The digital economy brings with it two consequences: it allows market players to go beyond their traditional borders via digital technology. It also allows cybercriminals from outside your borders to enter your market.
And no matter how good your security strategy is, your business is only as strong as your weakest link. To be clear, the weakest link may not necessarily be your employees anymore. It can be your partner or supplier. It can also be your customer.
Take the case of Singapore, according to Wai Kit Cheah, senior director for product management and practices at Lumen Technologies, the city-nation has a highly advanced IT infrastructure and is considered one of the most digitally ready countries in the region. It has near-universal broadband and mobile penetration.
“However, its advanced digital economy also presents cybersecurity risks. Singapore experiences thousands of cyberattacks annually, with threats coming from both nation-state actors and cybercriminal groups,” he continued.
State of IT risk in Singapore
Case in point, Kroll’s Cyber Threat Landscape report (2022) says Singapore businesses fare better when it comes to falling prey to cyberattacks – 46% versus 59% for all of Asia Pacific (APAC). But like the rest of the region, Singapore enterprises share the same concerns as their peers in other markets: data loss (55%) and business interruption (52%). Data loss and business interruption were also the most reported impacts of cyberattacks by 43% of those surveyed.
Aware of the risks that come with connectivity, the Singapore government has implemented various policies and initiatives to strengthen cybersecurity, These include the Cybersecurity Act which establishes a legal framework for monitoring and responding to cyber threats.
During the recent Singapore International Cyber Week (SICW), the Cyber Security Agency of Singapore (CSA) announced efforts that include facilitating cyber threat intelligence sharing, joint operations with private sector organisations to combat cybercrime and malicious cyberactivity, exchanges on emerging and critical technologies, such as artificial intelligence, as well as capacity-building efforts.
Compared to its ASEAN peers, Singapore generally has a more robust cybersecurity posture. Countries like Indonesia, Thailand and the Philippines face more cyberattacks and have less developed defences. Malaysia and Vietnam are actively trying to improve their cybersecurity capabilities, with Vietnam in particular seeking to model its policies after Singapore's. But Singapore remains the regional leader.
That said, Singapore is part of ASEAN and cyber threats do not respect borders. An attack on a neighbour could potentially spread and affect Singapore too. So continued regional cooperation is essential.
Impact to enterprises
Cheah opines that most Singapore executives recognise cybersecurity as a top business risk. “Singapore enterprises have matured and there is greater executive and board-level attention on cyber risks today than compared to several years ago,” he opines.
GlobalData estimates that Singapore enterprises will increase their security spending at a 9.8% compound annual growth rate (CAGR) between 2020 and 2025.
Financial services firms, a major industry in Singapore, are especially targeted. They are working closely with regulators like MAS on risk management. More financial services firms are adopting advanced security architectures like zero-trust networks to protect access.
Supply chain security is becoming more important. Companies are auditing vendors and building security into procurement processes.
With skilled cybersecurity manpower scarcity, companies are leveraging managed security services and exploring risk transfer options like cyber insurance.
Persistent vulnerabilities
Cheah concedes that enterprises face an evolving threat landscape. New threats are emerging constantly, making it very challenging to stay ahead of the curve. He cites two factors: New zero-day exploits, malware strains, and sophisticated phishing campaigns put supply chains at risk. “There is also an acute shortage of cybersecurity skills, meaning organisations may lack the expertise to properly monitor, secure and update complex tech environments,” he added.
The other problem, according to Cheah, is the insistence of many organisations to rely on legacy technology environments which may have inherent weaknesses. He opines that these take considerable effort to change or re-factor, making them extremely complex and hard to secure fully. There are also many more devices, higher adoption of Cloud services, and continued hybrid or remote work creating a very expansive attack surface. “The wider the attack surface, the more vulnerable organisations are to risks,” he continued.
Finally, people are still the weakest link. Despite continuous awareness training, employees remain vulnerable to social engineering and make mistakes that could potentially expose their organisations' systems and data to unauthorised access.
“Internal threats, whether through a human error or mistakes, or an intentional act by a disgruntled employee, are hard to detect because these are unpredictable. We can only detect them through behavioural-based monitoring,” he added.
