Putting on the cyber defence armour
In this age of digitalisation, we are not safe from cyberattacks. Organisations are always at risk of digital heists as data currency becomes the most sought-after asset. With a lack of cyber hygiene and the common citizen being an easy target, data breaches are a common occurrence today and the consequences are almost fathomless.
Monetary loss and exposure of private and confidential information are almost inevitable but it is reputational damage that impacts organisations most severely, especially with high technology dependence.
Technological advancements have benefited many, from boosting productivity to making our daily lives more convenient. These advancements have also resulted in the growth of a darker side.
The underground cyber community is now growing its own "industry" with a projected trajectory of a trillion dollars. It is spawning an endless list of products such as "off-the-shelf" phishing and ransomware kits, customised malware, DDoS-as-a-Service and even hack-as-a-service.
It is a positive sign that the government of Singapore recognises the danger of the borderless nature of cyber to its economy and national security.
From signing memorandums of understanding (MOUs) to enhance cross-border cybersecurity cooperation with countries such as the United States, the Netherlands, France and China, to investing S$10 million in an Asean Cyber Capacity Programme to deepen cybersecurity cooperation and capabilities among the Asean member states, Singapore is clear in its intention of establishing a secure and resilient cyber ecosystem both within and outside of its borders.
The government has expressed its plans to benchmark its cybersecurity budget against South Korea and Israel at 8 per cent - 10 per cent of the Info-Communications & Technology (ICT) budget. It also published the Cybersecurity Strategy, detailing its roadmap to build a safe and resilient cyberspace through national efforts and international ties. This has manifested most recently with changes to the existing Computer Misuse and Cybersecurity Act passed in Parliament.
More specifically, the changes now allow action against wrongdoings relating to personal data breaches and use of hacking tools to commit an offence in Singapore regardless of the origin of the offence.
In addition, we can also expect the Cybersecurity Act to be published in the later part of 2017 as an update to the legislative framework to include cyber defence.
Growing pool of cybersecurity professionals
Any organisation functioning without a cybersecurity professional may not feel a gap in its technology capabilities until an incident happens and things spiral out of control.
The role of cybersecurity professionals is crucial - not only do they secure data and systems, they are responsible for vigilantly monitoring suspicious activity and responding to incidents.
More importantly, they enable the resilience needed for an organisation to return to normal business after an attack.
There is a worldwide shortage of cybersecurity professionals. In Singapore, the recently announced Cybersecurity Professional Scheme, along with the previously launched TechSkills Accelerator (TeSA), Critical Infocomm Technology Resource Programme Plus (CITREP+) and Cyber Security Associates and Technologists (CSAT) programme, should go some way to address this shortage. These schemes and programmes are strongly focused on developing a pool of skilled cybersecurity professionals to stem the acute talent shortage.
It is encouraging to see further revisions that support talent development announced in the 2017 Singapore Budget.
This includes plans to enhance Workforce Singapore's Adapt and Grow initiative that provides wage and training support for career development and conversion, and the launch of the new Attach and Train initiative for industry partners to further provide training and work attachment opportunities to prepare personnel for employment in growth sectors, including those with an interest in cybersecurity.
While these two initiatives give a general push to cultivate a more diversely skilled workforce by encouraging knowledge and insight across sectors and industries, in order to address the future needs for highly experienced cyber professionals, specific cyber-relevant industry placements and specialised training are especially needed.
What would be good to see in the future is a more targeted cybersecurity training scheme, under Attach and Train, so that there is sharper focus on this high demand skillset.
Cybersecurity battle for SMEs
Local small and medium enterprises (SMEs) make up more than 90 per cent of enterprises in Singapore and contribute to nearly half of the GDP while employing 70 per cent of the workforce.
It is no surprise that the government has provided many incentives and schemes for SMEs to innovate, adopt new and enabling technologies, increase productivity and expand overseas. The latest scheme announced at Budget 2017 is the SMEs Go Digital Programme.
As part of their technological and digitalisation journey, it is imperative that SMEs put equal zeal into building up their cybersecurity capabilities - the more digital and technology-enabled they become, the bigger the cyber threats are to their business.
SMEs are an intrinsic part of supply chains, and all it takes is for one person in their company to click on a link or open a file to unleash malicious code or download ransomware into a system, exposing themselves and third parties (likely to include other SMEs) in their ecosystem.
As the government schemes mature and evolve, SMEs should take advantage of the opportunity and assess their cybersecurity maturity to continually develop and update their IT security to ensure resilience against cyberattacks.
Simulation and testing through the use of sandboxes before a launch is useful as it provides a safe environment to test features and functions of an application.
It also allows simulated behaviour, including attacks by white-hats, to expose vulnerabilities that need to be addressed before they go online.
As part of the journey, SMEs need to further consider:
- recognising that organisations face cyber risks regardless of the nature of their business;
- having in-depth understanding of the regulations and compliance regime in the countries they are targeting;
- implementing a sustainable and robust security programme;
- acquiring experienced talent to build and maintain the programme;
- engaging approved solutions and service providers to supplement skills and operational gaps to meet business and regulatory expectations.
Cyber savviness has to start early and cybersecurity needs to be at the top of the mind. It is only with heightened vigilance that we can defend ourselves in today's digital world.
- The writer is cybersecurity leader for Deloitte South-east Asia.
- The views expressed are his own.