Each month, the British Chamber asks for member company comments on a specific topic, for publication in the Orient magazine. Comments below may be re-published only with the Chamber's consent and quotation. Contact email@example.com with any questions.
Cyber security is back in the headlines this month (July 2018) with Singapore's health system facing a breach of personal data in an attach on the SingHealth system affecting up to 1.5 million users. Ahead of September (2018's) Singapore International Cyber Week, we invited member companies to comment on the topic across two issues of the magazine - July and September 2018.
The need for Government, policy makers, companies and individuals to consider cyber security in their strategic planning is steadily increasing. During SICW, Singapore will bring together industry experts and stakeholders. What are the key themes and recommendations that you believe need to be addressed?
Reuben Sinclair, Cyber Security Representative Singapore & SE Asia, Department for International Trade
As Singapore seeks to increase its resilience to cyber-attacks, recent news indicates that even the most advanced and well protected systems can be vulnerable. The SingHealth attack represented the most serious personal data breach in Singapore’s history. In the UK there is still high awareness of the impact of the NHS WannaCry incident last year.
As technology rapidly evolves, the challenge of protecting technology and information increases with threats becoming increasingly complex. This means that the cyber security strategies of governments, public sector organisations and businesses need to evolve to keep pace. We are seeing:
- More frequent and more sophisticated attacks
- An increasing reliance on technology meaning higher impact of business interruptions – what was an annoyance twenty years ago can be catastrophic today
- Substantial time and cost to resolve incidents – an average of 168 days to identify a data breach at an average cost of £2.48 million (SGD 4.5m).
- Cyber security costs escalating, and budgets being affected by an increasing skills shortage
What is the UK doing on the cyber security challenge?
Significant security benefits are being derived from emergent technologies such as artificial intelligence, machine learning and quantum cryptography. Strong examples of this can be found at CSIT in Belfast, the UK’s Innovation and Knowledge Centre for Cyber Security, where research projects include; Device Authentication and IOT, Secure Ubiquitous Networking, Quantum Cryptography, Supply Chain Integrity and Operational Technology (OT) and Industrial Control Systems.
Additionally, the UK has opened two Cyber Innovation Centres in Cheltenham and London. These centres support companies developing the next generation of cyber technologies. The National Cyber Security Centre (NCSC) opened in London in February 2017 and works with both public and private sectors in building cyber security skills, developing innovative defences and helping to manage cyber incidents.
Together with the huge number of cyber innovators and start-ups and the assurance of services available via NCSC, this makes the UK a very compelling cyber security partner. With the adoption of GDPR we are going further to help organisations and citizens protect their information.
The Challenge extends beyond Technology
But whilst technology can assist us, organisations are realising that this is not simply a technical problem. Most cyber risks are not caused by technology - they are caused by the way that humans interact with technology (in the SingHealth attack, early reports suggest that attackers initially gained accessed through the breach of a front-end workstation). So we recognise that for a fuller cyber defence we must look beyond technical solutions. Here are some of the key behaviours that will help us succeed:
- Educate staff, customers and citizens to be more aware of cyber threats
- Focus on improving cyber hygiene (good practices and security procedures that keep systems and date safe) – 80% of incidents are caused by poor cyber hygiene
- Create inventories of our systems and data - we cannot protect what we don’t fully understand
- Separate critical or sensitive internal systems from public facing systems such as internet and email (or deploy solutions that render these safer from attacks such as phishing and other malware)
- Accept that we will probably all experience a cyber security incident at some point – focus on building effective response capabilities and take advice from industry experts;
- Consider the competitive advantages arising from cyber resilience
- Look outwards at the threat landscape as well as inwards to our defences, consider security threat intelligence solutions to better inform us of emerging threats
- Start to think like the attacker - use security testing services that allow a vision of our vulnerabilities as the attacker sees them
So, we see that whilst new technology presents some of the risks it can also contribute to the protective solutions. It’s really a combination of people, process and technology working together with good information sharing that will provide the answer.
The UK has developed a deep and productive dialogue with Singapore’s Cyber Security Agency and we share information and know-how across our governments. We also continue to work together in our shared pursuit of a free, well-regulated international cyberspace. The UK is also assisting other ASEAN States in increasing their cybersecurity capabilities.