“The combination of insufficient resources, evolving threat landscape, complex tech, outdated systems, and inevitable human error makes it extremely difficult to be always 100% secure. The most they can do is try to be as close as possible to 100%. Vigilance and adaptation are key.”
Wai Kit Cheah
Top challenges to controlling risks
Organisations in the region experienced 47% more cyber-attacks per week in the first quarter of 2023 compared to the global average. Collating research and reports on cybersecurity in ASEAN, Cheah lists the top 3 challenges organisations in the region in trying to improve their risk management as follows:
1. Shortage of cybersecurity talent/skills
There is a severe lack of knowledgeable and experienced cybersecurity professionals in ASEAN. Educational pathways are limited, and demand exceeds supply. This skills shortage makes it hard to staff key positions.
2. Limited security budgets and resources
Many ASEAN organisations, especially SMEs, are still struggling with constrained security budgets. Unfortunately, cybersecurity technical and operational controls are many and cut across a wide domain, from networks to systems to applications, to endpoints and Cloud. Most organisations lack the funds to acquire and implement modern security solutions, tools, and infrastructure.
3. Low cybersecurity awareness
Across the public and private sectors, there remain gaps in understanding of cyber risks. Executives and employees lack training to identify threats and follow best practices. This leads to greater vulnerability.
Accountability
“In my opinion, there is a shared accountability between vendors and their customers, namely enterprises,” acknowledged Cheah. “Vendors could reasonably improve development practices, follow best practices in secure software development, testing and rapid patching when issues are uncovered.”
He argues that vendors should also provide full transparency when vulnerabilities are discovered and work urgently with customers on fixes and mitigations. “Negligence and lack of responsiveness increase accountability. However, we have to be practical - eliminating vulnerabilities in complex software is likely impossible,” he pointed out.
Cheah opines those customers, on the other hand, must also implement strong defences, enforce secure configurations, patching rigour, and enforce policies and risk management programs to counter an inherently uncertain threat landscape. Over-reliance on vendors reduces their accountability.
“Cybercriminals and threats are often the root cause of enterprise breaches when they exploit vulnerabilities. Vulnerabilities alone do not produce risks. It is only in the presence of threats that risks happen. Hence, the criminals bear ultimate responsibility.” Wai Kit Cheah
Cheah believes that customers or enterprises must have controls to deter or prevent vulnerabilities from being exploited. Accountability here is debatable as it boils down to the level of culpability and which party shows a lack of negligence.
Looking into 2024
Cheah lists his emerging cybersecurity trends in 2024:
- Shift towards cyber resilience – Rather than solely relying on prevention, there will be a greater focus on recovery. This means implementing comprehensive incident response plans, system redundancy, data backups, and business continuity management. The threat landscape is too complex for prevention alone. Resilience will minimise business impact.
- Adoption of zero trust architecture – Zero trust principles of least privilege access, micro-segmentation, and strict identity verification will become more mainstream. This improves the security of complex environments.
- Convergence of IT/OT security – Operational technology (OT) and information technology (IT) systems will be better integrated and secured together as mixed environments prevail.
- Growth of managed detection/response – Due to skills gaps, organisations will increasingly leverage managed security services for threat monitoring, analysis, and response. This is to augment their limited in-house capabilities and get 24/7 specialised monitoring.
- Adoption of passwordless authentication – The weaknesses of passwords are too great to ignore. Biometrics, FIDO tokens and other standards will increasingly be displacing passwords for identity management and access control. This will reduce risks and friction for our users when accessing critical data and systems.
- Expanded use of AI and automation – Applying AI and machine learning to tasks like threat detection, vulnerability management and alert triaging will mature.
- Regulations driving action – New regulations like CCPA 2.0 and greater enforcement will force companies to re-evaluate security controls and processes. Controls must be audited and updated to adhere to new mandates, with resources allocated to address any gaps identified. Compliance must remain a key driver of our security roadmap.
- Third-party/supply chain risk focus – Enterprises will likely emphasise a more risk-based approach with supplier selection. They will institute more rigorous assessments of supplier and partner security practices. Security criteria will be embedded into vendor selection and contract processes.
