State of IT risk in Singapore

State ofIT risk in Singapore
by Allan Tan — December 6, 2023
The ISACA Singapore and Frost & Sullivan Cyber Security Survey 2023 warned that 86% of companies in Singapore are identified as being at risk of cybersecurity incidents. This finding underscores the pressing need for businesses to prioritise cybersecurity measures and protect their digital assets.

Frost & Sullivan director and head of the Asia Pacific Cyber Security Practice, Kenny Yeo, says Singapore faces two broad trends that are impacting the state of digital risk. Among respondents to the first, 83% are accelerating cloud adoption over the past 12 months. Further, 87% said they are pursuing a cloud-first strategy or have production projects in the cloud. “Organisations are also going multi-cloud to scale capacity and increase technical capabilities quickly.

But with this push towards cloud, many organisations are still not protecting their cloud adequately,” warned Yeo.

He added that organisations are also facing greater complexity, dealing with digital transformation projects, while maintaining business-as-usual (BAU) and legacy systems. He posits this means new and existing cyber security solutions must work together, with data residing in multiple siloes.

“This, unfortunately, leads to more organisations getting hit with cyber incidents. This is not just an enterprise issue, but also a personal individual challenge as well, as you can see from multiple scams hitting the vulnerable and unaware digital users."

Kenny Yeo
Kenny Yeo
Andrew Lim, managing director for ASEAN at Kyndryl, says Singapore’s strongregulatory environment, advanced infrastructure, and skilled workforce set a high standard.

That said, DPM Heng Swee Keat, speaking at the Singapore International Cyber Week 2023, said the key to fully harnessing technology as a force of good lies in forging partnerships across borders and sectors. This is particularly important as other ASEAN nations seek to enhance their tech utilisation.

The ASEAN Cybersecurity Cooperation Strategy holds the potential to unite the region, as it seeks to foster trust, enhance cyber readiness, and facilitate international cooperation for a safer and more prosperous digital environment.

Impact on enterprise security strategies

Asked how the trend is impacting enterprises’ IT and security strategies, Jenny Tan, president of ISACA Singapore Chapter, says with the high level of cloud adoption, data protection should be one of the key IT and Security Strategies.

She conceded a lack of visibility on this front as an issue going against organisations’ efforts to maintain high degrees of cybersecurity readiness.

“In our recent ISACA SG Survey, it was noted that one of the most challenging efforts is to have senior management buy-in as most still think that the security effort is only at the technical pursuit.”

Jenny Tan
She added that the survey results also showed that most enterprises who adopted cloud solutions think that they have transferred their security risks to the cloud service providers.

“With this survey outcome in mind, we can assume that enterprises may not put in much effort to review their existing security strategies to deal with their shift in IT resource management,” she commented.

In a separate study, Lim described an intriguing paradox: 88% of respondents expressed confidence in their organisation’s preparedness for adverse events, while 92% reported experiencing such events in the last two years.

It is this disconnect, notes Lim, that underscores the importance of enterprises prioritising boardroom discussions on IT risk, enabling top-down organisational alignment and supporting necessary changes to ensure cyber-enabled systems can remain operational during adverse events.

“With this strategic shift, enterprises are seeking to minimise system disruptions and their potential impact on a brand’s productivity, reputation, and financial performance,” said Lim.

Persistent cyber vulnerability of SG enterprises

At the C-Engage Convention , CIOs and security professionals participating as guests’ panellists acknowledged the importance of cybersecurity across organisations, industries, and governments. But the journey towards this level of recognition has not been smooth sailing, nor is it still.

Market analyst firm Canalys forecasts global cybersecurity spending (including enterprise products and services) to reach US$223.8 billion in 2023, with growth in the delivery of cybersecurity services outpacing product shipments.
Source: Canalys 2023
Canalys says persistent heightened threat levels will keep cybersecurity high on the list of investment priorities for organisations.

“But not all planned projects will be signed off, as pressure mounts on budget holders to scrutinise spending and focus only on the most pressing cybersecurity needs to minimise the risk of breaches.”

Tan posits organisations’ vulnerability will continue to persist in the years ahead attributing the key reasons to lack of talents and continuity of talents in an organisation, lack of security prioritisation by the Board and senior management, and high compliance costs in implementing security strategies.

Where vulnerabilities lie

Source: ISACA Singapore and Frost & Sullivan Cyber Security Survey 2023
Reflecting on the 5th annual ISACA Singapore and Frost & Sullivan enterprise security survey, Yeo says unpatched systems, unrelenting phishing email attacks, and third-party supplier compromise as well as data leakages accounted for much of the sources of the attacks that enterprises, governments and consumers faced in 2023.

“Top hygiene factors like vulnerability management and a systematic patching regime are number one, with the most popular vector of attack being phishing emails,” he elaborated.

Kyndryl’s Lim says talks with IT decision-makers and risk and compliance professionals, suggested that the ongoing global IT skills shortage may be a concern, but it doesn’t not top the list. The most frequently cited challenge by respondents was the inability to recover systems and data from encrypted, clean backups when dealing with adverse events.

“We encourage them to consider investing in automating and orchestrating recovery processes, assessing and establishing how best to mitigate human error in restoring from backups, and to test incident response plans repeatedly and often.”

Andrew Lim
Andrew Lim

Accountability and responsibility should cut both ways

At the national level, there is recognition in Singapore that cybersecurity is a collective responsibility. Yeo acknowledges that any IT solution or cyber security tool has vulnerabilities because imperfect humans are involved in its development.

“Too often technology is the primary focus for organisations in their cyber security protection, but training and enabling people is also crucial, along with coming up with policies and processes anticipating a breach as well.”

“Cyber security is something that everyone in the organisation needs to pay attention to, not simply the technical team, but the board of directors, senior management to line staff too,” said Yeo.

Recent Posts