The Covid-19 pandemic has forced companies and organisations to digitise. Sudden adoptions of remote and hybrid work arrangements meant the migration of a significant part of operations to the cloud. In the past year or so, businesses have grown used to collaborating online, with many of them making distributed work models a permanent fixture.
While employees welcome such arrangements, citing higher productivity and cost-savings from the reduction in commuting to the office, there are some perils that are often not talked about when it comes to using cloud-based tools for work.
The risk of a data breach is higher when staff bring their work home. Why? Simply put, firewalls and compliance procedures that exist within office frameworks don’t exist at home. Staff access office servers via their work devices such as laptops, tablets and mobile phones.
These devices are connected to their home networks, which lack the cybersecurity infrastructures and protocols that protect enterprises from possible hacks and breaches. Employees are left on their own to exercise any best practices their companies may impose to prevent any breaches originating from their home networks.
As such, the risk of data breaches looms large.
Organisations and businesses with a large database of client data are often targeted by cybercriminals through malicious acts, such as launching ransomware, as with the case of Eye & Retina Surgeons, which took place in August this year. Attackers held patient information hostage for a ransom, threatening to leak the data if the clinic did not pay up.
Then there is the Personal Data Protection Act, or PDPA, a law that penalises companies when their customers’ or clients’ private data is in danger of being accessed unlawfully.
The PDPA was passed in April 2016. It is enforced by the Personal Data Protection Commission (PDPC), which is Singapore’s designated consumer data watchdog.
Under the PDPA, organisations cannot share your personal data with an external entity without your consent. Even if you gave your consent for the organisation to use or share your data with third parties, it needs to occur only within the consent’s terms and conditions.
Personal contact information and medical records are examples of data that the PDPA protects. A leak of the latter could have disastrous consequences, particularly if there is a stigma attached to a patient’s medical conditions.
If an organisation is found guilty of flouting the PDPA, it could face a maximum fine of $1 million or 10 percent of annual turnover if turnover exceeds $10 million, whichever is higher. It is a hefty sum to pay.
Beyond the financial consequences is the loss of reputation and trust with consumers. This could be more detrimental than fines, as a damaged reputation takes a long time to fix. But it appears that businesses have yet to catch up: the Personal Data Protection Commission has already collected $2.68 million in fines to date, since it launched six years ago.
The responsibility lies with the business owner to ensure that their customer data is well-protected and isn’t at risk of being stolen by cybercriminals. Although cloud vendors are typically insured against breaches, entrusting them isn’t going to protect you when the PDPA rears its ugly head.
After all, businesses have been fined by the PDPC for not protecting customer data hosted on a third-party cloud server. Commeasure, the operator of the RedDoorz hotel booking platform, was fined in November for failing to protect its customer data. The data was stored on Amazon Web Services’ cloud platform.
Cyberattacks are getting increasingly sophisticated, with hackers constantly conjuring up new and more mysterious methods of stealing sensitive information. You could fall prey to data breaches, regardless of how robust and up-to-date your cybersecurity framework is.
Cyber insurance is another layer in protecting your business against unwanted threats. Just like regular insurance, it provides payouts in the event that something unexpected and unfortunate happens.
The payout amount could provide a cushion for financial losses that may occur in case of a data breach. These financial losses include any penalties levied by the PDPC, if you are found to have flouted PDPA regulations. Bear in mind that the insurer will go through a detailed process of assessment, before deciding if a claim is approved.
Cyber insurance’s benefits also cover various types of recovery costs. For instance, there may be legal costs incurred, as well as public relations and data forensic expenses.
In the event of a ransomware attack or other types of cyber fraud, where your data is held hostage to extort money from you, cyber insurance covers the funds used to recover your data.
Most insurers utilise a professional ransomware negotiator to de-escalate the situation and minimise further threats, as well as gather information on the cybercrime organisation responsible for the attack.
A cyber insurance framework will initiate some form of damage control should a data breach occur. There are many types of cyber insurance products that offer different types of benefits and solutions. On top of that, cyber insurance providers have a hotline that you can call, should there be a data breach or a hack.
Business owners should consult with a cyber insurance specialist to find out which type of product suits their business models and needs.