SINGAPORE: More of our personal data and financial information are moving online as Singapore moves forward to a digital-first, Smart Nation environment. Yet, recent cyberattacks here have planted seeds of doubts in some people's minds about the ability of institutions to safeguard such data and, more tangibly, money.
These recent cyberattacks included Singapore’s most serious personal data breach affecting 1.5 million citizens including Prime Minister Lee Hsien Loong, and fraudulent iTunes transactions leaving dozens of Apple customers hundreds if not thousands of dollars lighter in their wallets.
Meanwhile, the Securities Investors Association (Singapore) this month realised it was a victim of a data breach that saw about 70,000 members’ personal particulars illegally accessed and copied in 2013 - about five years after the fact.
It's a threat that has been looming for years. To better understand what businesses were dealing with, Nanyang Technological University (NTU) launched its Cyber Risk Management (CyRIM) project in May 2016. It was supported by the Monetary Authority of Singapore, Cyber Security Agency of Singapore and five partners from the insurance industry.
The project aims to use the data generated to understand how the insurance industry here is able to offer cyber insurance products that could help underwrite the risks involved, the varsity said then.
And the man leading the CyRIM project, Professor Shaun Wang, is not surprised that the number of cyberattacks is growing.
Channel NewsAsia spoke to the academic to find out more on his thoughts about cybersecurity, risk management and why it is prudent - and not at all counter-intuitive - for people to still keep some cold, hard cash stashed away for a rainy day.
Q: Why do you think there is a rise in cyberattacks today?
Prof Wang: We used to have people rob banks. Why? Because that’s where the money is. Nowadays, people don’t actually have to go and physically rob a bank. They can do that online and there are lots of people out there - we don’t see them - that are very active (in doing so).
In fact, if someone physically robs a bank, it is pretty much captured through video, CCTV and all that. Online stealing, or cyberattack, or hacking - these leave very little trace. And it’s cross-border, making such cases hard to pin down.
And because of the very low enforcement rates in catching these hackers, there’s a mushrooming, flourishing underground market … especially in parts of the world where people don’t have other means of making a living.
Q. Amid that backdrop, will Singapore banks get robbed the way the Bangladesh central bank did in 2016?
Prof Wang: The Bangladesh bank case, where hackers got away with US$81 million, actually spoke very loudly that cybersecurity is a very global issue and is also cross-border (in nature).
Singapore, like other countries, is not immune from such attacks.
That said, the financial sector as a whole has learnt from such incidents. Going back to the Bangladesh bank heist, the money was subsequently transferred to the casinos in Philippines and some money was recovered. Big fines were also imposed on Philippines banks involved in the hack.
This shows the financial sector has learnt from its mistakes. People don’t have to panic because the system - especially for money transfers - is now more resilient and there is a waiting period before money is released on request.
Singaporean consumers, in particular, don’t have to worry about their bank accounts getting hacked and emptied as there are layers of protection to prevent such attempts.
The banking system here is very strong, for instance, in terms of multi-factor authentication, and that is actually very effective to reduce risk because it’s not just having a password but you also have to have your phone with you.
Q: Are you sure we don’t have to turn to a very low-tech life hack: Hiding our money in Milo tins?
Prof Wang: No. There’s no need to go to that extreme.
However, I would recommend every household to have some cash on hand. Because one scenario is not so much the hacking of bank accounts and stealing of money, but it’s business disruption. That’s a more realistic scenario.
If you have a major disruption - this might not be in Singapore but from other places - and in order to avoid confusion and panicking, people having money at hand will make life a lot easier.
One way of reducing risk is to build redundancy. Redundancy means yes, we’re moving into digital payments, but in order to have redundancy, I want to make sure there’s a hard copy of my bank account stored in a safe, so that I don’t forget them. And also to have some cash, so if there are a few days of business disruption, I still have money to buy bread.
That would actually be helpful for the country, as it would mean avoiding a lot of unnecessary stress.
Q: Much stock has been put into teaching our young to use the Internet safely and, in doing so, increase the overall awareness of online risks. Do you think enough is being done?
Prof Wang: I have to say that Singapore is quite advanced in terms of equipping young people in cybersecurity skills.
One thing to note, though: Singaporeans are very responsible. Elsewhere, not so much. People can go and be a hacker themselves, just to try. Here, it’s not easy to do that.
Israel, for example, is very strong in cybersecurity, and the people there think there’s nothing wrong to explore things (like their system networks) - that’s part of national defence.
Q: Would teaching young children how to hack create a more resilient people in today’s digital world then?
Prof Wang: From a business point of view, and from the effectiveness of education stance, that’s very good. I think we should do that. But I think it should be supervised.
For young kids, the best way of learning is to learn by doing.
However, we want to make sure that the kids, once they learn a skill, that they will actually do responsible things, rather than try and move to the (dark) side. So, yes, they need to be 100 per cent supervised, but (hacking) is an essential skill and, in a global environment, one that would give them a competitive edge.
Singapore is quite proactive in terms of supporting education programmes, but it’s also about culture: How do we empower students to be more creative?
There’s no such thing as here are the things (to note for cybersecurity), and once you know it, you know how to defend.
Cybersecurity is a game between defender and attacker, and the best defenders, they have to be creative. There isn’t a kind of guidebook that says if you do these things, then you’re all set. The best talents in cybersecurity are those people who are very creative and explore new things.
It’s like police and thief in the digital age - the best ones know how to think like criminals.