Targeted initiatives, collaboration needed in war on cyber crime
WITH Singapore having gone from one data breach to another lately, observers are looking to the upcoming Budget to offer cyber security funding and to put in place additional protective measures.
A 2018 report by global consulting firm AT Kearney has found that Singapore spends about 0.22 per cent of its gross domestic product on cyber security, well above the global average of 0.13 per cent.
Specialists in the field who spoke to The Business Times generally agreed that the current strategy addresses most macro cyber security issues, but lacks targeted initiatives such as roadmaps for building up cyber security defences and handling cyber attacks, public-education programmes and platforms to help organisations collaborate in fighting cyber crime.
Matthew Heap, head of solutions architecture at Rackspace Asia, said that a common concern among businesses about investing in cyber security is ensuring that cost-reduction measures are in place, so that IT expenditure does not undermine profits or cut into core business expenditures.
"It is important to reduce IT costs - but without cutting skilled resources or impacting customer service."
Rajah & Tann Singapore LLP partner Benjamin Cheong, whose specialisations include data protection and cyber security, suggested that to defray some of these costs, the Budget could include grants especially for small and medium-sized enterprises (SMEs).
SMEs make up 99 per cent of all local enterprises here, and many handle important data in their support roles for the government and critical information infrastructure.
The wider population would benefit from better cyber security knowledge and improved IT systems; such businesses would also need staff trained to respond to cyber attacks.
Companies should be urged to treat cyber security as a persistent threat, and to constantly update their employee training to defend against it.
Naveen Bhat, managing director for the Asia-Pacific at Ixia Solutions Group, noted: "The tactics employed by cyber criminals will evolve, and the only way to avoid falling prey to them is to stay vigilant and keep yourself up to date with today's threats."
Companies that do not prioritise cyber security and training will be caught off-guard when breaches occur, and will have to scramble to contain the damage and figure out what to do.
Rajah & Tann's Mr Cheong suggested setting up a hotline where companies can get help in dealing with severe cyber security breaches. A database of incidents should be compiled to help with spotting trends, detecting cyber risks early and identifying best practices for the prevention and management of cyber breaches.
Cyber incidents are often under-reported because the relationship between the government and companies that have experienced these breaches is perceived as "adversarial", said Aman Dhingra, associate partner and lead for cyber security practice in South-east Asia at McKinsey & Company.
He urged the government to offer assistance to companies that come forward to report their data breaches. This would encourage them to continue being transparent about such incidents, in turn promoting a more collaborative relationship between the private and public sector - while giving the authorities better visibility of threats and attacks.
Even better would be round-the-clock surveillance of both public and private networks, said Ixia's Mr Bhat. "Just as Singapore continuously monitors its highways with cameras, we should dramatically step up the monitoring of our networks to watch for malicious traffic as well."
Patrick Chew, OCBC Bank's head of operational risk management, urged organisations to share information and test their collective responses to cyber attacks regularly.
"This collective effort should not be limited to just peers in the same industry," he said. "National agencies, industry associations, security vendors and consultants should also be included."
All the same, the rapid evolution of cyber-attack tactics means that security breaches are getting harder to prevent, and cyber criminals will only become bolder with each success.
Andrew Yeong, head of the Asia-Pacific for Tata Communications, said Singapore's cyber security strategy should start shifting from prevention to resilience, and focusing on identifying and dealing with breaches as quickly as possible.
Stas Protassov, chief operating officer and president of data-protection firm Acronis, noted: "When dealing with the risk of advanced persistent threats, the government should adopt an 'assume compromised' mindset and stay alert at all times."
This means focusing on threat "detection-and-response" practices to actively search for traces of an attack, as opposed to taking the classic "threat-protection" approach with security tools like antivirus programs and up-to-date software, said Mr Protassov.
Given that experts with such threat-hunting and investigation skills are hard to come by, the Singapore government may have to step in and help companies develop such skills among existing employees, suggested Nilesh Jain, vice-president for South-east Asia and India at Trend Micro.
At the same time, Singapore needs to strengthen its law enforcement and prosecution of cyber attackers, said Rajah & Tann's Mr Cheong.
He noted that the current focus is on a strong defence by securing systems and exchanging information on cyber norms and legislation with other countries, rather than going on the offensive to recruit international cooperation and take action against cyber attackers.
"Taking steps to track down and prosecute cyber criminals who perpetuate very serious cyber attacks would send a strong deterrent signal to the world at large - that targeting Singapore companies or systems will land them in serious trouble in Singapore," he said.
Public-education initiatives are another needed measure to ensure that ordinary employees are part of a company's defence against cyber attacks, rather than being its weakest links.
Unsafe data practices are rife among Singapore employees. These range from poor password management and having unprotected devices to clicking on dubious website links. Such actions, rather than conventional hacking, were the root cause of breaches in 61 out of 68 enforcement cases by the Personal Data Protection Commission, which data protection firm Straits Interactive analysed.
Straits Interactive CEO Kevin Shepherdson noted: "All of these could have been prevented by basic training and educational talks - for everyone within the company, including senior staff."
Public-education campaigns should be mounted to warn the public about the dangers of cyber attacks and how to avoid them, in the same vein as current campaigns about WeChat and WhatsApp "love scams", said Rajah & Tann's Mr Cheong.
He added that cyber safety programmes should be made readily available to secondary school students and offered as SkillsFuture courses for adults.
Cyber safety training for non-IT employees is also a cost-effective way to improve overall cyber security, since one can hire only so many IT professionals to shore up a company's defences, said Tata Communications' Mr Yeong.
"By training existing employees on cyber security, companies can help close the skills gap without having to hire new employees. If more employees are aware of what they can do to help prevent attacks, fewer specialists are needed."