Stephen McNulty, President, Asia Pacific, Micro Focus
The incident on Singapore’s health system indicates that no industry is safe from the increasing targeted nature of cyberattacks. There is no silver bullet that can mitigate all risks, but being able to detect threats in real-time through a ‘data-centric’ approach can boost an organization’s defence. In a large and heterogeneous technology environment, finding a balance between data security and usability is complex. While information owners want to harness data, it requires end-to-end data security across the cloud and on-premises. It is important to build an overall cyber-security strategy that spans across traditional IT environment, modern application workloads and smart devices. This strategy must encompass identity, data security, application security, advanced security monitoring and effective incident response. Increasing connectivity with smart devices, smart cities means that the data will be more vulnerable and protection is vital. Data-centric security is the enabler for unleashing the business potential of sensitive data.
Henry Tan, Managing Director, NexiaTS Group
How can cybersecurity help us? With the ever-changing tug-of-war between cyberattacks and cybersecurity products, today’s game-changer can be obsolete tomorrow. As entities grow in size and expand overseas, the identification and management of cyber assets becomes a significant challenge to organisations. How are you going to stay ahead of the curve and ensure that you are making worthwhile investments to tackle your cybersecurity concerns? In addition, the human element is the linchpin in making or breaking a cybersecurity framework – have you ensured that your workforce are in the best position for your cybersecurity solution to succeed?
John Bittleston, Founder & Chair, Terrific Mentors International Pte Ltd
Every consultant wakes up daily wondering if valuable data has been hacked. There are always some who find it is their turn for attention. Access to and interference with clients records is the greatest cyber worry. Intellectual property and development programmes also rank high on the list of cyber security needs. Protection of these should be first to attract attention in SCIW. Stronger and less cumbersome methods of protecting data than passwords comes next in the need for better cybersecurity. All passwords can be broken, not all can be remembered. ‘Collective password’ programmes are vulnerable to decryption. A key issue for cybersecurity is the ability to edit lists of files that have been duplicated as part of a backup system. There also needs to be attention to the possibility of a one-system security token running several different and discreet access points and deactivated by an unexplained change in environment.
As Singapore embarks on its Smart Nation initiative to move the nation’s economy digital, ensuring security, privacy and compliance remains the biggest challenge. The recent Singapore Cyber Landscape Report 2017 highlighted certain cybersecurity risks that the nation faced last year. Recently, SingHealth, the largest healthcare group in Singapore, suffered the worst cyber-attack in Singapore, affecting 1.5 million users. This attack highlighted the need for more best-practices for cybersecurity. While organisations operating in Singapore emerged mostly unaffected from major cyber security incidents, NotPetya and WannaCry, there is still much work to be done. There is a growing cyber threat as the number of connected devices continue to increase. This is exacerbated by an increase in state-linked cyber actors, weak links being targeted, and the use of artificial intelligence enabled cyber threats and solutions used this year. Some key themes to be addressed include: boosting cyber hygiene for businesses and individuals, understanding how your IoT devices could be leveraged as part of a cyberattack and the potential security threats from the adoption of new technologies like blockchain, Internet of Things, and identity recognition.
Steve Settle, Managing & Regional Director, CFO Centre
This is one of those issues that everyone knows a little about but not a lot. Unless they have been exposed to it, they can imagine certain things that might be damaging to their business (theft of customer details etc.) but have no comprehension as to the extent of what is actually happening out there and what people are doing to prevent it. To that end, I think it would be hugely beneficial to our business and the business of our clients (growing SME’s) to hear some practical examples of a) what damaging things have happened (no need to name names) and b) what can, was and should be done about it.
