a different type of post than my usual one
i will be posting my essay for a school assignment that i almost failed. it'll have a very formal tone as compared to my usual tone, and a little more polished grammar and flow.
i was thinking of how wasteful it is to leave an essay in my drive when other people can learn from it and take away some insight.
-- The Need for Information Security Management for Small to Medium Size Enterprises --
Sound cybersecurity is vital to Singaporean SMEs in protecting business continuity, integrity, and financial stability.
This essay discusses how rising cyber crimes such as ransomware and phishing affect SMEs, the importance of proper cybersecurity policy management, the implementation of security frameworks, and evaluates the government initiatives such as Cyber Essentials and Cyber Trust by the Cyber Security Agency of Singapore (CSA) in addressing rising threats in cybersecurity by way of cybersecurity services and security training and education.
Justifying Sound Cybersecurity Management For SMEs
The Growth of Cyberattacks and Threats Faced
Cybercrime has grown into a multi-trillion-dollar enterprise, and is expected to cost the global economy a cumulative USD$12 trillion by the year 2025 from the start of 2024, with industries such as retail, manufacturing, professional services, and utilities expected to be the most vulnerable (Computer Crime Research Center, 2024). Cybercrime is now more prevalent and profitable than ever, with an economy so large it could be the third largest behind the US and China (World Economic Forum, 2023). With such rampant cybersecurity threats, businesses must prepare themselves for potential threats that may shut down and paralyze operations.
In a survey conducted by the World Economic Forum for the Global Cybersecurity Outlook 2025, respondents ranked the following organizational risks as their top three concerns: ransomware, cyber-enabled fraud (which includes but is not limited to phishing, business email compromise, and vishing), and supply chain disruption (World Economic Forum & Accenture, 2025).
Whilst global trends highlight the rapid growth of cybercrime, Singaporean SMEs are faced with distinct cybersecurity threats due to their high digital adoption in contrast to their meagre cybersecurity resources.
It has been reported by CSA that the top 5 cyber threats affecting local SMEs are: ransomware, social engineering, cloud misconfigurations, software vulnerabilities, and Denial of Service attacks (Cyber Security Agency of Singapore, 2025). SMEs in Singapore must protect themselves with proper cybersecurity policies and management as these organizations are disproportionately targeted. It has been reported that 52% of all reported ransomware attacks have impacted local SMEs, due to an absence of holistic cybersecurity measures which leaves their networks vulnerable. CSA has also reported that a large number of defaced websites belonged to SMEs, which hackers used to carry out phishing attacks (Cyber Security Agency of Singapore, 2024).
As SMEs make up 99% of the enterprise count and employ 70% of the population in Singapore (Department of Statistics Singapore, 2025), it is critical to ensure that this sector is protected so as to protect the livelihoods of Singaporeans. Cyber threats to SMEs directly jeopardize the state's economic stability.
Business Impact of Cyber Attacks
Cyber attacks invariably end up with negative impacts, with businesses reporting disruptions, data loss, reputation damage, financial loss, incident response costs, and regulatory implications (Cyber Security Agency of Singapore, 2025).
Further illustrating the financial impact of cyberattacks on SMEs, a survey carried out by cyber security firm ExtraHop revealed that between February 2023 and February 2024, SMEs encountered a minimum of eight ransomware attacks within the period. 95.7% of the respondents succumbed and paid out an average of S$4.49 million (Boo, 2024).
Another example of an attack on a local SME would be the ransomware attack on Shook Lin & Bok, which also yielded to the Akira ransomware group. They paid out an approximate S$1.89 million. There were two business impacts that pressured them into making payment: losing access to their virtual private servers, which would have paralyzed their business operations, and the leak of confidential corporate and client information, which may negatively affect their reputation and cause financial loss (Koh, 2024).
Beyond the upfront financial impacts, businesses also suffer unseen costs incurred during the downtime of such attacks.
Cybersecurity Policies & Solutions for SMEs
It is clear that SMEs require a robust information security management framework. However, it may prove difficult due to budgetary constraints to form departments dedicated to cybersecurity.
