TAIPEI (Taiwan News) — Inadequate awareness of cybersecurity is to blame for the series of breaches reported at Taiwan’s small and medium-sized enterprises (SMEs) since the start of the year, said IT experts.

From car rental platforms including iRent and Car-plus to department stores like Breeze Center, incidents of data leaks concerning customers over the past months have sparked concern. Many companies in Taiwan lack the expertise, resources, and willingness required to protect their systems, a Business Today investigation has found.

In an example, the system of a server at a firm that received complaints about personal data being leaked was found to be lacking any sort of safeguards. Not only was the database it held not password-protected, it also appeared without access restrictions, the report quoted a Taiwanese information security expert as saying.

Jason Hsieh (謝昀澤), head of advisory services of KPMG in Taiwan, shared another example in which a company’s staff used the computer storing files of sales orders to “play video games.”

Many are simply pushing their luck, said Akuei Hsu (徐富桂) of IEK Consulting, and there is also the issue of accountability and insufficient investment in cybersecurity, according to Tsai Sung-ting (蔡松廷), founder of TeamT5, a digital security services provider.

The role of information security is often dwarfed by other IT elements in SMEs, such as infrastructure upgrades, which results in meager spending on security bolstering measures. According to KMPG, Taiwanese companies invest an average of 5% to 12% of their IT budget in cybersecurity, but a large proportion of SMEs do not fork out even 5%.

Meanwhile, fines incurred from cybersecurity incidents are considered too lenient, discouraging expanded investment. Supervisory measures also have been criticized for being ineffective.

Digital Minister Audrey Tang (唐鳳) has said the government is introducing higher penalties following the data leak events, with the Securities and Futures Bureau recently warning listed companies in Taiwan will face NT$5 million (US$163,178) in fines for not disclosing cyberattacks. The Cabinet is seeking to mend regulations, addressing the loopholes in how the country manages IT risks.