Govt should incentivise SMEs in building & maintaining cyber resiliency

Small and medium enterprises (SME) perpetually worry about the costs of everything in order to keep their business running.

When their computers do down, their productivity can slow to a crawl or stop entirely. Recovering the data would be very costly especially when they don't have backups or regular backup of their system. They would end up paying their employees for a day or days when they can’t get anything accomplished. The costs of downtime can be monumental when combined the lack of production and harm to their reputation. In surveys done in the developed countries, it is estimated that 60% of these SMEs go out of business after their operations were hacked by cyber criminals.

The current trend is that cyber criminals are increasingly targeting the supply chains populated by the SMEs instead of the large organisations as they know that these SMEs placed low priority on building their cyber resilience. The supply chain provides almost

'instantaneous' access for the cyber criminals to 'go into' the larger organisations with lesser difficulties.

Because of this trend, larger organisations are now beginning to demand that vendors in the supply chain undertakes and maintain a cyber resilient framework in their organisation failing which they would NOT be allowed to provide supplies to these larger organisations.

SMEs however, are constrained by costs, in installing and maintaining the necessary hardware and software to meet the required cyber resiliencies demanded by the larger organisations. Even if these SMEs can afford to do so, they are constrained by the lack of available and experienced cybersecurity analysts to assist and help them. This particular constraint affects not only SMEs but larger organisations also in Malaysia. In fact it is a problem across the world.

In one survey, 60% of the SMEs go out of business after their operations were hacked by cyber criminals.

Of late, a few countries in Asia legislated acts on cybersecurity. In our views, all these acts are 'defensive' in nature i.e., a 'defensive ring' were created to encircle the workings of the internet into and out of these countries respectively. These legislations, however, does not address the core issue - which is the organisations in the countries themselves must take proactive steps to 'protect' themselves. It is just like the country can have stringent quarantine measures to prevent livestocks and agriculture products from being imported or entering the country for fear of diseases being carried and transmitted by these products. However, if the citizens of the country does not practise and maintain 'hygiene' in their lifestyle when they travelled, they can also 'bring and transport' these diseases indirectly into the country and spread it into the local population when they comes into contact with their neighbors and friends alike upon their return. The government can’t possibly 'sanitised' every returning citizens!

Not every cyber criminals thrives on financial benefits. A lot, thrives on the challenge and the thrill of 'taking down' something for the fun of it. Some may say these hackers are irresponsible and have no ethics in destroying lives and businesses that take years to build. But whatever it is, cyber risks is here to stay and would remain forever, a part of our lives. Laws would not stop hackers from ceasing their activities. Proactive measures taken to minimise risks is more sustainable over the long term instead of enacting legislation to regulate. Vice versa legislation to regulate can also 'harm' the country’s attractiveness to the foreign investors if it is too stringent in implementation.

MITI has recently said they hope the country can pick up 'the slack' resulting from the US China trade war with businesses locating to Malaysia. MITI did however, said that the priority area they are targeting are the high technology companies.

Malaysia has more than 500,000 SMEs of various sizes supplying to larger organisations locally and internationally. Any take up of this slack would benefit these SMEs tremendously. If these high technology companies were to locate here, one of the key areas which they would be assessing will be the cyber resiliency of the SMEs in Malaysia. 

We hope that the government can explore and look into providing tax incentives or grants or other forms of incentives to incentivise SMEs in Malaysia to build and maintain cyber resiliency so that they do not lose out in trying to be part of the global supply chain to organisations that could be looking to locate their businesses to Malaysia.