SINGAPORE: In most offices across the island, it is a common sight to see employees not taking fire drills as seriously as they should, with some even lamenting that these are a waste of time.
This, despite the fact that fires are a very real threat and could have disastrous consequences in high-rise office buildings.
The same could be said for cybersecurity and all the training and policies that companies try to put in place, said Mr Erman Tan, president of the Singapore Human Resources Institute (SHRI), who used the analogy to explain the challenges that firms face in getting their staff to take cybersecurity seriously.
“People will think: 'Why do we have fire drills when we never encounter fires? It's the same for cybersecurity. People will always feel it will never happen to them, or it will never happen to their company."
While Singapore has one of the best infrastructure, technologies and legislation in place to deal with cyberthreats, it is no coincidence that the human factor — long seen as the weakest link in the chain, or the first line of defence — had contributed to some of the recent data breaches which made headlines here.
In June last year, Singapore suffered its worst-ever cyberattack where hackers broke into SingHealth's IT systems to steal the data of 1.5 million patients and records of the outpatient medication given to Prime Minister Lee Hsien Loong.
For example, an IHiS employee was singled out for misunderstanding what constituted a security incident and failed to comply with incident reporting processes. A senior manager of IHiS' security management department was also reluctant to raise the alarm to his superiors despite knowing about suspicious logins to the patient database, for fear of working "non-stop" to "deliver answers" to top management.
In another incident, the medical records of 14,200 HIV-positive people were illegally disclosed online by deported American fraudster Mikhy Farrera Brochez, whose partner Ler Teck Siang used to work at the ministry.
Ler, who was able to access the HIV registry as part of his work, was believed to have downloaded the information into a thumb drive, and later failed to retain possession of it.
Recognising the need for individuals to play their part in response to the growing cyberthreats, a new “digital defence” pillar was added to Singapore’s Total Defence framework on Feb 15.
As Singapore shores up its cyberdefences, all the best hardware and software that money can buy will not be able to fend off cyberattacks if the “peopleware” is lacking, experts pointed out.
Indeed, the latest public awareness survey by the Cyber Security Agency (CSA), released last year, indicated that many Singaporeans were still complacent when it came to cybersecurity issues.
Of the 2,035 respondents polled, about one-third stored their passwords in their computers or wrote them down, or used the same password for work and personal accounts.
The survey also revealed a slight dip in the respondents’ levels of concern towards cyberthreats, while over half of the respondents felt that cyberattacks such as malware and online scams would not happen to them.
Although there are many initiatives at the national level to raise cybersecurity awareness among the public, their effectiveness remains in question, said Dr Steven Wong, president of the Association of Information Security Professionals.
“While awareness of cybersecurity may have improved, such as the need to set a strong password, in reality … people may not be practising it," he said.
According to online security software vendor Norton, 978 million people in 20 countries were affected by cybercrimes in 2017. In Singapore, 5,430 cybercrime cases were reported in the same year — or 16.6 per cent of total crimes — while the CSA detected 23,420 phishing web addresses with a Singapore link.
Other forms of cyberattacks, such as website defacement and malware infections, were also on the rise.
Governments and private organisations worldwide are beefing up both their hardware and software to deal with the transnational threat, while changes to policies, internal guidelines, and legislation have been introduced.
A Smart Nation and Digital Government spokesperson from the Prime Minister’s Office said that the Government continuously reviews the architecture and cybersecurity of its systems in response to emerging threats and will also exploit new tools to deal with them.
“We adopt a ‘defence-in-depth’ approach so that an attacker would be impeded by multiple layers of cyberdefences from the perimeter to within our systems,” the spokesperson said.
Additional measures have also been added recently to better monitor the databases of critical government systems and detect breaches faster, the spokesperson added.
Experts stressed that while Singapore has one of the best infrastructure, technologies and legislation in place to counter the scourge of cyberattacks, all employees — especially the rank-and-file — have a vital role to play.