American business owner Donna Huneycutt’s SME is an example of a small business that was negatively affected by implementing the National Institute of Standards and Technology (NIST) framework, especially the Special Publication 800-171 (NIST SP 800-171). After spending USD$1 million to implement the security measures listed within the NIST SP 800-171, they were priced out, discovered they were under cyber attack, and eventually sold the company. This expenditure and mitigation after cyber threat discoveries put them at a stark disadvantage against less secure defense contractors who were cheaper (Waterman, 2024). This highlights the possible reservations that SMEs may have in implementing sound cybersecurity policies and management. While this example stems from the U.S., Singaporean SMEs encounter similar issues when attempting to adopt potentially exhaustive cybersecurity frameworks such as ISO/IEC 27001, ISO/IEC 27005:2022, or NIST frameworks.
As such, SMEs may find it easier to implement frameworks and policies more suited to their stature, such as the “Least Cybersecurity Control Implementation” (LCCI) framework for SMEs, rather than a more robust framework such as the previously mentioned ISO or NIST frameworks.
The LCCI framework comprises 7 steps (Pawar DBA & Palivela, Ph.D, 2022, 10-11):
1. Identification of Mission Critical Assets (MCA).
- This can be payment gateways for e-commerce businesses, or business email encryptions.
2. Assess the priority within the Confidentiality, Integrity, and Availability (CIA) triad for each MCA.
- How each MCA ranks on the CIA triad. For example, an e-commerce business may put Availability (A) as a top priority for their webpage and mark Confidentiality as the top priority for customer credit card data. Organizations in different domains will have different priorities outlined.
3. Apply prioritized security measures for each MCA security (MCAS).
- For example, an e-commerce business may take up a Web Application Firewall, admin access control to only relevant parties, and physical restriction to access the servers to protect the uptime of their online storefront. The implementation of MCAS is dependent on physical, technical, and administrative controls.
4. Compute the organization's MCAS' levels.
- To rate each MCA's levels (1-3) based on safeguard controls that need to be applied. If safeguards need to be applied for only one aspect of the CIA triangle, it is level 1, for two aspects, it is level 2, and for all three aspects it is level 3.
5. Evaluate the minimum overall cybersecurity controls implementation (MOCCI) for the organization.
- A higher level (“overall” in MOCCI acronym) overview and security control required based on the potential threats that the organization may encounter on the human, physical, and data layers. If the organization has public facing endpoints then that must be prioritized in the minimum overall controls.
6. Evaluate the organization's MOCCI levels.
- Evaluate minimum implementations for data protection levels. An organization may begin with a baseline level at level 1 - which minimally safeguards the endpoint, human, physical, public application, network, and data layers, then move on to level 2 - safeguarding the internal network and application layers, then level 3 - protection of the data layer.
7. Evaluate the organization's LCCI level.
- Having implemented the above (evaluating and implementing) MCAS and MOCCI the organization may be evaluated and receive an LCCI level. MCAS level 1 with MOCCI level 1 evaluates to LCCI level 1.
The framework is domain specific (SecureClaw Inc, 2025), which makes it more versatile and agile and can ease and encourage adoption by SMEs. While frameworks such as NIST SP 800-39 may require dedicated teams, LCCI's approach allows SMEs to apply cybersecurity policies with minimal resources.
Other leaner frameworks exist, for example, the United States' Department of Defence's (DoD) Cybersecurity Maturity Model Certification (CMMC) program which provides a similar tiered model of evaluation for contractors with the DoD (Chief Information Officer U.S Department of Defense, 2025). Singapore's CSA also has its own version of a leaner cybersecurity framework. It is important to note however, that while these certifications are referred to as “frameworks” within the context of this essay, they are technically certification programs and not internationally recognized standards like that of the aforementioned ISO and NIST frameworks.
Cyber Security Agency of Singapore
Beyond the adoption of a cybersecurity framework for SMEs, on a macro (national) scale, the Singaporean government is also making cybersecurity initiatives with the formation of CSA in 2015. CSA was formed with the vision to capture the benefits of a more connected world in a trusted and resilient cyberspace (Information on CSA's Mission, Vision and Values, 2025).
