While the majority of organizations in Singapore believe that cyber security is important and seek guidance from IT security experts, almost all (91%) of them are still at the early stages of security preparedness, according to a survey conducted by Quann and IDC. The survey identified significant gaps in security device deployment, cyber awareness, resources and preparedness for attacks, making these organizations vulnerable to cyber attacks.
Mr. Foo Siang-tse, Managing Director at Quann, said: “The findings are worrying but they don’t come as a surprise. Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals are critical in enabling them to detect threats early and mitigate their impact.”
The Quann IT Security End User Study 2017 found that, while basic IT security features such as firewalls and antivirus are widely deployed by Singapore organizations, more than half (56%) of them do not have Security Intelligence and Event Management Systems to correlate and raise alerts for any anomalies in a timely manner. 54% do not have a Security Operations Centre (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents that are flagged by the systems. The lack of proper monitoring systems and processes means that anomalies picked up by security devices could go unattended and malware may reside and cause damage within corporate networks for long periods.
The survey also found that 40% of Singaporean respondents either do not have incident response plans to protect their organization’s networks and critical data in the event of a cyber attack. Only one-third (33%) of them exercise their incident response plans.
Cyber criminals usually target non-IT employees who are seen as the weakest link in cyber security. However, only 33% of the Singapore organizations require all employees from the CEO down to take part in IT security awareness training.
Many organizations (75%) do not have a dedicated IT security budget and planning process. Most respondents said that they have a security lead but they are not a dedicated resource and have other responsibilities at the same time. They also do not have round-the-clock security support, with 32% having security support only during work hours, and 25% only during the work week.
Cyber security is also a major concern for business continuity professionals, with cyber attacks and data breaches featuring as the top two threats yet again in the Business Continuity institute's latest Horizon Scan Report. 88% and 81%, respectively, of respondents to a global survey expressed concern about the potential for a disruption caused by one of these events.
With cyber attacks evolving at an unprecedented speed, there is a need for organizations to invest in security resources, increase the frequency and expand the reach of IT security training to keep pace with the cyber threats.
The survey also reveals a low level of engagement from senior leadership in formulating IT security strategies. The majority (91%) of respondents consult security executives, but only 16% of them will invite the executives to Board meetings and involve them in risk assessment.
Mr. Simon Piff, Vice President of IDC Asia/Pacific’s IT Security Practice, said: “Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organization.”