Continued Cyber Security Preparedness a Critical Success Factor to Singapore’s Digital Hub Status
The formation of the Ministerial Committee for Digital Transformation in June 2020, amid the COVID-19 pandemic, is a clear signal from the government of the focus on, and importance of, digitalisation to Singapore's future.
This digitalisation drive can enhance Singapore’s position as a digital hub. In tandem with being a digital hub, we must keep cybersecurity preparedness top of mind to ensure that companies can continue to place their trust in Singapore’s companies and institutions.
SGTech’s Cyber Security Chapter recommends a two-pronged approach to maintain Singapore’s cybersecurity preparedness.
One - focus on the immediate - we must make it easy for companies to know and adopt the type and level of cyber protection that is appropriate for their business.
Two - build for the future - build the talent pipeline for the cybersecurity industry by inspiring the youth and mid-career job-seekers.
Protection of company data, customer data and personal data is paramount for every company
It is often said that data is the new gold. Losing company data can be costly in business terms - for example, if intellectual property is compromised and may fall into the hands of competitors or if customer lists are not kept confidential.
Losing personal data can also be costly in terms of reputational loss from adverse publicity. In addition, there are the monetary costs and management time lost in regulatory investigations and the cost of forensic analysis and remediation of the IT system. There may also be direct costs in, for example, providing insurance to cover individuals where personal data lost by the company may be used in identity theft. And, finally, there is the risk of financial penalties. These have risen steadily in Singapore, and some companies may fall within the scope of the GDPR and be subject to penalties set at a level that is ‘effective, proportionate and dissuasive’.
It is crucial that all companies focus on ensuring that company data and customer data in their care is adequately protected and that they can demonstrate accountability to regulators for protection of personal data.
Ensure that Singapore Companies are Adequately Protected
High-profile cybersecurity breaches in recent years (e.g. the IHiS breach, where fines totalling S$1 million were imposed on SingHealth and its vendor, IHiS) have raised the general level of awareness of cyber incidents among the community [1].
Currently, only companies operating Critical Information Infrastructure (CII) supporting the provision of essential services across 11 critical sectors have prescribed cyber protection requirements under the Cybersecurity Act [2]. In contrast, there are no clear governmental guidelines for companies, especially SMEs, to know if they have taken all the right steps to ensure the protection of company data, customer data and personal data in their possession or under their control. There is, however, a wide range of reasonably well-known industry best practices, and ISO certifications are available, for companies, including SMEs and even startups, to adopt to ensure the protection of such data.
Demystifying Cybersecurity and Driving Enlightened Adoption
Many SMEs do not have a clear idea of the range of cybersecurity options available, let alone what constitutes adequate cybersecurity for their business. Since they don’t know better, and protection constitutes a cost item, many go for the bare minimum and assume that passwords and anti-virus software are sufficient.
SGTech believes that the situation can be improved by making it easy for companies to know at least basic best practices and the right types of cybersecurity products that are appropriate for their business profile, based on their activity and types of data that they handle. This convenient reference can boost the right adoption of cybersecurity tools and encourage firms to adopt processes that can strengthen the security of data in their custody.
In particular, by defining the must-haves for each business profile, we can collectively level-up the baseline protection in place among Singapore companies. The recommendations can follow the Defense in Depth principle, by putting in place multiple layers of security controls to ensure redundancy in the event a security control fails, or a vulnerability is exploited, covering aspects of personnel, procedural, technical and physical security.
Where necessary, financial incentives can also be put in place (such as through the SMEs Go Digital programme) to ease the transition for SMEs to reach the baseline level.
Making Cybersecurity a Common Reality
SGTech will continue our collaboration with the relevant government agency (Cyber Security Agency), this time to identify relevant business profiles, and to propose and develop a menu of cyber protection practices and product types appropriate for each profile.
In this process, we also endeavour to identify must-have product types that should receive government support to maximise adoption among SMEs.