Jim Fitzsimmons, Director of Cyber Security, Control Risk
Sophisticated cyber attackers understand the value of information. The recent attack on SingHealth’s database is a case in point, with over a million Singaporeans’ personal data stolen. Despite the growing focus on cyber security by governments, policy makers and organisations, the sophistication and, unfortunately, effectiveness of cyberattacks is still expected to increase in the months ahead. To build a more secure cyberspace, there firstly needs to be stronger mechanisms to address transnational cybercrime. This includes strengthening reporting channels and cooperation across countries and jurisdictions. Secondly, more clarity on how, when and why information handling should be regulated is required. Governments should look closely at the balance between guidance and penalties for cyber security – getting the balance right is critical to ensuring accountability for securing citizen’s data without overly taxing organisations. Thirdly, we need more information on how past breaches occurred. While organisations that have been victimised generally feel that their situation is unique, the reality is most of these cyberattacks happen in similar ways. More sharing would raise the level of awareness and knowledge among the public and industry to help prevent future occurrences.
Gino Bello, Senior Director, Computer Forensics, Technology, FTI Consulting
Singapore has rightly invested in Cybersecurity defences; establishing dedicated agencies to monitor and mitigate against recent threats, including the CSA and PDPC. Bad threat actors are sophisticated, well-funded, and highly motivated. There is much to be gained from attacks with little to no consequence. Threats of monetary loss, identity theft, privacy, the black market, human trafficking, and personal safety, are real. Global efforts need to combine and keep pace with the growing threat vectors, including a comprehensive approach covering:
- investment in methods, intelligence, technology, and research and development into defence
- ensuring a holistic, risk-based, proactive approach, including heavier investment in monitoring and detection, leveraging artificial intelligence
- education and ensuring robust policies are in place and followed
- people and talent development at grass roots level, harnessing the shortage of specialised skillsets
- collaboration between government, law enforcement, corporations, associations, and specialist groups
- more investment in methods to trace offenders, and tracing offenders
Paddy Hills, Account Manager, Financial Lines Group, Jardine Lloyd Thompson Asia
In today’s digital economy, cyber risks are non-discriminatory and therefore strategic planning to address them is essential. The common theme holding back effectively dealing with these threats remains the lack of accessible information. Collaboration in knowledge sharing among security vendors, regulators, governments, insurers and corporates will ultimately underpin success in dealing with this complex and evolving risk. With the right information, organisations can construct the blend of services and products that best suit their exposure. Evidence of this collaboration is underway. For instance, in the US the Cybersecurity Information Sharing Act is in place which allows the government to share cyber threat information with businesses that voluntarily agree to participate in the program. At JLT we’ve also looked to collaborate using a consortium of partners to get a deeper understanding of the threat actors, claims environment, breadth of regulation and changes in technology in order to provide tailored cover and analytics for our clients.
Menaka Muthu, Regional Assistant Director, Financial Lines Group, Jardine Lloyd Thompson Asia
Cyber security cannot focus solely on technology controls and remediation plans — it needs to be a shared responsibility. Business stakeholders at all levels, inside and outside the organisation, must understand the risks that a company faces and work together to build a resilient culture. Alongside this, companies and organisations need to share news of cyber attacks and information on their responses instead of facing these threats in silos. Since they face a common threat, collaboration is key.
Jim Gee, Partner and National Head of Forensic Services, Crowe UK LLP & Visiting Professor and Chair of the Centre for Counter Fraud Studies, University of Portsmouth
Cyber crime should be seen as akin to a clinical virus, continuously evolving and changing. It is not possible to be secure but you can be as secure as possible. With the White House, the Pentagon, and the CIA building all being hacked in recent years and developed country statistics for 2017 showing almost half of all organisations suffering cyber breaches, this is clear. The latest research, undertaken by Crowe and the Centre for Forensic Studies at University of Portsmouth (Europe’s leading research centre in this area), provides a way to assess an organisation’s vulnerability to cybercrime and to protect themselves better. Crowe has turned this into a free online Cyber crime Vulnerability Scorecard tool which takes only a few minutes to complete. It assesses how attractive an organisation is to cybercriminals, what damage would be done if a cybercrime attack took place and the extent to which an organisation is cyber secure and cyber resilient. Users get a downloadable report which rates their vulnerability and provides a checklist of necessary action. Go to https://crowecybercrime.com to use the tool. Fraud and cybercrime are now facts of life – but you don’t have to be a victim.
