Skill shortage leaving S’pore firms vulnerable to cybersecurity threats

SINGAPORE — The Republic’s ability to fight a rising threat from hackers is hindered by a skill shortage and lack of awareness among companies, said cybersecurity firm FireEye, which runs a training centre in collaboration with the Infocomm Development Authority (IDA).

With online threats becoming more sophisticated in recent years, cybersecurity risks pose a challenge as the Government steps up efforts to link public facilities and infrastructure for real-time data in South-east Asia’s only developed nation.

“We do see a lack of capability and capacity in skilled professionals, and that’s partly due to massive demand across the world that stretches an already small, existing pool of people,” said Mr Bryce Boland, Asia-Pacific chief technology officer at United States-based FireEye, in an interview in Singapore last week.

Although companies increasingly recognise that the approach towards cybersecurity must be organisation-wide, said Mr Lyon Poh, head of IT Assurance and Security at KPMG in Singapore, “they lack people with the experience to set up a comprehensive cybersecurity defence system to promptly detect and respond to cyberthreats”.

FireEye’s Centre of Excellence was launched in January in collaboration with the IDA to train cybersecurity professionals and develop malware detection and prevention solutions. The number of such professionals in the Republic fell to 1,200 last year from 1,500 in 2012, Mr Boland said. That represents about 0.8 per cent of Singapore’s total information technology workforce, showed Bloomberg’s calculation, using data provided by the authority.

Delays in adopting cybersecurity capabilities could result in a loss of US$3 trillion (S$3.75 trillion) in economic value by 2020 globally, the World Economic Forum said in a report in January.

Singapore has suffered several high-profile online attacks on government websites and security breaches involving companies’ client data in recent months.

Earlier this month, the IDA said 1,560 SingPass accounts — which allow users to access services including personal income tax filings and Central Provident Fund statements — had probably been tampered with.

The infringement came about six months after Standard Chartered said wealthy clients’ confidential information was stolen in Singapore from a printing company.

And in November, it emerged that the data of about 4,000 individuals — including their names, email addresses, phone numbers and, in some cases, nationalities — that was stored on the Singapore Art Museum’s website had been exposed on an overseas website earlier that month.

That same month, the local authorities also investigated a breach of Prime Minister Lee Hsien Loong’s website, one day after he said he would track down a group that had announced plans to hack government online portals.

Yet, some companies remain resistant to the idea of improving cybersecurity measures. While online threats have become more sophisticated in recent years, many organisations lack awareness and urgency to deal with them, said Ms Stephanie Boo, FireEye’s regional director for South-east Asia.

“Many times, we try to explain to customers in terms of what is happening in the real world,” Ms Boo said. Customers sometimes say “this sounds really very much like a Hollywood movie plot”, she added.

Meanwhile, the business model of hackers has evolved, including the ability to buy and sell malware packages in black markets, which enables anyone to perform cyberespionage, she said. Malware is short for malicious software.

A good “zero-day attack” that exploits previously unknown vulnerabilities in a computer application can be bought for US$750,000 on the black market, Ms Boo said. Typical buyers include governments and companies that “use it for cyberespionage or basically to get information about their competitors”, she added.

While hackers sent e-mails containing malicious attachments in the past, they now research their victims as well as their networks and interests before launching a targeted attack, a method that is common in South-east Asia, Mr Boland said.

“They are able to obfuscate and dynamically modify attacks so that each attack instance looks unique and it can’t be detected with signature-based technologies any more,” he said.

With an increased awareness of the risk of attacks, the industry expects greater demand for cybersecurity in the Republic. FireEye forecasts global revenue will grow as much as 157 per cent this year, Mr Boland said.

Enterprises in Asia are expected to spend about US$230 billion this year to deal with issues caused by malware deliberately loaded onto pirated software, said a study conducted by research firm IDC and the National University of Singapore. Of that, US$59 billion will be to deal with security issues and US$170 billion for data breaches.

FireEye was funded in part by the US intelligence community. In-Q-Tel, a venture-capital firm started by the Central Intelligence Agency to back companies with emerging national-security technology, invested in the firm in 2009.

A survey by human resource firm Robert Half International this month showed that 60 per cent of financial services firms in Singapore are anticipating increased spending on cybersecurity, compared with 44 per cent in Hong Kong.

Forty-two per cent of financial services firms here that employ more than 1,000 employees plan to hire permanent employees to manage cybersecurity, the survey of 150 financial leaders showed. Salaries of IT security experts are expected to rise 10 per cent this year compared with last year, it said.

“Every information professional should be an information security professional as well,” Mr Boland said.

“They should be thinking ‘how do I ensure that what I’m building doesn’t create a hazard for the customers and business I built it for’.” BLOOMBERG