Beyond this menu of practices and products, the Cyber Security Chapter also stands ready to advise companies that need further help. For example, some companies may need help to build a business case for budget, head-count, and other resources for cybersecurity initiatives. We can help bridge the gap through information-sharing seminars discussing the lessons from previous instances of security breaches and possible approaches to present their business case to senior management.
Ensure that Vulnerable Micro-enterprises are not Put at Risk
In our drive to make Singapore’s economy digital, we are encouraging micro-enterprises (such as hawkers and small retail shops) to go online. We must be mindful that many of them do not have a good understanding of technology, let alone awareness of cyber security and data protection practices. They also do not have the resources to consider or address the associated risks. We must avoid placing these vulnerable businesses at risk of being held to ransom online.
To achieve this, we must embed cybersecurity and data protection into digital tools, and ensure that users are trained, adopt good practices and stay cyber safe.
To drive the embedding of cybersecurity and data protection into digital tools, SGTech will continue outreach activities for our members and other ICT SMEs. We will encourage companies to use IMDA’s Capability Assessment Tool to assess their gaps in cybersecurity, and leverage financial support via the GoSecure programme to address them.
We urge the SG Digital Office (SDO) to include appropriate cybersecurity training as part of their outreach activities for the hawkers and small retail shops to go digital. Furthermore, the SDO or the Cyber Security Agency could spearhead a community education effort to raise cybersecurity awareness and promote good practices that small and micro-businesses can adopt.
Building the Cybersecurity Talent Pipeline
Looking to the future, keeping Singapore companies and their data assets secure depends on ensuring that a continued pipeline of qualified cybersecurity talent joins the industry. It is necessary to conduct outreach to attract promising students and mid-career job-seekers to take up the related courses of study.
There are many such activities today. However, the efforts by educators and training providers tend to focus on hard facts, the “What” of the profession insofar as it relates to cybersecurity. This over-emphasis on facts misses out on the “Why”, the meaning derived from a career in cybersecurity and inspirational success stories of how a career in cybersecurity can be rewarding, all of which can form the driving force to spur them to join the cybersecurity industry.
Industry Veterans Inspiring Future Talents
It is necessary to enrich the outreach efforts to build the cybersecurity talent pipeline by communicating the “Why”. We believe that this is best achieved through experience-sharing by industry veterans.
SGTech’s Cyber Security Chapter can contribute to outreach efforts to attract talents to join the industry, by tapping industry veterans in the Chapter to share their experiences, to communicate the value and meaning from a career in this sector.
To take the outreach a step further, we can strive to improve the gender balance within the industry, by having women leaders in the industry speak and debunk myths that may cause women to find it daunting to step into what appears to be a male-dominated industry.
To this end, we will organise SGTech outreach efforts with these as the primary focus, and urge other organisations in this space to consider supplementing their initiatives using a similar approach.
As Singapore makes the leap forward with broad-based digital transformation, SGTech proposes that we adopt a two-pronged approach to collectively maintain the country’s cybersecurity preparedness.
- Focus on the immediate cybersecurity risks. Make it easy for companies to know and adopt the appropriate type and level of cyber protection for their business, and ensure that the vulnerable micro-enterprises are not put at risk.
- Build the talent pipeline for the cybersecurity industry by inspiring the youth and mid-career job-seekers with the “Why” of a career in cybersecurity, and improve the gender balance.
We invite other stakeholders to join us in making this a reality.
SGTech's Cyber Security Chapter brings together vendors, resellers and integrators of cybersecurity products, solutions and services, as well as auditors, consultants, practitioners and legal and compliance organisations in the cybersecurity ecosystem. The Chapter aims to promote awareness and adoption of cybersecurity among organisations in Singapore, and boost a pipeline of talent to ensure the continued viability of Singapore’s cybersecurity industry.
Please contact firstname.lastname@example.org if you’d like to find out more about the Chapter.
Published Oct 2020