For a holistic approach to cybersecurity on a macro scale, the CSA outlines a Cybersecurity Health Plan which includes several services and funding for eligible SMEs. Such services include Chief Information Security Officers as-a-service (CISOaaS), Data Security as-a-Service (DSaaS) for Ministry of Health (MOH) for organizations in the healthcare sector, Data Protection Officer as-a-Service (DPOaaS) for social service agencies under the National Council of Social Service, Vulnerability Assessment / Penetration Testing (VA/PT) Service, and Incident Response (IR) Service (CISO As-A-Service to Develop Cybersecurity Health Plan, 2025).
Additionally, organizations with limited resources, if eligible, can seek government funding once onboarded with CSA. Between March 2021 and April 2023, over 500 businesses have taken up CSA's initiatives and 80% of them now have basic cybersecurity practices within the organization (Nur, 2023).
To further encourage SMEs to take up cybersecurity practices, CSA has also come up with two certifications, namely Cyber Essentials and Cyber Trust. These provide recognition to SMEs that invest in and prioritize cybersecurity.
Cyber Essentials - Basic Security for SMEs
The Cyber Essentials certification is crafted and geared towards organizations that are embarking on their cybersecurity journey and will equip them with the minimum necessary security controls and best industry practices to face upcoming cyber threats. It is a cost effective approach to garner trust among customers, clients, or stakeholders. The key factors of the certifications are identification of assets, protection of the assets, updating systems, backing up the assets, and preparing an incident response plan (Cyber Security Agency of Singapore, 2025). This framework also allows for SMEs with lean resources to apply a basic level of cybersecurity within their organization.
Cyber Trust - An Elevated Cybersecurity Standard
To go a step further, the Cyber Trust mark is a certification awarded to organizations that go beyond the basic cybersecurity practices. SMEs that utilize more extensive digital features in their business operations and require advanced cybersecurity measures can begin on the structured pathway of the international standard - ISO/IEC 27001 cybersecurity framework. SMEs looking to receive a mark of distinction for cybersecurity may look into acquiring this certification. This also means that the organization may receive guided training and instructions to follow and achieve the ISO/IEC 27001 framework requirements (Cyber Security Agency of Singapore, 2025).
Importance of CSA
The CSA plays a pivotal role in Singapore's digital landscape. In forming a lean and minimal framework that SMEs can adopt via Cyber Essentials and also creating an accessible pathway for SMEs to begin their ISO/IEC 27001 certification via Cyber Trust, CSA encourages SMEs to take up the initiative to secure their digital assets in a low resource manner by way of structured outsourced training and education.
The CSA also offers services such as CISOaaS and DPOaaS which allow organizations to gain access to important cybersecurity talent on-demand without having to allocate major funds and resources towards specific cybersecurity roles. The democratization of such roles helps low-resource organizations defend themselves against emerging risks while also focusing on their business operations.
Conclusion
This essay has marked the critical role of cybersecurity within SMEs to protect their business continuity, reliability, and financial stability. It began with outlining the rapid growth of the cybercriminal industry, how SMEs are disproportionately targeted due to the likelihood of lower cybersecurity, the business impacts, and possible solutions that SMEs may adopt. Additionally, it highlights the initiatives that are being undertaken on a national scale in Singapore, to assist SMEs in securing their cyberspace.
The business impacts of cyber threats upon SMEs cannot be ignored and the Singaporean government has responded with actionable plans to address the risks. However, SMEs must proactively adopt even basic cybersecurity measures, which are now more accessible than ever, to mitigate risks. It is clearly illustrated that SMEs are the backbone of the Singaporean economy, and their resilience determines Singapore's economic stability. In a time of unrelenting cyber attacks, complacency and ignorance are unacceptable; cybersecurity is a must for survival.
[[ REFERENCES ]]
i almost failed this essay because there was a small line under the HUGE instructions on the assignment paper that said "(also compare against MNCs)". obviously, i didn't do that.
also almost failed because i probably didn't take references from studies, but sites, and some of them less credible. doesn't make the point of my essay less meaningful. i was rushing this because i am a procrastinator, and at that point at 2am in the night, i grabbed what i could find.
i've written a slightly better essay after this for another assignment
type type type,
chxshire22
