EXECUTIVE SUMMARY: This is the first part of a two-part series about the state of cyber security in Singapore, the new cyber security law, and the need for companies to take action.
Singapore businesses underestimate threat level
Businesses in Singapore continue to underestimate the magnitude of the threat posed by cyber-attacks, as a recent report by A.T. Kearney shows.
The report shows that Singapore’s strategic relevance makes organisations there prime targets for cyberattacks. “Specifically, cyber resilience is generally low, and the level of cyber readiness is low. There is an underestimation of value-at-risk, and thus underinvestment in threat protection.” The report warns as well of a skills shortage for cyber security.
The government is acting to improve the security readiness of organisations in the country. A new cyber security law has been passed (please see the next blog, part 2 of this series), and the national budget providing incentives for cyber security initiatives by private organisations has been increased. Fines for mismanagement of data breaches are now the highest in Asia.
But, in a twelve-month period, roughly one in four targeted attacks resulted in an actual security breach, which equates to two to three effective attacks per month for the average company in Singapore, according to Accenture. Less than half of Singapore organisations say that they are ready to detect and control data breaches.
A survey conducted by managed security services provider Quann and research firm IDC in June 2017 covered 150 senior IT professionals from medium to large companies based in Singapore, Hong Kong and Malaysia. The results showed that 40 per cent of the respondents do not have incident response plans for when they are being attacked and 67 per cent do not practise their incident response plans.
The point was made emphatically in September 2017, when 5,400 client records of the AXA Insurance firm in Singapore were leaked in a cyber-attack. In particular, clients’ e-mail addresses, mobile numbers and dates of birth were exposed, although the firm said no other data was leaked.
Singapore companies are digitally transforming their operations, and thus are increasingly data driven, according to Dell EMC Asia Pacific & Japan vice president of speciality sales Dmitri Chen. Singapore businesses are realising the opportunity and using data effectively. “But as they use data to take advantage of new opportunities, there is also a greater risk – the attack surface is expanding and so too are the requirements for how you manage this data. This makes building scalable secure IT environments and optimizing infrastructure an unavoidable requirement for organizations today,” he added.
Although Singapore’s cybersecurity spend per capita is higher than that of the other Asia Pacific economies, at $75 per person according to a study by PwC, it is lower than that of developed, western markets such as the US and UK. This is because Singapore companies do not consider cyber security a priority, and so are reluctant to divert resources to it, the report says.
A good example may be seen in the fact that only 10 per cent of Singapore organisations are taking action to comply with the EU’s General Data Protection Regulation. Yet a much larger percentage of companies share data with the EU, and so are liable under the regulation.
The government is taking action, with a new cyber security law (please see next blog) and with capacity building. But it is the private companies that are lagging and, as a result, are vulnerable to potential threats.
Skills shortage exacerbates challenge
In Singapore, SMEs are especially vulnerable, as they often lack the resources or know-how to adopt appropriate cybersecurity practices. There is, of course, the danger that an attack on an SME can then easily spread to critical infrastructure.
Almost 40 per cent of the 146 cases reported to SingCERT in 2017 involved businesses, particularly SMEs, and most of the cases involved phishing attacks and ransomware. The agency is working with SMEs and larger businesses to encourage investment in up-to-date threat protection.
But take-up is still relatively slow. The result is that compromised employee records, followed by compromised customer records, make up the top 2 issues that organisations in Singapore experienced as a result of security incidents.
The need for more skilled cyber security experts is great in Singapore, although the shortage of talent is on a global scale. As of 2019, there will be a worldwide shortage of more than 2 million professionals, according to the US Information Systems Audit and Control Association. Certain specific skill sets such as systems architecture design, behavioural analytics and digital forensics are acutely in short supply, the organisation says.
Furthermore, training for existing workers is critical to reinforce cyber security. Beyond the board and management, every employee matters. “A Cyber Security Agency of Singapore 2017 survey showed that Singaporeans display risky behaviour that jeopardises their own and their company’s cyber security,” according to a recent report. “It does not matter how advanced the corporate anti-virus is if employees indiscriminately download free but potentially malware-laden software from dubious sources. Every careless employee is an open door for hackers to exploit.”
Mr David Koh, Commissioner of Cybersecurity and Chief Executive of CSA, makes clear that the government will pursue an aggressive strategy for overall improvement. “Given Singapore’s connectivity, what happens globally is often immediately felt here. As we continue our Smart Nation push, we have to raise our cyber hygiene and defences, especially against cyber-attackers who are getting better resourced and skilled. We need to play our part by being vigilant and adopting good cybersecurity practices to keep Singapore’s cyberspace safe and trustworthy for all.”
Clearly, having a robust governance practice is the best way for Singapore companies to ensure they can both protect themselves from data breaches and can manage those that occur.
Diligent Governance Cloud provides support for company-wide security
By managing cyber risk at the top, Diligent Governance Cloud enables the board to set an example across the organisation.
Governance Cloud is Diligent’s ecosystem of cloud-based governance tools that provides a complete solution to enable leading bodies of organizations to mitigate risk and collectively govern at the highest level.
Seasoned in the governance space, Diligent has been in the leading position in the market for more than 15 years, offering the industry’s leading, most secure and intuitive board management technology. Our deep customer insights and heavy investment in R&D have allowed us to expand our offering to support the full governance journey.
Whether you choose to start with only Diligent Boards™ or multiple, integrated tools, we are the only partner in the market you can grow with as your governance needs evolve.