Most Singapore firms experienced data breach, worried over 5G deployments

A majority 96% of businesses in Singapore admit to experiencing a data breach over the past year, while 98% have expressed security concerns about digital transformation initiatives and 5G deployments. Amongst those that have such worries, 55% believe these will facilitate more “destructive” cybercrime activities while 54% say they will create more opportunities for cyber attacks. 

Another 34% believed 5G and digital transformation would lead to a lack of visibility over their organisation’s network, revealed a survey commissioned by security vendor Carbon Black. Conducted by research firm Opinion Matters, the study polled more than 250 chief information and security officers in Singapore, across various verticals including financial, healthcare, government, and retail. 

According to the survey, 93% of local businesses saw an increase in cyber attacks in the past 12 months and 92% described such incidents to be more sophisticated. 

Some 93% of respondents also noted an increase in attack frequency, with most of these in the government and food and beverage sectors. In addition, 33% of manufacturing and engineering companies as well as 54% of healthcare providers reported an increase of between 25% and 50% over the past year. Another 56% of financial services institutions reported a 51% to 100% increase in the frequency of cyber attacks. 

Just below half, 42% said they experienced a breach once, while 34% reported at least five security breaches. Fifteen respondents had been breached at least 10 times. 

However, the average number of breaches reported by Singapore respondents dropped to 3.82, compared to 3.98 clocked in Carbon Black’s January 2019 report. Government and local authority agencies, though, saw a high average number of breaches at 7.06 per year. 

Amongst those that experienced a security breach, 48% of Singapore companies admitted incurring financial damage but 9% declined to describe the financial impact on their company. Another 83% acknowledged there was damage to their brand reputation after reporting a breach, including 60% who described they suffered “some to severe” negative effects following a breach. This figure was a higher 75% amongst government organisations as well as 67% of engineering and manufacturing companies. 

The study identified ransomware attacks as the most successful, accounting for 29% of breaches in Singapore, followed by phishing and web application attacks, which contributed 19% and 9% of successful breaches, respectively.

Despite the high volume of cyber attacks, 84.5% of organisations here expressed more confidence in their ability to thwart such attempts now than they were a year ago. Some 95% pointed to threat hunting as a reason for their improved defences, including 40.5% that described a “significant protective effect”. 

Almost all, at 99%, Singapore companies planned to increase their security budgets over the next year. 

However, they would find it challenging to recruit and train security specialists, with 67% of respondents describing such efforts as tougher compared to a year ago. Recruitment, in particular, was found to be a lot more difficult by 44% of financial services companies, while 19% of government organisations agreed. 

Carbon Black’s head of security strategy Rick McElroy said: “It appears businesses are adjusting to the ‘new normal’ of sustained and sophisticated cyberattacks. Greater awareness of external threats and compliance risks have also prompted businesses to become more proactive about managing cyber risks as they witness the financial and reputational impacts that breaches entail.”

Pointing to the anxiety around mission critical initiatives such as 5G deployments, McElroy added: “A larger attack surface and greater dependency on digital infrastructure means the risks of malicious attack are amplified, and businesses are concerned this will mean more opportunities for cybercrime and the development of more effective and destructive methods.

“There is concern these emerging threats will require bigger security teams drawn from a talent pool that is small, and subject to intense competition, as more organisations compete for limited resources,” he said, noting that this would push businesses to adopt tools such as artificial intelligence and automation to improve the visibility of their networks. 

Need to manage security risks in IT supply chains 

In a separate statement Tuesday, the Monetary Authority of Singapore (MAS) urged the need for financial institutions to implement “effective multi-layered” defence to combat growing risks in IT supply chains, which were increasingly targeted by cybercriminals. Such measures should include source code reviews, system integrity checks, and network anomaly detection, the industry regulator said as part of findings from its Cyber Security Advisory Panel. Established in 2017, the group advises MAS on strategies to ensure robust cyber resilience amongst local financial institutions.

The report added that these businesses should have “good situational awareness” of the threat landscape and urged continued collaboration between MAS and the industry to bolster cyber monitoring and surveillance capabilities within the sector. 

The panel said: “Poor risk culture was often cited as a contributing factor during cyber incidents…the board and senior management of financial institutions should set clear expectations for cyber risk culture and monitor and assess how well the desired risk management culture is operating across the organisation.”

RELATED COVERAGE

Singapore sees drop in common security threats, but foresees more data breaches

Cyber Security Agency says the number of common cyber threats, including website defacements and phishing, dipped in Singapore last year, but expects to see more frequent data breaches and disruptive attacks against the cloud in the near future.

Singapore updates guidelines on data breach notification and accountability

Expected to be included as part of the upcoming amendment to the country’s data protection law, the new guidelines state businesses must take no more than 30 days to investigate a suspected breach and notify authorities 72 hours after completing their assessment of the breach.

SingHealth breach review recommends remedies that should already be basic security policies

The review committee also finds IT staff to be lacking in cybersecurity awareness and resources and SingHealth’s network misconfigured with security vulnerabilities, which helped hackers succeed in breaching its systems.

Key takeaways from Singapore healthcare data breach

No system is infallible and cybersecurity breaches are inevitable, but Singapore needs to do better in mitigating the risks and following through on its pledge to safeguard citizen data.

Singapore Airlines data breach affects 285 accounts, exposes travel details

Singapore carrier points to “a software bug” as the cause of the breach that occurred when changes were made to its website, compromising personal data of 285 customers including seven whose passport details were exposed.

READ MORE HERE