Each of us has a role to play in cybersecurity. What are we doing to protect ourselves against cyber attacks?
Here are the harsh facts that we have to face. SingHealth’s databases were breached in mid-2018 and millions of Singaporeans, private citizens, and government officials alike, have had their personal details accessed.
The past few years have seen organisations as high reaching as the Ministry of Defence (MINDEF) suffer from data breaches. As many as 11 critical sectors in the country have been told to review their security protocols and external connection access.
In short, critical data is under attack, citizens are left with more questions than answers, and cybersecurity remains shrouded in mystery. Sounds pretty grim, right?
As is often the case in the world we live in, the headlines are more sensational and scarier than the news itself. Yes, Singapore has been the victim of a few damaging cyber attacks with SingHealth being the latest and largest. But there are three critical pieces of information we need to bear in mind when evaluating the real state of affairs when it comes to cybersecurity.
We Only Hear About the Failures, Not the Successes
There are hundreds of thousands if not millions of cyber attacks taking place globally on a yearly basis. With the military prowess of Singapore in Southeast Asia (SEA) and the greater Asia Pacific (APAC) region in conjunction to its critical place within the global financial, maritime, and aviation systems, no doubt a heavy load of those attacks are passing through our digital borders as well. Our security forces cannot be reasonably expected to reveal each successful defense of a cyber attack when we consider the sheer volume of attacks taking place.
Preemption is the Best Defense
Singapore is not sitting on its hands waiting for the next attack in order to do something. The Cyber Security Awareness Alliance is comprised of some of the largest entities from both the private and public sectors with a shared objective to make Singapore safer. As per their mission statement:
“The Alliance comprises representatives from the government, private enterprises, trade associations and non-profit organisations. As a collaborative body, the Alliance amalgamates efforts from its members by bringing together different strengths and resources. The aim of the Alliance is to:
- Build a positive culture of cybersecurity in Singapore, where cybersecurity becomes second nature for all Internet users;
- Promote and enhance awareness and adoption of essential cybersecurity practices for both the private and public sectors.”
The Problem is Global, Not Local
Enterprises and consumers are struggling with cybersecurity on a global scale. As stated previously, hundreds of thousands if not millions of attacks are taking place via Web site defacement, phishing, malware infections, and more. There were dozens of high-profile cyber attacks in 2017 alone.
Efforts are already underway to take more of a regional and global approach to this problem. In March 2018, Prime Minister Lee Hsien Loong commented on the importance for closer cooperation amongst ASEAN nations when speaking to a plenary session at the ASEAN-Australia Special Summit. The Prime Minister was quoted as saying that “It can have a drastic impact on our populations,
for example in terms of critical infrastructure; and it can be insidious—undermining the trust which holds our societies together, for example through fake news.”
There is a shared interest in securing our digital lives and thankfully Singapore is far from alone in that battle. So there is clearly a digital threat that we all face and there are various things being done to address them. Who exactly does the burden of responsibility rest upon and what needs to be done from here? While the answer to the latter depends on the group of people we are discussing, the answer to the former is “everyone”.
1) The Government
While it is always easy to just point our fingers at the government, as has been commented on previously, the government is taking action in ways that we may be aware or unaware of. The Cybersecurity Strategy document made available to the public via the Cyber Security Agency of Singapore (CSA) is certainly one piece of evidence indicating the seriousness with which the government is approaching this topic.
2) Enterprises and Service Providers
Traditional solutions to two factor authentication (2FA) for the enterprise market are not enough. Simply put, there are too many potential flaws when it comes to SMS and voice tokens. These problems are well-known and well-documented for anyone who wants to have a look.
Does this mean small-and medium-sized enterprises (SMEs) should avoid 2FA entirely? Absolutely not! Some security is better than zero security but that is only step one.
The second step is demanding more from your 2FA service providers. There are some truly fascinating developments taking place in the industry such as using sonic vibrations to authenticate a device and user.
What we are trying to do at Twizo is to make 2FA as simple as possible both in terms of general integration as well as by providing our SME partners with a wide range of solutions to choose from. While there is no hermetic seal against digital threats, any layer of defense
that we can add between us and malicious actors is better than operating solely on hope.
Innovation amongst 2FA providers and cybersecurity companies aside, enterprises must make the decision to adapt and adopt. If we question the numbers and take a look at the industry, we may not like what we see.
- How many SMEs have a digital security strategy?
- How many SMEs restrict staff from accessing unnecessary or dangerous external connections from work devices?
- How many SMEs conduct audits of internal privacy policies and practices?
- How many SMEs have a dedicated staff member to manage internal guidelines for cybersecurity and data privacy?
Innovation and adoption work hand-in-hand. Service providers must make 2FA and other cybersecurity solutions more accessible while SMEs must make the decision to take the topic seriously.
As consumers we must all demand that our service providers take action on this topic. Choose providers that offer better security. Give your providers feedback on your security expectations.
Unfortunately enterprises more often than not only act either in the face of consumer pressure or after the fact. We must encourage them to preempt the next attack by taking action today.
Thankfully there are various signs of the industry starting to wake up.
This battle is not just about SingHealth data or MINDEF records. This battle is about everything we store online which is increasingly becoming, quite literally, “everything” in today’s world.
As CSA chief Mr David Koh rightly noted: “It is important for the public and small businesses to be more diligent about protecting their digital lives and assets, to improve our collective safety in cyberspace. As seen from the spate of ransomware campaigns over the past year, small businesses and individuals are often the victims of such indiscriminate attacks.”
Copyright © 2019 Singapore Institute of Management