Story image

Singapore firms barely prepared for cyber attacks - what's holding them back?

05 Jul 2017

Despite its reputation as a hub for smart cities, Singapore's cybersecurity preparedness is only in the early stages, according to a new joint survey by Quann, a managed security service provider, and IDC.

91% of surveyed companies are in the early stages of security preparedness, and many of them have not put key security measures in place.

Boards and senior management may not be taking things seriously: 91% consult security leads, but only 16% take it to the Board.

The board doesn't appear to be taking security seriously either, according to IDC Asia/Pacific's IT Security vice president, Simon Piff.

“Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation.”

60% of companies have an incident response plan, and 30% of those actually practice them. Incident response plans are critical to protecting networks and data during attacks.

Quann's managing director Foo Siang-tse, says the findings are worrying but not surprising.

"Many companies are simply not investing enough in IT security, despite the obvious threats.  The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals are critical in enabling them to detect threats early and mitigate their impact," he says.

Staff training is also weak; 33% of surveyed companies required all staff including CEOs to take part in security awareness training. 49% haven't conducted any form of training whatsoever.

According to the report, 75% do not have a dedicated IT budget and planning process. Most have a security lead, but they are also required to do other duties.

Companies are also skimping on 24/7 protection, with 32% having protection during work hours and 25% during the work week.

56% do not have a Security Operations Centre (SOC) in place. Foo believes there is a place for working with partners to build an effective SOC.

“Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on premise Security Operations Center that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing and incident response and forensics,” Foo explains.

The survey gained opinions from 150 senior IT professionals from medium-to-large companies in Singapore, Hong Kong and Malaysia.

The four security preparedness stages are below.

Stage 1 – Basic Defence IT security is perceived as an ancillary function and investments are restricted to the bare minimum. Compliance and governance distract from the day-to-day running of the business. There is limited capability to defend from anything but the most basic form of attack. No crisis response planning has been put in place.

Stage 2 – Tactical Knowledge There is a minimal strategy for IT security and key technological solutions put in place. Whilst IT security is something that the IT team considers as important, the rest of the business consider it an issue only for the IT department. Senior management is lacking in engagement and understanding of critical systems and data.

Stage 3 – Strategic Intent IT security is understood to be a concern for both the business as well as IT, with a dedicated lead. There is a clear delineation of security roles, and a Governance, Risk and Compliance (GRC) framework in place. While outsourcing is a consideration, it is kept minimal, and most technology and architecture are done in-house.

Stage 4 – Advanced Execution A CISO is designated in the organisation, with clearly defined reporting lines to CEO. There are internal and external applications of IT security policies, and a well-informed workforce that understands the issues. A clear response strategy is in place and fully documented.

Forget endpoints—it’s time to secure people instead
Security used to be much simpler: employees would log in to their PC at the beginning of the working day and log off at the end. That PC wasn’t going anywhere, as it was way too heavy to lug around.
DimData: Fear finally setting in amongst vulnerable orgs
New data ranking the ‘cybermaturity’ of organisations reveals the most commonly targeted sectors are also the most prepared to deal with the ever-evolving threat landscape.
IXUP goes "post-quantum" with security tech upgrade
The secure analytics company has also partnered with Deloitte as a reseller, and launched a SaaS offering on Microsoft Azure.
ExtraHop’s new partner program for enterprise security
New accreditations and partner portal enable channel partners to fast-track their expertise and build their security businesses.
Hackers increasingly ‘island hopping’ – so what does it mean?
Carbon Black's Rick McElroy discusses this new trend and what it means for the new age of cybercrime.
Trust without visibility is blind – Avi Networks
Enterprises are wanting to gain the trust of their customers, but are often found blindly defending themselves.
How to avoid becoming a cryptojacking victim - Bitglass
Large-scale cryptojacking is a lucrative business due to the popularity and value of cryptocurrencies like Bitcoin and Ethereum.
Symantec, Ixia combine efforts to secure hybrid networks
Ixia’s CloudLens and Symantec Security Analytics now feature complete integration, which allows Symantec customers to gain real-time visibility into their hybrid cloud environments.