Singapore cyber security bill amendment: Securing your supply chain
To keep up with evolving technology and business models, the Singapore Government recently announced an amendment to the Cyber Security Bill, first established in 2018. When it was first developed, the Bill addressed the security of critical information infrastructure (CII), which at the time typically consisted of physical systems held on premises and entirely owned or controlled by the CII owner. The advent of cloud services has challenged this model. Under the amended Cybersecurity Act, CII operators in Singapore will need to declare any cyber security outage or attack experienced on their premises, and in addition they will now need to declare any cyber security attack that has taken place along their supply chain.
This affects a large proportion of organisations in Singapore, as CII operators include those in the energy, water, banking and finance, healthcare, transport (land, maritime and aviation), infocomm, media, security, emergency services, and government sectors.
Cloud technology and information sharing platforms are not going anywhere - with the advent of productivity applications like Office 365, Zoom, WhatsApp, and others, organisations have gained immeasurable efficiencies with these technologies.
In response to the security risks associated with shared applications, many Singaporean organisations have banned or blocked the use of these applications in a bid to remove risk. But security breaches are still taking place, with Cradlepoint's annual State of Connectivity Survey 2024 finding that more than two-thirds of organisations in Singapore were subject to a network security attack in the past 12 months. Nearly one-quarter of those were a major security breach that resulted in loss of data, and more than 14% resulted in significant company fines. The most common network security attack was phishing (40%), followed by data breach, insider threat, zero-day (36%), ransomware (35%), denial-of-service attack, and hacked IoT device (31%).
It is evident that organisations are struggling to balance the benefits of increased efficiency, reduced people-power, and lower capital costs associated with broad application-enabled remote access against the significant security risks that come with it. Furthermore, "appification" has resulted in customers, contractors, and partners (the whole supply chain) accessing applications from devices that are unmanaged and therefore risky, not to mention employees using their own devices to access sensitive data. Security measures and controls need to adapt for organisations, their networks, and their data to stay safe.
The risks of unmanaged devices for organisations include:
- Malware: Infection with malware, which can spread to corporate applications and networks when the device is connected.
- Credential Theft: Without security controls and governance, unmanaged devices are easy, vulnerable targets for hackers phishing to steal user credentials for corporate applications.
- Data Loss: Once a device is logged into an application, a hacker using a compromised user account can bypass in-app controls to exfiltrate sensitive data using a variety of techniques, such as leveraging browser clipboard functions.
- Broad Attack Surface: Traditional VPNs and reverse proxies authenticate users but once connected, permit full network access. Users and malware can move laterally through networks, attacking all business assets, in violation of the Zero Trust principle of least privilege access.
- Inappropriate Data Access: A data breach can result if an unmanaged device with access to corporate data is stolen or lost.
While organisations in Singapore need to ensure they address the requirements in the Cyber Security Bill amendment, the best safeguard is to protect shared systems across organisational supply chains. Companies should consider Web Application Isolation, which enables employees to access public cloud applications and private or web-based corporate applications while providing secure access from unmanaged devices of third parties and employee BYODs.
Air-gapping applications and data from malware or security threats on a device means users on any managed or unmanaged device can still access applications. Easy-to-set granular policy controls can restrict access and data usage on a least-privilege basis and enforce per-user browser controls to prevent data loss. This means that, for instance, if you have an employee working from a BYOD, they may be permitted to edit a file within O365 but not to download it onto their unmanaged device. In contrast, a contractor may be limited solely to viewing data within an app.
Policies can also be used to control which content, if any, can be uploaded to organisational networks or web or cloud apps, and by whom. Tools like content disarm and reconstruction (CDR) allow documents to be uploaded, inspected, and sanitised to ensure that they are free of malware and pose no threat.
Other tools, such as data filtering and data loss protection (DLP), safeguard against the exposure of confidential information and PII. Built-in Identity and Access Management enables quick user onboarding and makes it simple to revoke access privileges when users no longer need them.
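The per-user, per-device policy described above (an employee on a BYOD may edit a file but not download it; a contractor may only view; uploads are allowed only for certain people and only after sanitisation) can be expressed as a small deny-by-default decision table. The following is an added illustration written for this article; it is not Cradlepoint's code or configuration format, and the role names, action names and the `sanitise` hook are assumptions chosen for the example.

```python
"""Deny-by-default access policy for an isolated web-application session.

Constructed example for illustration; not a vendor product or config format.
Each rule names a role, the device posture it applies to (managed, unmanaged,
or None for either), and the set of actions the isolated session may offer.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, FrozenSet, List, Optional


class Action(Enum):
    VIEW = "view"
    EDIT = "edit"
    DOWNLOAD = "download"      # moves data onto the endpoint
    UPLOAD = "upload"          # moves data into the app
    COPY = "clipboard_copy"    # browser clipboard, a common exfil path


@dataclass(frozen=True)
class Subject:
    user: str
    role: str              # assumed role names: employee, contractor, partner
    device_managed: bool


@dataclass(frozen=True)
class Rule:
    role: str
    device_managed: Optional[bool]   # True, False, or None for "any device"
    allowed: FrozenSet[Action]


# First matching rule wins; anything unmatched is denied.
POLICY: List[Rule] = [
    # Employee on a managed corporate device: full access.
    Rule("employee", True, frozenset(Action)),
    # Employee on BYOD: work inside the isolated session, nothing leaves it.
    Rule("employee", False, frozenset({Action.VIEW, Action.EDIT, Action.UPLOAD})),
    # Contractor from any device: read-only.
    Rule("contractor", None, frozenset({Action.VIEW})),
]


def decide(subject: Subject, action: Action) -> bool:
    """Return True only if a rule explicitly permits this action."""
    for rule in POLICY:
        if rule.role != subject.role:
            continue
        if rule.device_managed is not None and rule.device_managed != subject.device_managed:
            continue
        return action in rule.allowed
    return False  # deny by default: unknown roles get nothing


def permitted_actions(subject: Subject) -> FrozenSet[Action]:
    """The set of actions the session UI should expose for this subject."""
    return frozenset(a for a in Action if decide(subject, a))


def upload_allowed(subject: Subject, document: bytes,
                   sanitise: Callable[[bytes], Optional[bytes]]) -> Optional[bytes]:
    """Gate an upload on both policy and CDR-style sanitisation.

    `sanitise` is an assumed hook standing in for a CDR engine: it returns the
    rebuilt document, or None if the file could not be made safe. The caller
    only ever receives the sanitised copy, never the original bytes.
    """
    if not decide(subject, Action.UPLOAD):
        return None
    return sanitise(document)


if __name__ == "__main__":
    byod_employee = Subject("alice", "employee", device_managed=False)
    contractor = Subject("bob", "contractor", device_managed=False)
    print(sorted(a.value for a in permitted_actions(byod_employee)))
    print(sorted(a.value for a in permitted_actions(contractor)))
```

The ordering of `POLICY` matters: the managed-device rule for employees is listed before the BYOD rule so that a managed device never falls through to the more restrictive entry, and a role with no rule at all (for example a typo in a directory group name) is denied rather than silently granted access.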
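To show what the "data filtering" half of that sentence does in practice, here is an added example (written for this article, not Cradlepoint code) of a small DLP scanner: it finds Singapore NRIC/FIN numbers, validating the checksum so that arbitrary nine-character strings are not flagged, plus email addresses, and returns a redacted copy of the text together with the findings. The NRIC check-digit algorithm for the S, T, F and G series is public; the newer M series uses a different table and is deliberately left unsupported here.

```python
"""Small DLP-style scanner for Singapore NRIC/FIN numbers and email addresses.

Constructed example for illustration. The redaction tokens and the Finding
structure are assumptions; the NRIC checksum tables are the public ones for
the S/T (citizen/PR) and F/G (foreigner) series. M-series FINs are not handled.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Checksum: weight the seven digits, add 4 for T/G prefixes, take mod 11,
# then look the remainder up in the table for the series.
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
ST_TABLE = "JZIHGFEDCBA"
FG_TABLE = "XWUTRQPNMLK"


def nric_checksum_ok(prefix: str, digits: str, check: str) -> bool:
    """True if the check letter matches the digits for the given series."""
    total = sum(int(d) * w for d, w in zip(digits, WEIGHTS))
    if prefix in "TG":
        total += 4
    table = ST_TABLE if prefix in "ST" else FG_TABLE
    return table[total % 11] == check


@dataclass(frozen=True)
class Finding:
    kind: str      # "nric" or "email"
    value: str
    start: int
    end: int


def scan(text: str) -> List[Finding]:
    """Return every validated NRIC/FIN and every email address in the text."""
    findings: List[Finding] = []
    for m in NRIC_RE.finditer(text):
        prefix, digits, check = m.groups()
        if nric_checksum_ok(prefix, digits, check):
            findings.append(Finding("nric", m.group(0), m.start(), m.end()))
    for m in EMAIL_RE.finditer(text):
        findings.append(Finding("email", m.group(0), m.start(), m.end()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> Tuple[str, List[Finding]]:
    """Replace each finding with a token; returns (redacted_text, findings)."""
    findings = scan(text)
    out, pos = [], 0
    for f in findings:
        out.append(text[pos:f.start])
        out.append("[NRIC]" if f.kind == "nric" else "[EMAIL]")
        pos = f.end
    out.append(text[pos:])
    return "".join(out), findings


if __name__ == "__main__":
    # Constructed sample: one valid NRIC, one with a wrong check letter, one email.
    sample = "Patient S1234567D (not S1234567A) can be reached at a.tan@example.com"
    cleaned, found = redact(sample)
    print(cleaned)
    for f in found:
        print(f.kind, f.value)
```

A scanner like this sits on the upload or clipboard path of the isolated session: text that still contains findings after policy review is blocked or redacted before it leaves the application boundary. The checksum step is what keeps the false-positive rate low enough for the control to be enforced rather than merely logged.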
Cradlepoint cybersecurity solutions allow organisations to adapt to these new requirements simply and securely. Schedule a demonstration with Cradlepoint to see how. Contact Christopher Joseph on LinkedIn.