Smart Nation agenda needs rethink on cybersecurity

SINGAPORE'S Smart Nation push is yielding results. Identified as one of the most technologically ready economies in a recent Economic Intelligence Unit study, Singapore also ranked relatively high in cybersecurity preparedness, one of the key aspects of a strong digital infrastructure and a principal element of the ranking.

However, instead of prioritising cybersecurity as a strategic asset, companies still view investments in cybersecurity as a cost on the balance sheet.

The Singapore Board of Directors 2017 survey showed that while cybersecurity is a concern for nine out of 10 boards in Singapore, it is still not part of strategic discussions at the board level. SMEs in the country haven't been spared the risk either. The Cyber Security Agency of Singapore highlighted last year that a lack of knowledge and resources is preventing local SMEs from adopting robust cybersecurity measures.

These challenges and attitudes must be tackled immediately.

The costs of cyberattacks to businesses can run high, spread across financial loss, reputational damage and cost of remediation. Singapore businesses lost some S$43 million in 2017 to cyberattacks. Just recently, the threat from cybercriminals hit close to home as 1.5 million SingHealth patients had their personal particulars stolen.

Described by Cyber Security Agency chief executive David Koh as a "deliberate, targeted and well-planned cyberattack", this episode exemplifies the growing sophistication of cybercriminals and underlines how no organisation is safe from attackers.

If this continues, ineffective cybersecurity defences could be the single biggest threat facing Singapore's Smart Nation Vision. There needs to be a change in how cybersecurity is approached. Cyberthreats can no longer be kept at bay with a single solution. Instead, cybersecurity must be woven into the entire organisation.

Traditional cybersecurity not enough to combat evolving threat landscape

New threats and security vulnerabilities are discovered every day and security professionals are struggling to keep up. The 2016 Mirai Botnet attack that brought down large parts of the Internet caught the security industry off-guard due to the unprecedented use of IoT devices in the attack. Last year's high profile and widespread WannaCry and Petya ransomware attacks affected businesses globally, including many in Singapore.

Cybercriminals are getting better at launching sophisticated attacks that easily get past traditional security tools such as endpoint anti-virus systems and firewalls. The reality is: traditional cybersecurity is aimed at ensuring compliance and this is no longer enough as cybercriminals start exploiting any vulnerability they can find.

To counter this, businesses need to now think about being proactive and embedding security into everything they do, hence building a defence strategy that continuously identifies new threats and works to close the gaps.

Rethinking cybersecurity to drive business success

Focusing on three key organisational pillars - People, Process and Technology - can enable businesses to take a long-term view of cybersecurity.

First, it is vital for businesses to educate their people about cyber threats and manage employees' susceptibility to social engineering attacks and e-mail phishing. This is especially important in workplaces today as trends such as bring-your-own-device coupled with highly variable employee awareness of cybersecurity best practices can open the door for cyber criminals.

Adura's experience and phishing simulation work with clients in Singapore has shown that employees in finance and HR, two departments that handle sensitive employee and customer information, are most likely to click on suspicious phishing e-mails without a second thought to security.

Educating employees about cybersecurity requires tackling any existing misinformation and empowering employees with knowledge and best practices. Cybersecurity training should also be a continuous process - just as threats evolve, training should too.

Second, businesses should tailor and implement cybersecurity processes that are catered to their size, industry and business goals. A blanket approach cannot work as no two businesses are the same. For example, cybersecurity processes for a social media company would be focused on protecting consumer data and should look very different from processes at a bank that would be focused on preventing fraud.

Once processes have been put in place, the hard part begins. Companies must have the discipline - and this isn't just limited to IT but across all departments - to maintain and follow the processes established.

The final piece of the reimagined cybersecurity framework is technology. This is a digression from the traditional approach that tends to put technology first.

However, the right technologies can only be identified after a comprehensive security audit has been completed and processes have been reviewed, and a tailored cybersecurity programme has been established for the business.

Safe Nation, Smart Nation

The adoption of advanced technologies in an increasingly connected society is central to Singapore's Smart Nation goals. However, cybercriminals too are nimble, constantly improvising their techniques and looking for opportunities to capitalise on unprotected devices and networks.

Businesses play a pivotal role in Singapore's Smart Nation push and must become more proactive, taking a long-term and sophisticated view of cybersecurity. Adopting the People, Process, Technology framework can help organisations stay ahead of cybercrime, both protecting and bolstering their business growth and success.