
Attitude and culture trump compliance in cybersecurity

Published Thu, Jan 25, 2018 · 09:50 PM

ASK anyone about RMS Titanic, and chances are they will lament how Rose could have saved Jack if she had made some space. However, back when it was still fresh in people's minds, the sinking sparked public outrage. That was no surprise, given that it could have been avoided if not for the ship crew's blasé attitude towards safety - negligence that claimed over 1,500 lives. What similarities does a tragedy that happened more than a century ago have with cybersecurity today?

We are well aware of the consequences of a cyberattack - nine of 10 organisations in Asia-Pacific experienced it firsthand in 2016. But awareness often does not equate to action; consider how, in the same year, hackers were 80 per cent more likely to attack organisations in the region due to a lack of cybersecurity measures. Governments are ramping up efforts to reduce cyber risks. China, for instance, implemented a cybersecurity law last year to protect its citizens' data, while Singapore is set to introduce a new Cybersecurity Bill in 2018 to ensure organisations maintain a certain level of security in their IT systems.

But is compliance really enough? RMS Titanic operated well within the maritime safety standards of the time, but what it failed to do was cultivate a culture of safety among the crew. Hazard warnings of icebergs - not one but six of them - were treated as advisories rather than a call to action. Crew members were not given enough time to familiarise themselves with RMS Titanic before it sailed, and lifeboat training was conducted only once - and even that was a cursory effort. Not least, despite being fully aware of icebergs on its course, the ship steamed full speed ahead.
