Singapore’s New Cybersecurity Landscape Demands a New Approach
Singapore, January 19, 2017
Cyber-attacks are reaching unprecedented levels of impact and scale. Ransomware attacks, spear phishing and the number of detected zero-days are all sharply on the rise, alongside frequent mega-hacks exposing record-breaking quantities of private data.
This will come as no surprise to IT security professionals, but what remains unknown is how to counter these unwavering trends. Certainly, there are ever more sophisticated cybersecurity solutions available, but the range of threats and incidents continues to climb. This begs the question: is there something missing from most organisations' approach to cybersecurity?
To answer this question, Mr Freddy Tan, Director of Business Development from NCS' Enterprise Security Division, shares why these trends exist and how organisations in Singapore can change their approach to enhance their cybersecurity.
Tan explains that whilst incidents like the Yahoo hack, the Ukraine power outage and the attack by Anonymous against the Singapore Government are all significant individual attacks, there is a lot going on that organisations are not aware of. Whilst the number of cybersecurity attacks is widely suspected to be vastly under-reported, an even more telling statistic is that, according to research by NCS, 51 percent of breaches are not actually detected by the victims themselves. "Attacks are usually reported by a 3rd party, like law enforcement or a merchant bank," says Tan. "On average it takes more than 100 days for such breaches to be discovered." This means that whilst some attacks are detected sooner, others can remain undetected for months and some even years. During this time, hackers can raise their privileges, plan their attacks, cover their tracks and create backdoors, all of which makes it harder to detect their activity and increases the potential impact of their attack.
As a result, a new mind-set is needed, says Tan: "It's no longer a matter of if you will be breached, it's a matter of when you will be breached. Then the question I have is that when you are breached, how soon can you discover that you have been breached?" This key question ought to be the first step towards identifying a range of security shortcomings related to detection time, resilience and response. However, according to Tan, many organisations have not yet adopted this mind-set. This has negative knock-on effects on the importance cybersecurity is given within an organisation, the types of cybersecurity precautions which are implemented and overall spending.
For example, by placing too much confidence in perimeter defences like firewalls, important precautions like encrypting private or sensitive data risk being viewed as unnecessary. "Although the tools are cheap and readily available, people have this mistaken notion that when you encrypt information, you can lose it, like if somebody forgets a password or leaves the organisation. But there are many ways in which encryption keys can be safeguarded and recovered, especially in a large enterprise, yet many organisations remain fearful of implementing encryption."
Then there is the issue of costs and resourcing, both of which are key challenges for CIOs and IT security decision makers. "It has been proven that when security is an after-thought, the costs of security increase," explains Tan. "Alternatively, if security is part of the design, deployment and development stages, the costs are substantially less." Whilst this sounds positive, the problem is that even if IT security decision makers are already aware of this, making this change requires buy-in from other senior business leaders, who are unlikely to be aware of the importance of this new approach.
It is worth noting that whilst cybersecurity regulations are gradually being introduced, the current level of cybersecurity risk demands that organisations rethink their approach to cybersecurity now rather than later. So to help drive change and encourage a new approach to cybersecurity, in April 2016, Singtel launched the Cyber Security Institute (CSI). This educational institute runs a wide variety of skills development and education programmes tailored to the varying needs of company boards, C-suite management, technology and operational staff. For example, when working with board level executives, the programme helps them understand security threats, helps them ask the right questions and crucially offer the right support to their IT security department.
Above: Dr Yaacob Ibrahim, Minister for Communications and Information, inspects the Singtel-launched Cyber Security Institute.
One example of best practice can be seen in the Singapore government, which has already taken steps to ring-fence a percentage of its IT budget for cybersecurity, an approach that South Korea and Israel both follow as well and one that Tan commends. "This is important because when you are putting together a project, even at the planning stage, having the budget ring-fenced sends a clear message that security has to be considered. This means that people have to get involved early on and the IT architecture must be planned with security in mind."
The CSI also runs a programme for management, which teaches not just IT security, but also the necessary steps to take when an incident happens, such as when to make a police report, when to start speaking to the media and what information to share. "This is crucial because these things can affect not only your brand reputation, it can also affect your share value," explains Tan. "TalkTalk, a telco in the UK, is one example. They had a breach and initially, their assumption was that it was something major. Fortunately, this was not the case, but the news was already out and the damage was done. As a result, they lost customers who no longer had confidence in the way TalkTalk secured their information."
What then for the future of cybersecurity? With a greater focus on cybersecurity from the outset of a new project, is the future secure? "We see hundreds of cybersecurity companies and start-ups coming out with new solutions," says Tan. "Unfortunately it's not going to make cybersecurity simpler, it's going to make it more complex." This is a problem that organisations are already wrestling with and by the sounds of it, one that is unlikely to go away. In response, Tan suggests outsourcing certain aspects of IT security to a trusted third party. "Organisations need people who are adequately trained and up-to-date with the latest attacks, techniques and tools. Unfortunately, bringing that in-house is not something every organisation can do because it's very expensive. What I see is that companies will start looking for specialised security solution providers to complement their existing security team and provide that additional protection, as well as remove the complexity from the solutions perspective, so that their employees can focus more on compliance, ISO, audit requirements and so on."
Tackling the new cybersecurity landscape requires a new approach: preparing your organisation as though being breached is an inevitability, incorporating cybersecurity from the outset of project planning, raising awareness throughout your organisation and outsourcing certain aspects of cybersecurity. Assistance to help adopt this new approach is available and the need to make this change has never been greater. The only question is whether you will be the one to drive this change and fundamentally enhance your organisation's cybersecurity.
This article was written by Richard Pain, CIO Asia and appeared first on www.cio-asia.com.