What is Cyber Security?
The protection of internet-connected systems, hardware, software, data, and sensitive information from cyber-attacks.
Businesses operate in a hyper-connected world where cybersecurity is no longer a ‘good to have’ but an essential concern of CEOs. As companies grow in their digital presence, cyber threats and risks are also becoming increasingly sophisticated. Over the past few years, a slew of high profile cyber-attacks have emerged in South East Asia—In 2018, Singhealth, Singapore’s largest group of healthcare institutions experienced a major cyber-attack which saw 1.5 million patients’ personal particulars stolen; just in May this year, one of Indonesia’s largest e-commerce companies, Tokopedia, suffered a breach of personal data for over 91 million accounts.
Cyber attacks can happen to any organisation and its impacts do not end at lost data. Companies, both big and small, can suffer from a major loss of reputation and be subjected to legal penalties and implications arising from privacy breaches. Few companies want to take the risk and top managers have recognised the need for more robust cybersecurity measures. According to McKinsey, leaders worldwide are keen to better manage cyber risk in their organisation and seek tangible results from their existing cybersecurity investment. But how can this be done?
Based on our research and experience working with both global and local firms, we firmly believe that companies should adopt a holistic approach to cybersecurity.
People – Your Employees
As companies grow, they tend to lose sight of the most granular level where cybersecurity can be easily compromised – the employees. Iron-clad policies and top of the range IT solutions can be easily defeated by obtaining the credentials of your office manager, and hackers recognise that the easiest way in is through the human element. Companies have the mandate to ensure that employees understand and comply with cybersecurity principles such as:
- Use strong passwords and multi-factor authentication. Simple passwords are the ‘passports’ for cyber hackers to gain access to critical and sensitive company data and networks. Employees should be required to use strong and complex passwords containing at least 10 characters and include numbers, symbols, and capital and lowercase letters. Password change should be prompted periodically to mitigate the risk of credentials which have already been lost to hackers.Multi-factor authentication such as Two-Factor Authentication (2FA) should be in place to verify the identity of employees when they are trying to access sensitive or confidential networks and files. The most common 2FA these days would be the use of employees’ mobile device or smartphone application to approve authentication requests.
- Ensure firewall protection is always activated. A firewall is a network security device filtering incoming and outgoing network traffic to permit or block data packets such as a malicious programme based on predetermined security rules. Whether employees are working in the office or from home, activating firewalls can reduce the risks of unauthorised users or attackers from accessing private or internal company information such as emails and documents.
- Be educated and wary of phishers. Research by Verizon in 2017 reported that over 70% of cyberattacks globally arise from simple tactics such as phishing emails. Additionally, a report by the Cyber Security Agency of Singapore published that there were 47,500 phishing URLs with a Singapore-link detected in 2019—close to double a tenfold increase since 2016.Phishing is one easy trap for anyone to fall into. Employees should, therefore, be cautious when they come upon suspicious emails or links. Phishers often embed viruses and malware into emails, attachments and links—one wrong click and they can infiltrate into the company’s network. Some tell-tales of phishing URLs include spelling errors in the website URL or attempts to redirect one to a suspicious URL. When unsure about the legitimacy of online communications, employees should alert the security or IT department and do not attempt to click into them.
Processes – Moving from Defensive to Proactive
“One common pitfall of many companies is to delegate the responsibility of cybersecurity to the IT department. Cyber risks should be regarded as a risk management issue. What is needed is a cybersecurity culture that permeates every level of the organisation.
The IT department can help to procure the latest firewall and malware-detection software but it is not enough. This model of defending the organisation against cyber attacks is akin to playing catch-up with cyber threats – the company is vulnerable to the elusive and changing antics of cyber attackers. Rather than passively leaving things to chance, everyone in the organisation ought to join hands and take a more proactive approach to anticipate and mitigate cyber risks.
1. Every individual has a mandate to raise and alert cyber vulnerabilities.
Not only should employees be trained on good cybersecurity and data-hygiene practices, but they should also keep a lookout for the ‘at-risk’ areas in the supply chain.
When working with a third-party supplier or agency, the signing of a non-disclosure agreement (NDA) is often regarded as the be-all and end-all to information confidentiality— but companies can never be too sure that these external parties would abide by it. Employees who work with third parties regularly need to be kept on their toes to ensure that these parties only access information that they require to perform their obligations, and access to confidential data such as intellectual property (IP) or proprietary information is restricted. Employees also have the responsibility to ensure that these third parties are no longer privy to the company’s information and communications after their contract has ended.
2. Removing the divide between cyber and physical security
In this digital age, the line between cyber and physical security is blurring. Indisputably, cybersecurity and physical security are both important and play an integral role in the company’s resilience against external threats. Rather than spending unnecessary time haggling over the allocation of budget between cyber and physical security, companies need to consider if there are overlapping concerns that need to be addressed between these two units..
“Another pitfall of companies is to have “periodic commitments” towards cybersecurity. Budgets allocated for cybersecurity often increase and decrease according to the C-suite executives’ opinion on the level of cyber threats. The truth is, no one would ever know when cyber attackers would launch an offensive.
Although organisations do not usually see quantifiable results from good physical security measures, they still invest in it because they know the importance of deterring attackers. It would be too late to ramp up on physical security after the attackers have successfully infiltrated or damaged the physical assets of the company. Similarly, cybersecurity may not provide instantaneous benefits for the organisation but it plays an indispensable role in preventing system intrusions and costly information losses. Continuous commitment to cyber and physical security thus keeps the company vigilant and well-protected against all impending threats.
While managements are used to addressing a physical threat to their business, the cybersecurity awareness of corporates is still in a developmental stage. According to Singapore Business Review, companies take an average of 100 days to detect and react to a cyber intrusion activity. IBM further highlighted that the average total cost of a data breach is USD 3.92 million! Since one cannot undo the losses incurred from the theft of valuable proprietary information and data, It is never too early to be ready and prepared against cyber risks.
3. Taking a risk-based approach to protecting digital assets
Companies and C-suite executives often buy into the idea of a ‘one-size fits all’ cybersecurity solution. Unfortunately, not all digital assets are created equal— every organisation will have data which can be classified as their “crown jewels”—and a robust cybersecurity strategy requires companies to use a variety of security measures to protect their digital assets. A blanket cybersecurity solution can provide basic protection for the organisation but it cannot stand against instances where the cyber attackers make targeted attacks on certain corporate assets (i.e. the more valuable ones such as proprietary information).
By proactively conducting threat assessment, reviewing current cyber protection measures, and prioritising assets, companies can find balance and success in deploying cybersecurity strategies according to risk and value. Additionally, such exercises also provide opportunities for C-suite executives to come together and have a shared understanding and agreement on the goals and priorities of the company’s cybersecurity strategies
Conclusion: Can you future proof your infrastructure?
Temporary, half-hearted cybersecurity measures are time-consuming yet they do not deliver results. Moving forward, companies must develop risk-based cybersecurity strategies based on proper risk assessments and a strong understanding of the company’s network and digital asset structure. While the C-suite executives are the key drivers of a robust cybersecurity programme, every individual has a place in securing digital assets against malicious attackers. Companies who are constantly looking out for cyber threats and reviewing their cybersecurity strategies would be well-positioned to take on the challenges in this digital age.