Dominic Wrench, Associate, Taylor Vinters
Humans are arguably one of the weakest links in any organisation’s cyber security defences, but if utilised effectively can also be one of the best forms of protection. For that reason, staff engagement should be a key theme for discussion at the upcoming SICW. Irrelevant of the size, scale, and industry of an organisation, its staff must be adequately informed of the dangers relating to the electronic security of the business and harnessed effectively to help protect key electronic assets. Key stakeholders need to be able to address how to; implement suitable internal cyber security policies; train staff effectively; and to foster a business culture that is collectively responsible for protecting a business and vigilant to the threat posed by cyber criminals.
Peter Godfrey, Managing Director APAC, The Energy Institute
Despite somewhat turbulent economic times, the energy sector continues to be heavily engaged in identifying digital enablers and threats aimed at building new strategies and capabilities capable of increasing productivity, making use of new technologies, redefining competencies and addressing skills’ gaps. Cyber security issues remain the single biggest threat to applying key digital technologies: Cloud, Cognitive/AI, IoT, and Blockchain. To accelerate successful adoption, the energy sector will increasingly need to find ways to effectively manage and mitigate the risks of Cyber security by combining deep industry skills, digital technology expertise, research capability and risk/assurance management. Digital transformation has the potential to deliver significant innovation and improvement to both top and bottom line performance throughput the energy sector value chain, but new, more proactive collaborative models between digital technology providers and their energy sector clients will undoubtedly be required in the future.
Daryl Pereira, KPMG Advisory LLP
In light of the SingHealth data breach, cyber-attacks have grown in frequency, scale, complexity, and impact, involving wide-ranging threat actors, and spanning across national boundaries. Organisations should seek to holistically approach cyber security to transform business strategies with confidence by conducting the following:
- Regular health checks to provide vital insights into the cyber readiness of your organisation
- Implementing a cyber security strategy that optimises protection using a combination of people, process, and technology
- Training and empowering staff through cyber education, building awareness as a foundational block for security
- Improving identity and access management to restrict administrative privileges to a ‘need to have basis’, and ensuring a readily activated cyber incident response plan is in place to enable your organisation to recover quickly from an attack
It is important to ensure stringent cyber hygiene practices to both improve your organisation’s cyber resiliency, and proactively reduce the attack surface for potentially malicious activity.
Joel Pridmore, Head of Financial Lines & Business Development, Asia Pacific, Munich Re Singapore
The Singapore business community takes a very reactive approach to the cyber threat landscape with many holding misguided beliefs they are immune from cyber related attacks and breaches. The recent breaches uncovered within SingHealth and SIAS show this belief is not only false but concerning. The delay in uncovering the breach within SIAS, in particular, exposes Singaporeans to systemic threats relating to identity fraud that may have been perpetrated over many years. More needs to be done to educate all level of business from micro SME to the largest corporates on what the cyber landscape is and how best to not only respond but also mitigate. This represents both an opportunity and threat to Singapore’s reputation on the global stage as a trusted business hub and education must form part of the Government’s action plan to tackle this ever-growing threat.
Lee Kuok Ming, Chief Executive Officer, Bray Leino Splash
With increasing adoption of digital technologies, companies must view cyber security as a core and essential part of their business, not an afterthought or a nice-to-have.
Dr. Lim Woo Lip, VP Data Analytics & Cyber Security, StarHub
Singapore is rapidly evolved into a Smart Nation, with many of its traditional industries undergoing a major digital transformation, and this increases its risk exposure to cyber attacks. One of the key challenges that Singapore faces today is the insufficient number of security professionals to fill the security roles that will be created over the next few years to defend the smart nation. Current automation technologies such as orchestration and automation of Security Operations Centre operations, Automated Incident Response, etc., are able to address some of these problems, however, there is a continuous need to leverage on the advancements of AI and machine learning to sharpen the automation capability so to further reduce the demands of manpower.
