The Big Read in Short: Singapore’s weakest link in cyber security

Each week, TODAY’s long-running Big Read series delves into trends and issues that matter. This week, we look at how complacency among employees could derail the efforts of organisations to beef up their cyber defences. This is a shortened version of the full feature, which can be found here.

SINGAPORE — In most offices across the island, it is a common sight to see employees not taking fire drills as seriously as they should, with some even lamenting that these are a waste of time as they take their time to leave their desks and go to the assembly areas.

This, despite the fact that fires are a very real threat and could have disastrous consequences in high-rise office buildings.

The same could be said for cyber security and all the training and policies that companies try to put in place, said Mr Erman Tan, president of the Singapore Human Resources Institute (SHRI), who used the analogy to explain the challenges that firms face in getting their staff to take cyber security seriously.

“People will think: ‘Why do we have fire drills when we never encounter fires?’ It's the same for cyber security. People will always feel it will never happen to them, or it will never happen to their company.”

Screenshot of a video purportedly posted online by international hacker group Anonymous. Photo: Internet screengrab

While Singapore has some of the best infrastructure, technologies and legislation in place to deal with cyber threats, it is no coincidence that the human factor — long seen as the weakest link in the chain, or the first line of defence — has contributed to some of the recent data breaches which made headlines here.

Recognising the need for individuals to play their part in response to the growing cyber threats, a new “digital defence” pillar was added to Singapore’s Total Defence framework on Feb 15.

As Singapore shores up its cyber defences, all the best hardware and software that money can buy will not be able to fend off cyber attacks if the “peopleware” is lacking, experts pointed out.

Digital forensics specialist Ali Fazeli said: “The public and private sectors are heavily invested in the staff handling cyber security, information technology (IT), and technical matters by updating their knowledge. However, it's the normal users who are the weakest link.”

A ‘LAISSEZ-FAIRE ATTITUDE’

It is natural for most people, especially those with no prior knowledge or experience of cyber-security matters, to be nonchalant, noted Mr Tin Aung Win, vice-president of the Singapore Computer Society infocomm security chapter.

Driving a mindset change is difficult as the results are not tangible, said Mr Tan.

He said: "Cyber-security changes are generally preventive measures so you don't see the results, and it may cause complacency."

Cyber-security solutions and IT talent are also expensive, which means that companies, especially small and medium-sized enterprises, may put cyber-security plans on the backburner, said Mr Tan.

LEGISLATION NOT THE PANACEA

As the public and private sectors amass vast troves of personal information for Internet of Things devices, artificial intelligence, and analytics, the Government has introduced legislation governing cyber security, privacy and the misuse of such data, such as the Personal Data Protection Act (PDPA), the Cybersecurity Act, and the Computer Misuse Act.

Experts and lawyers agreed that while Singapore is leading in cyber-security laws, legislation is not the panacea for cyber crimes.

Nevertheless, building on the PDPA, laws should be fine-tuned to allow both public and private bodies to collect sensitive personal data only when absolutely necessary and retain it for the shortest period of time, said Mr Koh Chia Ling, managing director of law practice Osborne Clarke.

WHAT INDIVIDUALS, COMPANIES CAN DO

Starting young, students are taught various aspects of cyber security as part of the Ministry of Education’s (MOE) cyber-wellness education in schools.

MOE also works with parents and relevant agencies to monitor and review its cyber-wellness syllabus regularly as the cyber-security landscape evolves, said Madam Choy Wai Yin, Director of Guidance Branch, Student Development Curriculum Division at the ministry.

People queueing to get their SingPass pins, which will allow them access to more than 100 government e-services involving sensitive data, including the filing of taxes. TODAY file photo

At the workplace, regular training sessions are also standard practice at companies such as Rackspace, Qlik, Carousell, PayPal, and Xero.

For example, Xero employees, including the non-technical staff, are required to complete security modules on password security and phishing scams regularly.

The company also conducts internal checks and external audits as part of the information security management system ISO 27001 certification.

To ensure the effectiveness of such training and briefings, Dr Wong suggested that companies conduct periodic internal campaigns where internal “hackers” try to test their employees’ cyber security awareness.

An “assumed breached” mentality is also crucial, said Mr Andrew Mahony, regional director for commercial risk solutions at Aon's financial services and professions group.

While it may sound defeatist to recognise that breaches are inevitable, rapid detection and containment can prevent damage and reduce the impact on businesses, said Mr Eric Hoh, Asia-Pacific president of cyber-security company FireEye.

Companies such as PayPal and Carousell currently adopt artificial intelligence and analytics to combat fraud at scale.

“PayPal is moving away from detective and reactive measures to be more predictive and preventive, allowing us to detect and correlate anything suspicious, and then stop it before it even becomes an attack,” said Mr Phoram Mehta, head of information security at PayPal Asia Pacific.

For SMEs, migrating their infrastructure to a major cloud-based service provider will allow them to tap the latter’s cyber defences, said Mr Lucas Ngoo, Carousell's co-founder and chief technology officer.

The Government also has the SMEs Go Digital programme offering advice and subsidies for pre-approved cyber-security solutions.

MINIMISING DATA COLLECTION: ‘CAN’T LOSE WHAT YOU DON’T HAVE’

Web security expert Troy Hunt, who created the “Have I been pwned?” data breach search website, told TODAY that companies should also consider segregating duties to prevent employees from having carte blanche to access data.

“When collecting data, do you really need the person’s name, their identity card numbers or their addresses?” Mr Hunt said.

Echoing what Mr Koh said about minimising data collection, Mr Hunt added: “This speaks to the very important principle of ‘you cannot lose what you do not have’. We just need to figure out what is the right amount (of data) to justify the benefits (of efficiency and convenience).”
