- Almost all (91%) of the surveyed Singapore companies are in the early stages of security preparedness
- More than half (54 percent) of the Singaporean respondents do not have a Security Operations Centre to monitor their networks and security devices for suspicious traffic
- Almost half (49 percent) have not conducted any form of IT security awareness exercise
Singapore – 4 July
– While a majority of the surveyed companies in Singapore believe that
cyber security is important and seek guidance from IT security experts, almost
all (91 percent) of them are in the early stages of security preparedness,
according to a survey jointly conducted by Quann,
a leading Managed Security Services Provider in Asia Pacific, and research firm
IDC. The survey identified significant gaps in security device
deployment, cyber awareness, resources and preparedness for attacks, making
these companies vulnerable to cyber attacks.
The inaugural Quann
IT Security End User Study 2017, covering 150 senior IT professionals from
medium-to-large companies based in Singapore, Hong Kong and Malaysia, aims to
understand the cyber security strategies of these organisations as well as
their preparedness and vulnerability to cyber attacks.
Mr. Foo Siang-tse,
Managing Director, Quann,
said: “The findings are worrying but they don’t come as a surprise. Many
companies are simply not investing enough in IT security, despite the obvious
threats. The lack of investment in security infrastructure, professional
services and employee training makes them extremely vulnerable. The recent
WannaCry and Petya ransomware incidents are just the tip of the iceberg.
Companies need to recognise that having a comprehensive security plan,
comprising detection systems, robust processes and equipped individuals, is
critical in enabling them to detect threats early and mitigate their impact.”
Lack of adequate
security features to monitor and detect cyber attacks
While basic IT
security features such as firewall and antivirus are widely deployed by the Singapore
companies, more than half (56 percent) of them do not have Security
Intelligence and Event Management Systems to correlate and raise alerts for any
anomalies in a timely manner.
Also, 54 percent of
the Singaporean respondents do not have a Security Operations Center (SOC)
or a dedicated team to proactively monitor, analyse and respond to cyber
security incidents that are flagged by the systems.
The lack of proper
monitoring systems and processes means that anomalies picked up by security
devices may go unattended and malware may reside and cause damage within
corporate networks for long periods.
“Companies may
consider working with an experienced cyber security partner to design, build
and manage a 24/7 on premise Security Operations Center that can quickly detect
threats. Another option is to engage a Managed Security Services Provider
(MSSP) that can provide a comprehensive suite of services, including 24/7
monitoring, regular vulnerability assessment and penetration testing and
incident response and forensics,” Mr. Foo added.
Ill-prepared in the
event of cyber attacks
The survey also finds
that 40 percent of Singaporean respondents either do not have incident response
plans to protect the companies’ networks and critical data in the event of a
cyber attack. Only one-third (33 percent) of them practise their incident
response plans.
Cyber criminals
usually target non-IT employees who are seen as the weakest link in cyber
security. However, only 33 percent of the Singapore companies require all
members of the organisation—from the CEO down—to take part in IT security
awareness training.
Absence of dedicated
security manpower
Many Singapore
companies (75 percent) do not have a dedicated IT security budget and planning
process. Most Singaporean respondents said that they have a security lead but
he/she is not a dedicated resource and has other responsibilities at the same
time. They also do not have round-the-clock security support, with 32
percent having security support only during work hours, and 25 percent only
during the work week.
With cyber attacks
evolving at an unprecedented speed, there is a need for organisations to invest
in security resources, increase the frequency and expand the reach of IT
security training to keep pace with the cyber threats.
Cyber security not on
the Board’s agenda
The survey also
reveals a low level of engagement from senior leadership in formulating IT
security strategies. A majority (91 percent) of Singaporean respondents
consult security executives, but only 16 percent of them will invite the
executives to Board meetings and involve them in risk assessment.
Mr. Simon Piff, Vice
President of IDC Asia/Pacific’s IT Security Practice, said: “Not all C-Suites
in Asia are fully conversant with the fundamentals of a robust cyber security
strategy and the appropriate investments. Cyber security investments are akin
to military spending – we do it in the hope that we would never have to use the
tools. They need to understand that this is not a business ROI with immediate,
visible returns. However, the consequences of not taking a proactive approach
now could lead to legal disputes, customer dissatisfaction, and even loss of
jobs and careers at all levels in the organisation.”
IDC IT Security Index
Assessment
IDC and Quann assessed
the surveyed companies’ level of preparedness to cyber attacks and categorised
them into four stages, with Basic Defence being the least mature. The
stages of the index are based on IDC’s understanding of the range of organisational
maturity globally, and are ranked against a globally established methodology.
For each stage, the
IDC IT Security Index addresses how capabilities across the five lenses — risk
and governance, cyber security awareness, technology and architecture, resourcing,
incident response and remediation — should change to foster the security
maturity needed to compete in the new era of digital transformation.
The key
characteristics of the four maturity stages are:
Stage 1 – Basic
Defence
IT security is perceived
as an ancillary function and investments are restricted to the bare minimum.
Compliance and governance distract from the day-to-day running of the business.
There is limited capability to defend from anything but the most basic form of
attack. No crisis response planning has been put in place.
Stage 2 – Tactical
Knowledge
There is a minimal
strategy for IT security and key technological solutions put in place. Whilst
IT security is something that the IT team considers as important, the rest of
the business consider it an issue only for the IT department. Senior management
is lacking in engagement and understanding of critical systems and data.
Stage 3 – Strategic
Intent
IT security is
understood to be a concern for both the business as well as IT, with a
dedicated lead. There is a clear delineation of security roles, and a
Governance, Risk and Compliance (GRC) framework in place. While outsourcing is
a consideration, it is kept minimal, and most technology and architecture are
done in-house.
Stage 4 – Advanced
Execution
A CISO is designated
in the organisation, with clearly defined reporting lines to the CEO. There are
internal and external applications of IT security policies, and a well-informed
workforce that understands the issues. A clear response strategy is in place
and fully documented.