Singapore firms unprepared for cyber attacks

Many of the country’s medium-sized and large organisations do not have a dedicated security budget or teams to respond to cyber threats

Singapore companies may know the importance of cyber security, but most have not gone beyond basic security practices to enable them to cope with cyber attacks better, a survey has found.

According to the survey, conducted by managed security services provider Quann and technology research firm IDC, about nine in 10 medium-sized and large organisations in the city-state are in the early stages of security preparedness, and 75% of them do not have a dedicated IT security budget and planning process.

While basic safeguards such as firewalls and antivirus software are widely deployed by Singapore companies, more than half (56%) of them do not have security intelligence and event management systems to correlate and raise alerts for any anomalies promptly.

Also, 54% of Singaporean respondents do not have a security operations centre or a dedicated team to proactively monitor, analyse and respond to cyber security incidents flagged by their systems. Security leads may have other responsibilities at the same time, with 32% of them providing security support only during work hours.

The lack of proper monitoring systems and processes means anomalies picked up by security devices may not be acted upon and malware may reside and cause damage within corporate networks for a long period, Quann said in a statement.

Also, 40% of Singaporean respondents do not have incident response plans to protect their companies’ networks and critical data in the event of a cyber attack. For those that do, only one-third practise their incident response plans.

With employees often seen as the weakest link in cyber security, only 33% of Singapore companies require all their staff to take part in IT security awareness training.

The survey findings could be attributed to a low level of engagement from senior leadership in formulating IT security strategies. A big majority (91%) of Singaporean respondents consult security executives, but only 16% of them invite these executives to board meetings and involve them in assessing cyber security risks.

Simon Piff, vice-president of IDC Asia-Pacific’s IT security practice, said not all C-level executives in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the necessary investments.

“Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools,” said Piff, pointing out that organisations must understand that the investments will not deliver immediate, visible returns.

“The consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation,” he said.

The survey findings are in stark contrast to Singapore’s top position in the UN International Telecommunication Union’s latest Global Cybersecurity Index, in which the city-state was world leader for its commitment to cyber security in areas such as cyber security partnerships and capacity building, as well as the presence of legal frameworks and technical and policy coordination institutions.

Malaysia is ranked second in the Asia-Pacific region and third globally behind the US, with a perfect score in capacity building due to a range of initiatives in that area. Cybersecurity Malaysia, the government agency responsible for information security in the country, also offers professional training via higher education institutions in Malaysia.
