Don't let cybersecurity be an afterthought
MANY business and information technology (IT) leaders whom I have spoken to agree that technology is a disruptive force - one that enables new business models, opens new sources of revenue and shapes entire industry landscapes. However, one of the biggest challenges in digital transformation is ensuring security, privacy and compliance.
As employees bring devices, apps and data into organisations, protecting company data becomes more important than ever before. In today's digital world, traditional IT boundaries are fast disappearing and adversaries are continuously identifying new targets to attack.
Against this backdrop, organisations that do not prioritise security face the risk of significant financial loss, damage to customer satisfaction and market reputation - as has been made all too clear by recent high-profile breaches.
The recent Singapore Cyber Landscape Report 2017 painted a clear picture of the cybersecurity risks that the nation faced in the past year. What was interesting to note was that global incidents such as the mass defacement of WordPress websites, WannaCry and NotPetya ransomware attacks as well as the Yahoo data breach seem to mirror the cybersecurity incidents that we encounter here in Singapore.
While organisations in Singapore emerged relatively unscathed from the incidents that took place last year, the report revealed that there is still much work to do as we expect more attacks on business and individuals, growing threats to connected mobile devices, state-linked cyber actors making bolder moves, weak links being increasingly targeted, and more signs of artificial intelligence (AI) enabled cyberthreats and solutions being used in 2018.
This means that cybersecurity cannot be an afterthought for organisations of all sizes, as threats are becoming increasingly malicious, with potentially bigger impact on businesses as the threat landscape evolves.
The true cost of cybersecurity incidents: economy, opportunities and job losses
Earlier this year, Microsoft conducted a cybersecurity study in partnership with Frost & Sullivan, with the aim of providing business and IT decision makers with insights into the economic cost of cybersecurity breaches in Singapore and identifying key gaps in organisations' cybersecurity strategies.
The study, which was conducted with 1,300 business and IT decision makers across the Asia-Pacific region, including 100 from Singapore, revealed that business and IT leaders often underestimate the business and economic impact of a cyber attack, and that what leaders see at the moment could merely be the tip of an iceberg. By calculating the direct, indirect and induced losses associated with a cybersecurity incident using the Frost & Sullivan economic loss model, the potential economic loss in Singapore due to these incidents can hit a staggering US$17.7 billion, amounting to 6 per cent of Singapore's total gross domestic product of US$297 billion.
This also points to the idea that the direct losses incurred because of a cybersecurity incident - associated financial losses including loss of productivity, fines, remediation costs, etc - form only a part of the total. Indirect costs, such as opportunity costs to the organisation like customer churn due to reputation loss, and the impact of a cyber breach on the broader ecosystem and economy, such as a decrease in consumer and enterprise spending, also add up to form the bigger picture of the true cost of cybersecurity incidents - which is often much larger than what most leaders imagine.
Prioritising security in your organisation's digital transformation journey
With cybersecurity incidents being extremely costly for organisations of all sizes in Singapore - averaging US$13.8 million in economic loss for a large-size organisation and US$177,000 for a mid-size organisation - cybersecurity needs to be prioritised in an organisation's digital transformation strategy in order to help lay a secure foundation for its continued growth in the future.
Each year, Microsoft invests in research and development, spending over a billion dollars, to discover ways to help organisations withstand and respond to cyber attacks through a unique combination of our intelligence, platform and partners. Drawing from what we have learnt, here are five cybersecurity best practices that can help organisations strengthen their cyber defence in the digital world:
- Prioritise cybersecurity as a digital transformation enabler: The disconnect between cybersecurity practices and digital transformation efforts creates frustration for employees. Positioning cybersecurity as a prerequisite for digital transformation not only keeps the company safe through its journey, it also presents an opportunity for business leaders to abandon ageing cybersecurity practices and embrace new methods of countering today's cyber risks.
- Invest in strengthening your security fundamentals: Over 90 per cent of cyber incidents can be averted by maintaining the most basic best practices. Maintaining strong passwords, making conditional use of multi-factor authentication against suspicious authentications, and keeping device operating systems, software and anti-malware protection up to date and genuine can rapidly raise the bar against cyber attacks. This should include not just tool-sets but also training and policies to support stronger fundamentals.
- Maximise skills and tools by leveraging integrated best-of-suite tools: Contrary to the popular belief that deploying a large portfolio of cybersecurity solutions will render stronger protection, our survey revealed that 29 per cent of respondents with more than 50 cybersecurity solutions could recover from cyber attacks within an hour. In contrast, 38 per cent with fewer than 10 cybersecurity solutions said that they can recover from cyber attacks within an hour. Reducing the complexity of your security operations through the use of integrated best-of-suite tools could be a great way to maximise your risk coverage without introducing too many tools and too much complexity to the environment.
- Assessment, review and continuous compliance: Assessments and reviews should be conducted regularly to test for potential gaps that may occur as the organisation is rapidly transforming. The board should keep tabs on not just compliance to industry regulations but also how the organisation is progressing against security best practices.
- Leverage AI to increase capabilities and capacity: With security capabilities in short supply, organisations need to look to automation and AI to improve the capabilities and capacity of their security operations. The current advancements in AI have shown a lot of promise, not just in raising detections that would otherwise be missed but also in reasoning over how the various data signals should be interpreted with recommended actions. Such systems have seen great success in cloud implementations where huge volumes of data can be processed rapidly.
- The writer is chief technology officer of Microsoft Singapore