial sector, a government regulator may prescribe the strongest measures to hold data secure. However, in many others, there isn’t enough clear guidance.
The PDPC itself publishes a number of guidelines, but much of their content is understandably generic, because cyber security evolves so fast. They call for computer networks to be secured and IT equipment to be updated regularly, which is already common sense today, really.
What does this mean for SMBs? Too often, the cyber defences put up come down to what’s called “best effort”. In other words, something is done where possible.
More can be done to get SMBs to better protect their data. Cyber security awareness is great, but SMBs can keep up with new threats only with financial help from the government.
In the same way it has encouraged SMBs to take up broadband and other technologies through the PIC (Productivity and Innovation Credit) programme, it can specify that cyber security-related purchases be tax-deductible.
For SMBs, the bottom line counts most. Waving a stick at them might make them worried, but not all would know how to respond. How many will pick a cloud service provider that passes the Singapore standard for cloud security, for example?
Sure, SMBs do get training on data protection today. But what’s the use of assigning a data protection officer if there’s no budget to store the data on a reliable cloud provider?
It is clear more SMBs will be hauled up for data breaches in future. Just as important as penalising them is providing the knowledge and incentive to prevent these leaks.