At The Secrets and Art of Cyber Security event held on 29 July this year, information security specialists shared their insights on cyber security trends and threats, and the key considerations in developing an effective enterprise cyber security plan. Moderated by Tan Yen Yen, who serves as the Regional Vice President and Managing Director, Asia Pacific (South) at SAS Institute, the forum panel hosted an insightful discussion by Foo Siang-tse, Managing Director of Quann, Vincent Loy, Partner at PwC Singapore and Asia Pacific, Low Huan Ping, CTO of Singapore Press Holdings, and Ben Gerber, Head of Data Governance, Security Strategy and Privacy at DBS Bank. Attended by the C-suite and directors from various organisations, the forum revolved around the primary concerns of key stakeholders in cyber security.
The speakers came to a consensus that many boards are not as engaged in cyber security as they should be. While most boards are aware of cyber security risks and their potential implications, the challenge for many boards lies in knowing what to do and in managing the numerous other risks within the organisation, such as operational and financial risks. Cyber security is one of these risks, but it is not the most significant risk faced by organisations. This is further complicated by the fact that there is insufficient information sharing on security incidents and breaches, for a variety of reasons, the most notable being fear of reputational damage. Traditionally, cyber security has been regarded as an extremely technical and specialised field, deterring many boards from active engagement in it. As a result, cyber security has yet to mature into, and be properly considered as, a business risk within organisations. Responsibility for information security is relegated to IT departments rather than being dealt with at C-suite level. The speakers urged the audience to recognise that the board is ultimately responsible for cyber security, regardless of whether security operations are run in-house or outsourced to Managed Security Services Providers (MSSPs).
Ben Gerber and Vincent Loy stressed the importance of raising cyber security awareness and appreciation among directors and key decision-makers within the organisation. This awareness is critical in giving the board an understanding of the actual threat environment, allowing them to ask the right questions and craft the cyber security strategy accordingly. Gerber observed that all organisations are still growing in this regard; many need to improve cyber security knowledge and maturity among senior management. Loy mentioned a notable example set by the UK, where cyber security is a standing agenda item in organisational business plans rather than an afterthought or remediation process. Reinforcing the importance of board awareness, Low Huan Ping added that having network and application-based protection and spending a hefty amount on perimeter defences does not mean that your organisation is definitely safe; many organisations are lured into a false sense of security. Foo Siang-tse reinforced this point, noting that board directors should be worried if their IT department reports zero attacks and penetrations, because attacks, even unsuccessful ones, occur all the time.
Next, the speakers covered a security memo that has received significant coverage – the Singapore government’s decision to block Internet access on all public service computers and laptops. Nearly all the speakers agreed with the government’s decision. Gerber highlighted that no first-world government grants total Internet access to its public servants, and Singapore has never done so in the first place. However, Singapore is now set to move towards stricter Internet control, and this is desirable because organisations should not grant access by default and thereby increase their attack surface unnecessarily. Instead, government establishments and organisations should assess the needs and access required for different roles and grant bespoke access as needed. This process requires careful consideration because the repercussions of this strategy may otherwise be more detrimental than beneficial. Loy offered an alternative view that eliminating Internet access entirely is a broad and drastic measure, as a thorough risk assessment is needed to understand the types of risks faced by the organisation in question. The access restrictions should be designed in accordance with the organisation’s security risk. Disconnecting from the Internet does not eliminate security risk; it merely mitigates some risks and reduces the organisation’s attack surface. Foo added that when the Internet is separated, the human being replaces the machine and becomes the link between the Internet and the government network. Therefore, though this measure is a significant improvement, it is not a fool-proof solution.
A security issue that is beginning to affect many organisations and businesses alike is ransomware. Beyond simple solutions such as keeping backups, the speakers offered several insights into the perpetuation and proliferation of ransomware crimes. Foo noted that ransomware perpetrators are adapting their business model to increase their chances of success. Many demand relatively small ransoms to encourage victims to pay the cheaper amount rather than hire an MSSP to mitigate the security threat. As a result, the ransomware industry thrives. It is important to note that in Singapore, it is considered illegal to pay ransom to these cyber criminals.
Lastly, the speakers discussed one of the more pertinent issues for boards – striking a balance between security protection and business productivity. Given the many stringent controls that security requires, employee productivity may be compromised. It is impossible to protect everything in the organisation, so identifying the most valuable assets and layering them with the most stringent controls is crucial. The second step is designing better security controls that maximise protection and productivity simultaneously, whether through privacy by design or security by design.
On a final note, the speakers ended the forum by strongly emphasising the importance of making risk-based decisions and understanding that cyber security is not simply about technology; it is also about people, governance and processes.