
Singapore firms barely prepared for cyber attacks - what's holding them back?

05 Jul 2017

Despite its reputation as a hub for smart cities, Singapore's cybersecurity preparedness is only in the early stages, according to a new joint survey by Quann, a managed security service provider, and IDC.

91% of surveyed companies are in the early stages of security preparedness, and many of them have not put key security measures in place.

Boards and senior management may not be taking things seriously: 91% consult security leads, but only 16% take it to the Board.

The board doesn't appear to be taking security seriously either, according to IDC Asia/Pacific's IT Security vice president, Simon Piff.

“Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation.”

60% of companies have an incident response plan, and 30% of those actually practice it. Incident response plans are critical to protecting networks and data during attacks.

Quann's managing director, Foo Siang-tse, says the findings are worrying but not surprising.

"Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals, is critical in enabling them to detect threats early and mitigate their impact," he says.

Staff training is also weak; 33% of surveyed companies required all staff including CEOs to take part in security awareness training. 49% haven't conducted any form of training whatsoever.

According to the report, 75% do not have a dedicated IT budget and planning process. Most have a security lead, but they are also required to do other duties.

Companies are also skimping on 24/7 protection, with 32% having protection during work hours and 25% during the work week.

56% do not have a Security Operations Centre (SOC) in place. Foo believes there is a place for working with partners to build an effective SOC.

“Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on premise Security Operations Center that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing and incident response and forensics,” Foo explains.

The survey gained opinions from 150 senior IT professionals from medium-to-large companies in Singapore, Hong Kong and Malaysia.

The four security preparedness stages are below.

Stage 1 – Basic Defence: IT security is perceived as an ancillary function and investments are restricted to the bare minimum. Compliance and governance distract from the day-to-day running of the business. There is limited capability to defend from anything but the most basic form of attack. No crisis response planning has been put in place.

Stage 2 – Tactical Knowledge: There is a minimal strategy for IT security and key technological solutions put in place. Whilst IT security is something that the IT team considers as important, the rest of the business consider it an issue only for the IT department. Senior management is lacking in engagement and understanding of critical systems and data.

Stage 3 – Strategic Intent: IT security is understood to be a concern for both the business as well as IT, with a dedicated lead. There is a clear delineation of security roles, and a Governance, Risk and Compliance (GRC) framework in place. While outsourcing is a consideration, it is kept minimal, and most technology and architecture are done in-house.

Stage 4 – Advanced Execution: A CISO is designated in the organisation, with clearly defined reporting lines to CEO. There are internal and external applications of IT security policies, and a well-informed workforce that understands the issues. A clear response strategy is in place and fully documented.