Anne Kerr (Global Head of Cities) and James Prothero (SE Asia Water Sector Leader), Mott MacDonald
There are certainly major concerns over cybersecurity, particularly in the context of services such as water and energy. Here in Singapore, the new Cyber Security Act is focusing many companies to consider the safety of their assets. Mott MacDonald is now being approached by clients to audit their industrial control systems and ensure that they are protected against malicious cyber attacks on their networks and the infrastructure they control. Understanding your cyber assets and having a plan to protect them is critical.
Autonomous vehicles are another big area of concern, as there are many risks to address, such as remote hacking. You can just imagine the disaster of hacked traffic lights, causing carnage in cities in a nanosecond. We must take some time to work out how to deal with these issues!
Data is incredibly powerful, but we must always think about the unintended consequences and see what we can do to mitigate those before we throw ourselves fully into a world where everything is digital.
By 2025 there are expected to be 26 Smart Cities worldwide (according to Frost & Sullivan). There is no doubt that Cloud adoption will change the way services are delivered and that it will contribute to an overall increase in living standards, but interconnected networks will extend the potential attack surface as well. Our conviction is that in a world focused on creating smart cities, two crucial prerequisites are cyber security and identity management. In fact, a smart city in the true sense does not even exist without a well-established structure of unique identities, combined with granular access control for data subjects. As for cyber security, its challenge will be to protect all those identities in an increasingly mobile world, where perimeter security does not work anymore.
Rowland Johnson, Chief Executive Officer of Nettitude, part of Lloyd’s Register Group
The threat from cyber is escalating with increased veracity and velocity. Barely a day passes by where there isn’t a media article about an organisation being breached or data being compromised. As we generate increasing volumes of data, so the ability for threat actors to cause malice is amplified. The growing reliance between information technology and operating technology only increases our susceptibility to the threat. It is a fallacy to believe that an organisation can make themselves impregnable to cyber attacks. Through, direct and indirect threats that target people, processes, and technology even sophisticated organisations are exposed to cyber risks. Organisations need to gain a better understanding of their true attack surface, considering the wider supply chain as opposed to focusing on technology in isolation. Instead of building strategies that are oriented solely on defence, cyber resilient organisations will also calibrate their attentions towards an assured and quantifiable detection and response strategy.
Lijun Chui, Counsel, Clifford Chance
One key theme is the notification of individuals when their personal data has been breached. This has been proposed to be included as an obligation under the Personal Data Protection Act, consistent with the requirements under the General Data Protection Regulation in Europe. One operational issue arising from this is how and when the affected individuals should be notified, in a manner which enables them to take steps to protect themselves but also avoid imposing an overly onerous regulatory burden on organisations.
Related to this is the potential liabilities which organisations may owe to the affected individuals. Given the increased discovery of cyber incidents and heightened general awareness of personal data rights locally and in the region, organisations should therefore be quick to take steps to mitigate damage, pre-empt such claims and be in a position to identify or ascertain the damage or injury suffered by the affected individuals.
At UPS, over 20 million packages and documents – equivalent to three percent of the world’s GDP – move through our global network each business day. Our services are fundamental to the functioning of global commerce, enabling just-in-time inventory, transporting high value or sensitive items and documents, and connecting buyers and sellers large and small across borders. Maintaining the seamless movement of data across borders is crucial in order for our planes, trucks and systems to run like clockwork. At the same time, we also recognize that this connectivity brings with it risk and have instituted policies that protect and maintain the integrity of our systems and information assets. To maintain a good balance between enabling seamless trade and protecting the integrity of our global systems, we encourage all governments to take a policy approach that favours openness while also safeguarding security and privacy.
Tan Shong Ye, Digital Trust Leader, PwC Singapore
There are three key themes to note. Firstly, cyber security is not an activity that can be done in isolation and needs to be built into all aspects of the business. Secondly, organisations need to quantify cyber risks so that board and management will be better able to allocate resources appropriately. Finally, organisations need to learn how to be cyber resilient (recover quickly and continue operating in the event of attacks). It is impossible to prevent all possible cyber attacks in this day and age. We are seeing an increasing need for companies to either develop in-house cyber and data protection abilities or work with trusted business advisors to build essential cyber and data resilience. How an organisation protects its data will be a competitive advantage. Finally, best in class organisations will have well-developed and rehearsed resilience plans at the business unit levels.