Despite its reputation as a hub for smart cities, Singapore's cybersecurity preparedness is only in the early stages, according to a new joint survey by Quann, a managed security service provider, and IDC.
91% of surveyed companies are in the early stages of security preparedness, and many of them have not put key security measures in place.
Boards and senior management may not be taking things seriously: 91% consult security leads, but only 16% take it to the Board.
The board doesn't appear to be taking security seriously either, according to IDC Asia/Pacific's IT Security vice president, Simon Piff.
“Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation.”
60% of companies have an incident response plan, and 30% of those actually practice them. Incident response plans are critical to protecting networks and data during attacks.
Quann's managing director Foo Siang-tse, says the findings are worrying but not surprising.
"Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals are critical in enabling them to detect threats early and mitigate their impact," he says.
Staff training is also weak; 33% of surveyed companies required all staff including CEOs to take part in security awareness training. 49% haven't conducted any form of training whatsoever.
According to the report, 75% do not have a dedicated IT budget and planning process. Most have a security lead, but they are also required to do other duties.
Companies are also skimping on 24/7 protection, with 32% having protection during work hours and 25% during the work week.
56% do not have a Security Operations Centre (SOC) in place. Foo believes there is a place for working with partners to build an effective SOC.
“Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on premise Security Operations Center that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing and incident response and forensics,” Foo explains.
The survey gained opinions from 150 senior IT professionals from medium-to-large companies in Singapore, Hong Kong and Malaysia.
The four security preparedness stages are below.
Stage 1 – Basic Defence
IT security is perceived as an ancillary function and investments are restricted to the bare minimum. Compliance and governance distract from the day-to-day running of the business. There is limited capability to defend from anything but the most basic form of attack. No crisis response planning has been put in place.
Stage 2 – Tactical Knowledge
There is a minimal strategy for IT security and key technological solutions put in place. Whilst IT security is something that the IT team considers as important, the rest of the business consider it an issue only for the IT department. Senior management is lacking in engagement and understanding of critical systems and data.
Stage 3 – Strategic Intent
IT security is understood to be a concern for both the business as well as IT, with a dedicated lead. There is a clear delineation of security roles, and a Governance, Risk and Compliance (GRC) framework in place. While outsourcing is a consideration, it is kept minimal, and most technology and architecture are done in-house.
Stage 4 – Advanced Execution
A CISO is designated in the organisation, with clearly defined reporting lines to CEO. There are internal and external applications of IT security policies, and a well-informed workforce that understands the issues. A clear response strategy is in place and fully documented.