“The public and private sectors are heavily invested in the staff handling cybersecurity, information technology (IT), and technical matters by updating their knowledge. However, it’s the normal users who are the weakest link,” said digital forensics specialist Ali Fazeli.
“You can have the best IT system, best IT talent, but it’s really difficult to protect the system and organisation against cyberthreats,” the founder of cybersecurity firm Infinity Forensics added.
In the public sector, for example, there are some 145,000 officers within the Singapore Public Service, who are hired across 16 ministries and over 60 statutory boards.
All public servants will undergo cybersecurity training, the Smart Nation and Digital Government Office said.
“More exercises will be conducted to sharpen our officers’ response to a cyber incident. Regular audits will ensure that gaps are discovered and addressed,” its spokesperson said.
Dr Ori Sasson, director of cyberintelligence firm S2T, said that the challenge for the Singapore Government is the sheer volume of data and the number of systems and employees under its charge. He said:
Attackers always have the benefit of attacking the weakest link, whereas the defenders have to defend everything they have, which is an asymmetric scenario.
Employees are especially vulnerable as the majority of cyberattacks begin with one simple phishing email, said Mr Phoram Mehta, head of information security at PayPal Asia Pacific.
For example, phishing, or fake, emails allegedly provided North Korean cyberattackers with a conduit to attack Sony Pictures and the central bank of Bangladesh in 2014. In the latter case, nearly US$81 million (S$109 million) was stolen in the cyberattacks.
Cyberattackers are also using the same tools used by cybersecurity experts, such as analytics and automation, to select their victims, Mr Mehta said.
“If you have over a hundred thousand different places to attack, which will you go after, PayPal or a food establishment?”
However, with proper training and the right culture in place, employees can make a difference in determining whether an organisation is cybersecure or vulnerable to cyberattacks.
“We don't need to teach (rank-and-file employees) the technical things, but we need to tell them how they can misuse their data, and what are the consequences and legal implications,” said Mr Fazeli of Infinity Forensics. “It can be basic training and doesn't need to be very deep.”
A ‘LAISSEZ-FAIRE ATTITUDE’
Most people have a nonchalant attitude when it comes to cybersecurity, noted Mr Tin Aung Win, vice-president of the Singapore Computer Society infocomm security chapter.
Mr Tin, who is also a lecturer at Nanyang Polytechnic’s School of Information Technology, said: “I think it is natural for the general public with no prior knowledge or experience of cybersecurity matters to have this attitude.”
“Even after a cyberattack such as the SingHealth incident, people may slowly go back to a laissez-faire mode after the incident is over,” he added.
Driving a mindset change is difficult as the results are not tangible, said SHRI’s Mr Tan. He said:
Cybersecurity changes are generally preventive measures so you don’t see the results, and it may cause complacency.
In a study by technology information website Comparitech this year, Singapore was ranked the 10th best country globally in cybersecurity, alongside Japan, France, the United States, Canada and the United Kingdom.
However, Singapore's ranking was weighed down by a high proportion of mobiles infected with malware, indicating a more lax attitude towards cybersecurity, noted Mr Kevin Fitzgerald, regional director for Asia at cloud-based accounting software platform Xero.
“Efforts to educate businesses on cybersecurity issues need to be continued and deepened as cybersecurity risk has often been deemed an IT issue, not a business risk that needs to be tackled with urgency,” he said.
READ: Stop playing the blame game in a cybersecurity breach, a commentary
Two professionals in the finance industry, who declined to be named, said while they had to go through e-learning courses and tests on cybersecurity on their companies’ intranet systems, they were not conducted under close supervision.
Local design consultancy Space Matrix’s close brush with a cyberscam showed how alert employees could make a difference. In April last year, two emails were sent to its chief financial officer and finance controller, purportedly from their chief executive officer (CEO), asking for S$200,000 to be transferred to an unknown bank account.
“The interesting part was that the emails were composed in a manner very similar to how I write emails,” Mr Arsh Chaudhry, CEO of Space Matrix said.
