The cybersecurity landscape has been continuously evolving. All businesses, regardless of their size, need to be prepared in advance or face the unpleasant surprise of a security breach. Some examples of this constant evolution include:
- Technology is proliferating rapidly, as advanced IT services like cloud computing become increasingly easy for business units to purchase independently. This creates additional risks, as linking up newer and existing technology modules creates opportunities for cybercriminals to strike
- The lines between corporate and personal technology are blurring. Personal mobile devices are particularly susceptible to data leaks because they can be lost or stolen, as well as more easily accessed by cyber-criminals
- Most ominously, cyber-attacks have matured into persistent, sometimes state-sponsored threats to businesses in nearly every industry. According to the Singapore Cyber Landscape report, even Small and Medium-sized Enterprises (SMEs) were not spared. 1750 local websites, mostly belonging to SMEs, were defaced by hackers in 2016 - an average of nearly five a day [1]
Cyber threats to Singapore’s businesses
This article explains why all businesses should take cybersecurity seriously and highlights how they can take meaningful steps to protect themselves. Many cybersecurity incidents could be prevented if technology risks were better understood and security protocols were followed diligently. To help us better understand these risks, let’s list down the four key threats that businesses face:
1. Technology risks
External threats: Common threats include distributed denial-of-service (DDoS) attacks, where multiple compromised computer systems attack a target, such as a server, website or other network resource, and cause a denial of service for legitimate users. Another common threat is trojan programmes, which pretend to be something they're not while including malicious additions. For instance, trojan programmes are often bundled with legitimate software downloaded via P2P sites.
Internal threats: External threats may attract relatively more attention, but businesses should be aware that employee education is vital for any cybersecurity plan to work. Without education, the average staff member goes about their day handling and sending sensitive data without thinking about hackers or data loss. This lack of awareness results in sensitive data being sent unencrypted in emails and in loose control over corporate database access.
2. Process risks
Cybersecurity plans require sound processes, resource planning to support these processes and detailed contingency plans in case a breach occurs. These plans also need to be checked against all compliance requirements communicated by your business’ regulator. This requires a long-term business commitment and, unfortunately, there is no quick fix.
If there is a weak link in processes or the supporting infrastructure, your business is leaving itself vulnerable to a security breach.
3. Outsourcing risks
Many businesses rely on third parties to provide cloud computing services. Vital information is often hosted on these services, such as customer and staff data, including Personally Identifiable Information (PII), bank account or credit card data, and commercially sensitive contracts or data that may influence financial markets.
Given the extreme sensitivity of such information, businesses need to carefully plan their risk mitigation measures.
4. Business continuity risks
Many businesses’ worst nightmare is to experience prolonged downtime for their website or core operations during a cyberattack. Imagine the panic experienced by a hospital hit by last year’s WannaCry ransomware attack, as its staff were unable to access patient records while new patients were being admitted. When continuity of operations is affected, financial, legal and reputational problems can quickly follow.
The best way to deal with a ransomware attack is to wipe out these criminals’ presence on your business server or network and restore from backups. However, some businesses have no way of verifying when their last backup took place, let alone of attempting to restore a recent backup.
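One way to close the backup gap described above, as an added example that is not part of the original article: a Python check that reports how old the newest backup is and reads every file back out of it against a hash manifest. The `*.tar.gz` layout, the `MANIFEST.sha256` convention and both function names are assumptions of this example.

```python
import hashlib
import tarfile
import tempfile
import time
import zlib
from pathlib import Path

MANIFEST = "MANIFEST.sha256"  # assumed convention: "<sha256>  <relative path>" per line

def create_backup(src_dir, archive_path):
    """Archive src_dir as tar.gz together with a manifest of per-file SHA-256 hashes."""
    src = Path(src_dir)
    files = sorted(p for p in src.rglob("*") if p.is_file())
    lines = [f"{hashlib.sha256(p.read_bytes()).hexdigest()}  {p.relative_to(src).as_posix()}"
             for p in files]
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive_path, "w:gz") as tar:
        manifest = Path(tmp) / MANIFEST
        manifest.write_text("\n".join(lines) + "\n")
        for p in files:
            tar.add(p, arcname=p.relative_to(src).as_posix())
        tar.add(manifest, arcname=MANIFEST)

def verify_latest_backup(backup_dir, max_age_hours, now=None):
    """Report the newest archive's age and whether each file reads back intact."""
    archives = sorted(Path(backup_dir).glob("*.tar.gz"), key=lambda p: p.stat().st_mtime)
    if not archives:
        return {"archive": None, "fresh": False, "restorable": False,
                "problems": ["no backup archives found"]}
    latest = archives[-1]
    age_hours = ((time.time() if now is None else now) - latest.stat().st_mtime) / 3600
    problems = []
    try:
        with tarfile.open(latest, "r:gz") as tar:
            restored = {m.name: hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                        for m in tar if m.isfile() and m.name != MANIFEST}
            manifest = tar.extractfile(MANIFEST).read().decode()
    except (tarfile.TarError, OSError, EOFError, KeyError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    else:
        expected = {name: digest for digest, _, name in
                    (line.partition("  ") for line in manifest.splitlines() if line.strip())}
        problems += [f"missing or altered: {n}" for n in sorted(expected.keys() | restored.keys())
                     if expected.get(n) != restored.get(n)]
    restorable = not problems
    fresh = age_hours <= max_age_hours
    if not fresh:
        problems.append(f"newest backup is {age_hours:.1f}h old, limit is {max_age_hours}h")
    return {"archive": latest.name, "age_hours": age_hours, "fresh": fresh,
            "restorable": restorable, "problems": problems}
```

Run on a schedule, a non-empty `problems` list is the signal to alert on; the check is only meaningful if the backups it reads are stored somewhere the ransomware could not reach.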
How to enhance your cybersecurity plan
By now, readers may have noticed that cybersecurity risks are multi-dimensional. Your business may have trained staff to send encrypted emails when dealing with sensitive data, but this effort is wasted if the same data is stolen while being transmitted internally to third-party cloud computing services.
Therefore, a comprehensive cybersecurity plan needs to be holistic in a digital world. Here are three concrete steps that all businesses can take to enhance their cybersecurity.
1. Run regular cybersecurity risk assessments
Similar to an annual health check, a risk assessment helps you understand your business’ issues so that you can then mitigate these risks. These assessments [2] typically include:
- Take stock of your IT systems: List down the various hardware and cloud-based access points, partners and vendors, what information is stored and shared and its sensitivity
- Look at potential threats: In addition to hacker intrusions, one must also consider breaches resulting from human error, e.g. poor data backup and unsecured data transmission
- Analyse the environment: This step involves the examination of controls governing factors like administrator access, user authentication, infrastructure data protection, continuity of operations and others. How vulnerable are these individual controls to the threats a business is likely to face?
- Likelihood: Consider the probability of each breach type and its point of origin. This can, depending on organisational or network complexity, involve dozens of breach/source pairings
- Final risk assessment: Multiply the likelihood of a breach by its resultant damage to determine a risk rating. For example, if a business is likely to experience breach attempts due to the valuable information it is handling, and the results of such a breach would be catastrophic, a high risk rating should be applied
2. Incident Response Plan
When managing cybersecurity threats, businesses should plan their responses well in advance. Contingency planning involves:
- Informing your employees about who to call after discovering a breach
- Planning the immediate steps that your cybersecurity team should take when facing a breach, e.g. ransomware as described earlier. For reference, your team may wish to factor in the latest cybersecurity threats as published by credible subject matter experts such as the U.S. Computer Emergency Readiness Team (CERT)
- Detailing the roles and responsibilities of management and external consultants in the event of a breach
- Apart from a response plan, your business may also consider cybersecurity insurance. A cyber insurance policy is designed to help a business mitigate risk exposure by offsetting costs involved with recovery after a cyber-related security breach or similar event. Cyber insurance can serve as part of your business risk management plan
3. Building up Internal Capabilities
To reiterate, a cybersecurity plan is a long-term commitment. Your cybersecurity team’s capabilities need to be upgraded over time. Therefore, your business may wish to leverage SME Digital Tech Hub specialists, who provide cybersecurity advice to SMEs, as well as Cyber Security Agency of Singapore (CSA) programmes to train and up-skill fresh and mid-career professionals for cybersecurity job roles. To further enhance enterprise resilience against cyber threats, businesses can also leverage the Capability Development Grant should they wish to adopt standards like ISO 22301 (Societal Security – Business Continuity Management Systems) or ISO 27001 (Information Security Management Systems).
As your business transitions to an increasingly digitised operating environment, you need to be aware that cybersecurity needs to be part of your digital plan. Otherwise, you are more likely to face a security breach and the associated financial, legal and reputational problems.
Are you keen to get started or enhance your business’ cybersecurity plan? Talk to us and find out how RSM can help you.