Orient - The Official Magazine of the British Chamber of Commerce Singapore - Issue 67 July 2018 - Page 18 MATTERS OF OPINION: FACING UP TO THE CYBER SECURITY CHALLENGE Cyber security is back in the headlines this month with Singapore’s health system facing a breach of personal data in an attack on the SingHealth system affecting up to 1.5 million users. Ahead of September’s Singapore International Cyber Week, the British Chamber invited member companies to comment on the topic.
The need for government, policy makers, companies and individuals to consider cyber security in their strategic planning is steadily increasing. During September, Singapore will be hosting the Singapore International Cyber Week (SICW) to bring together industry experts and stakeholders. What are the key themes and recommendations that you believe need be addressed?
Reuben Sinclair Cyber Security Representative Singapore & SE Asia, Department for International Trade (DIT) Singapore
As Singapore seeks to increase its resilience to cyber attacks, recent news indicates that even the most advanced and well protected systems can be vulnerable. The SingHealth attack represented the most serious personal data breach in Singapore’s history. In the UK there is still high awareness of the impact of the NHS WannaCry incident last year.
As technology rapidly evolves, the challenge of protecting technology and information increases with threats becoming increasingly complex. This means that the cyber security strategies of governments, public sector organisations and businesses need to evolve to keep pace. We are seeing:
• More frequent and more sophisticated attacks • An increasing reliance on technology meaning higher impact of business interruptions – what was an annoyance twenty years ago can be catastrophic today • Substantial time and cost to resolve incidents – an average of 168 days to identify a data breach at an average cost of £2.48 million (SGD 4.5m). • Cyber security costs escalating, and budgets being affected by an increasing skills shortage What is the UK doing on the cyber security challenge? Significant security benefits are being derived from emergent technologies such as artificial intelligence, machine learning and quantum cryptography. Strong examples of this can be found at CSIT in Belfast, the UK’s Innovation and Knowledge Centre for Cyber Security, where research projects include; Device Authentication and IOT, Secure Ubiquitous Networking, Quantum Cryptography, Supply Chain Integrity and Operational Technology (OT) and Industrial Control Systems.
Additionally, the UK has opened two Cyber Innovation Centres in Cheltenham and London. These centres support companies developing the next generation of cyber technologies. The National Cyber Security Centre (NCSC) opened in London in February 2017 and works with both public and private sectors in building cyber security skills, developing innovative defences and helping to manage cyber incidents.
Together with the huge number of cyber innovators and start-ups and the assurance of services available via NCSC, this makes the UK a very compelling cyber security partner. With the adoption of GDPR we are going further to help organisations and citizens protect their information.
The Challenge extends beyond Technology But whilst technology can assist us, organisations are realising that this is not simply a technical problem. Most cyber risks are not caused by technology - they are caused by the way that humans interact with technology (in the SingHealth attack, early reports suggest that attackers initially gained accessed through the breach of a front-end workstation). So we recognise that for a fuller cyber defence we must look beyond technical solutions. Here are some of the key behaviours that will help us succeed:
• Educate staff, customers and citizens to be more aware of cyber threats • Focus on improving cyber hygiene (good practices and security procedures that keep systems and date safe) – 80% of incidents are caused by poor cyber hygiene • Create inventories of our systems and data - we cannot protect what we don’t fully understand • Separate critical or sensitive internal systems from public facing systems such as internet and email (or deploy solutions that render these safer from attacks such as phishing and other malware) • Accept that we will probably all experience a cyber security incident at some point – focus on building effective response capabilities and take advice from industry experts; • Consider the competitive advantages arising from cyber resilience • Look outwards at the threat landscape as well as inwards to our defences, consider security threat