Fortunately, the scam was detected due to the vigilance of his staff, who spotted the fictitious email address in both instances.
Mr Tan noted that cybersecurity solutions and IT talent are expensive. Thus, companies which are already grappling with a manpower crunch, especially small and medium-sized enterprises (SMEs), may put cybersecurity plans on the backburner.
“For SMEs, cybersecurity tends to take a backseat compared to revenue growth and productivity management,” Mr Pascal Henry, CEO of HREasily, a payroll software start-up, said.
Unfortunately, many private organisations will never discover that they have been compromised, and many will choose not to publicly disclose their breaches, said Mr Eric Hoh, Asia-Pacific president of cybersecurity company FireEye.
LEGISLATION NOT THE PANACEA
As the public and private sectors amass vast troves of personal information for Internet of Things devices, artificial intelligence, and analytics, the Government has introduced legislation governing cybersecurity, privacy and the misuse of such data, such as the Personal Data Protection Act (PDPA), the Cybersecurity Act, and the Computer Misuse Act.
While most parts of the PDPA do not apply to the Government, public agencies are governed by the Public Sector (Governance) Act (PSGA).
However, the PSGA does not grant the same rights to individuals under the PDPA, unlike Europe’s General Data Protection Regulation, which is considered the “gold standard” for data protection, said Mr Koh Chia Ling, managing director of law practice Osborne Clarke.
“The Singapore Government is not obliged, under either the PSGA or PDPA, to disclose to an individual how his personal data is being used or to whom it is being disclosed to,” Mr Koh pointed out.
“The inability of individuals to make such inquiries may restrict the level of constructive criticism that could be levied against the Government about its data handling processes.”
Experts and lawyers agreed that while Singapore is leading in cybersecurity laws, legislation is not the panacea for cybercrimes.
Nevertheless, building on the PDPA, laws should be fine-tuned to allow both public and private bodies to collect sensitive personal data only when absolutely necessary and retain it for the shortest period of time, said Mr Koh.
Even then, isolated and “non-personal” data can be easily pieced together to create a fuller picture, Dr Wong said.
For example, some organisations only store the last four alphanumeric characters of Singaporeans’ identity card for validation purposes. However, it is possible to mine for a person’s date of birth through social media and the web.
“If an individual tweets that he has just celebrated his 40th birthday in 2019, it is easy to guess that the year of birth is 1979,” Dr Wong said. “Thus, a hacker can piece together ‘S79_ _345G’ and just have to figure out the remaining two characters."
Mr Samuel Yuen, managing director of Yuen Law, said: “Before we legislate businesses to the death, we ought to consider if there is, in fact, a sustained and viable culture adopting the best practices for cybersecurity.”
Collaboration between governments, educational institutions, professional bodies and enterprises is needed, Dr Wong said, due to the “borderless” nature and evolving sophistication of cybercrimes.
He added: "Compliance is like mandating that all houses need to have a door. While having a door will make a house safer, it does not mean that the house is really safe.
“It is just the basic minimum protection and a lot more can be done to better secure the house.”
Mr Bryan Tan from law firm Pinsent Masons said: “We need to build our individual DNA, whether you are in government or not, on how to properly protect data.”
He added: “Relying on laws to solve cybersecurity (problems) is like trying to be a better cook by buying a new stove. It helps but is not the cure-all.”
WHAT INDIVIDUALS, COMPANIES CAN DO
Starting young, students are taught various aspects of cybersecurity as part of the Ministry of Education’s (MOE) cyberwellness education in schools.
MOE also works with parents and relevant agencies to monitor and review its cyberwellness syllabus regularly as the cybersecurity landscape evolves, said Madam Choy Wai Yin, Director of Guidance Branch, Student Development Curriculum Division at the ministry.
At the workplace, regular training sessions are also standard practice at companies such as Rackspace, Qlik, Carousell, PayPal and Xero.
For example, Xero employees, including the non-technical staff, are required to complete security modules on password security and phishing scams regularly.
