How businesses can adapt and thrive amid ESG integration and rising scam threats
IBM Singapore's managing director underscores the crucial role of cybersecurity in safeguarding businesses in a rapidly evolving digital landscape
Integrating cybersecurity into ESG (environmental, social, and governance) initiatives is critical, as is treating it as an integral part of a comprehensive business strategy. ESG should not be viewed as a separate entity, but rather as a facilitator that should be presented to both the board and the organisation. To ensure the organisation's cybersecurity, key leaders such as the Chief Information Officer (CIO), Chief Information Security Officer (CISO), and Chief Finance Officer (CFO) must collaborate.
Mr Marcus Yin, CISO at CPIB (Corrupt Practices Investigation Bureau), emphasized this perspective at the "IBM Tech Fest: Explore the Catalyst for Innovation" event in Singapore. He stressed the importance of the CISO's role in collaborating with other departments to create a cohesive cybersecurity strategy.
In Singapore, scam victims lost over $660 million in 2022, a 4.5 per cent increase from the previous year. According to the Singapore Police Force (SPF), young adults aged 20 to 39 were the most vulnerable demographic, with job scams being the most prevalent. The top five scam types were phishing, job, e-commerce, investment, and fake friend call scams.
To address this issue, the Cyber Security Agency of Singapore (CSA) plans to launch a program that assists small and medium-sized businesses (SMEs) in creating cybersecurity health plans and securing funding. The program will provide CISO-as-a-Service (CISOaaS) to SMEs with limited resources for hiring cybersecurity personnel. This initiative was announced by Senior Minister of State at the Ministry of Communications and Information (MCI), Tan Kiat How, on February 28, 2023.
CSA's goal is to encourage SMEs to enhance their cyber defenses through regular "cyber health check-ups" and by obtaining national cybersecurity certifications, such as the CSA's Cyber Essentials mark.
The challenge lies in allocating security budgets to minimise risk. Mr Yin suggests considering human risk factors, whether malicious or unintentional, and using tools such as data loss prevention, monitoring tools, and Security Detection and Response (SDR) to address various risks. Each tool serves a different purpose, requiring distinct budget allocations but falling under the overall security budget.
Balancing priorities like digital transformation, ESG, and cybersecurity can be difficult for companies striving to stay competitive. Ms Tan Hwee Chee, Group Head of IT Security and Governance at CGS-CIMB Securities, believes companies need to act quickly while remaining aware of the risks. A strong cybersecurity culture takes time to develop, and it is up to the cybersecurity team or CISO to ensure appropriate conversations occur at the board level.
Dividing a security budget between human and non-human risks is challenging. Ms Tan notes that visibility is increasingly important in addressing human factors, and cybersecurity must evolve from being an IT job to a collaborative business function.
"Innovative initiatives require thorough assessment of risks and impacts. Open communication and collaboration between cybersecurity professionals and business units are crucial in guiding decisions toward mutually beneficial outcomes," she adds.
Mr Nicholas Kwan, Country Security Leader at IBM Singapore, believes Singapore is more advanced in cybersecurity compared to the rest of the region. Companies are increasing their security budgets, but it is crucial to consider how these funds are utilised. Investments in training and technology may not yield immediate results, so having a roadmap outlining expected outcomes and return on investment is vital.
Mr Kwan asserts that cybersecurity should take precedence over ESG, as security requires immediate attention. Organisations must invest in security across all facets of their business, including apps, infrastructure, and cloud services, to avoid future repercussions.
According to the latest IBM Security X-Force Threat Intelligence Index, ransomware continues to be a significant threat, and paying ransoms is not advised. "Companies should focus on prevention through cyber hygiene, data backup, incident response training, and securing all potential attack surfaces," Mr Yin says.
Companies must assess the potential impact of AI tools like ChatGPT on their organisation. Mr Tan notes that organisations should consider the possibility of data leaks and ensure that policies and tools are in place to protect confidential information. Proper guidelines should govern the use of AI tools like ChatGPT within the organisation.
Mr Yin compares the use of ChatGPT in an organisation to social media, requiring security policies to ensure proper use and awareness. By doing so, organisations can benefit from AI while reducing the risk of security breaches and data leaks.
Mr Kwan emphasizes the importance of an organisation's response in a critical moment, which can significantly impact the time and money lost during an incident. Employing endpoint or extended detection and response technologies is crucial. He says, "Organisations must also assume compromise, perform regular offensive testing, and think like an attacker to identify vulnerabilities and possible entry points.
"There is no single, out-of-the-box solution to protect businesses today. Attackers are constantly innovating and evolving their techniques to evade detection, and cybersecurity strategies should be just as adaptable and flexible."
Written by Mr Colin Tan, managing director, IBM Singapore.
Copyright SPH Media. All rights reserved.