The company also conducts internal checks and external audits as part of the information security management system ISO 27001 certification, Xero’s Mr Fitzgerald said.
To ensure the effectiveness of such training and briefings, Dr Wong suggested that companies conduct periodic internal campaigns where internal “hackers” try to test their employees’ cybersecurity awareness.
“A reward scheme can then be used for the survivors of such ‘attacks’ to create more awareness of good cybersecurity practices in the organisation,” he said.
An “assumed breached” mentality is also crucial, said Mr Andrew Mahony, regional director for commercial risk solutions at Aon's financial services and professions group.
“Organisations that refuse to acknowledge, or consider that they are immune to, cybersecurity risks are less likely to have an incident response plan in place," said Mr Mahony.
While it may sound defeatist to recognise that breaches are inevitable, FireEye’s Mr Hoh said that rapid detection and containment can prevent damage and reduce the impact on businesses.
According to a survey on cybersecurity perceptions and practices conducted by LogRhythm last year, less than half of the 751 companies polled worldwide could detect a major security incident within an hour. This dropped to around 30 per cent when it came to containing major cybersecurity threats within an hour.
Adopting machine learning technologies such as artificial intelligence and automation will help, suggested Mr John Lim, manager at Nanyang Polytechnic’s School of Information Technology.
Companies such as PayPal and Carousell currently adopt artificial intelligence and analytics to combat fraud at scale. PayPal, which processed a payment volume of US$578 billion last year, or US$17,022 worth of transactions per second on average, had a fraud rate of only 0.28 per cent, while Carousell's fraud rate fell by 44 per cent after implementing these technologies, coupled with new HR policies.
“PayPal is moving away from detective and reactive measures to be more predictive and preventive, allowing us to detect and correlate anything suspicious, and then stop it before it even becomes an attack,” Mr Mehta of PayPal said.
READ: Our convenience is coming at a (security) cost, a commentary
For SMEs, migrating their infrastructure to a major cloud-based service provider will allow them to tap the latter’s cyberdefences, said Mr Lucas Ngoo, Carousell's co-founder and chief technology officer.
The Government also has the SMEs Go Digital programme offering advice and subsidies for pre-approved cybersecurity solutions.
MINIMISING DATA COLLECTION: ‘CAN’T LOSE WHAT YOU DON’T HAVE’
Web security expert Troy Hunt, who created the “Have I been pwned?” data breach search website said companies should also consider segregating duties to prevent employees from having carte blanche to access data.
“When collecting data, do you really need the person’s name, their identity card numbers or their addresses?” Mr Hunt said.
Echoing what Mr Koh said about minimising data collection, Mr Hunt added: “This speaks to the very important principle of ‘you cannot lose what you do not have’. We just need to figure out what is the right amount (of data) to justify the benefits (of efficiency and convenience).”
At software company Qlik, confidential information is compartmentalised so that each employee can only access information that is relevant to his or her job scope, said the company’s head of legal, Asia-Pacific, Mr Daniel Sun.
SHRI’s Mr Tan reiterated that just like a terror attack in Singapore is considered to be a matter of “when” and not “if”, cyberattacks are also inevitable.
To develop a culture of cybersecurity awareness, companies need to tweak their human resources (HR) and IT policies, such as basic training during the onboarding and orientation phase for new employees, and regular training and briefings for their existing staff.
He added: “Business leaders need to show their commitment to cybersecurity, too. It cannot be led just by the IT or HR departments, which are usually bogged down by other projects and the daily grind.”
A change of mindset is needed, reiterated Ms Joanne Wong, senior regional director for Asia-Pacific at security intelligence company LogRhythm.
“Security is not the responsibility of one department but a collective responsibility across all departments. More needs to be done in creating such awareness,” she said.
Agreeing, Mr Tin of the Singapore Computer Society stressed that organisations should make a conscious and sustained investment in education, training and drills, with those at management level given visible roles related to cybersecurity.
“I still do not see most organisations take cybersecurity as a key business factor, (it’s) just as an audit checklist,” said Mr Tin.