As we move into the digital era, cyber security is becoming increasingly important to companies - especially as more are falling prey to cyber attacks.
However, a recent survey by Quann and IDC found that almost all companies in Singapore (91%) are still in the early stages of security preparedness.
Surveying 150 senior IT professionals from medium-to-large companies based in Singapore, Hong Kong and Malaysia, the report revealed that Singaporean companies are ill-prepared in the event of cyber attacks - 40% of Singaporean respondents lack incident response plans to protect the companies’ networks and critical data in the event of a cyber attack; and only a third (33%) practise their incident response plans.
Unsurprisingly, cyber criminals usually target non-IT employees who are seen as the weakest link in cyber security. However, only 33% of the Singapore companies require all members of the organisation—from the CEO down—to take part in IT security awareness training.
At the same time, only three quarters of Singapore companies (75%) do not have a dedicated IT security budget and planning process. While most companies do have a security lead, he/she is not a dedicated resource and has other responsibilities at the same time. Companies also lack round-the-clock security support - 32% have security support only during work hours, and 25% only during the work week.
The survey also revealed a low level of engagement from senior leadership in formulating IT security strategies. A majority (91%) of Singaporean respondents consult security executives, but only 16% of them will invite the executives to board meetings and involve them in risk assessment.
Simon Piff, vice president of IDC Asia/Pacific’s IT security practice, said: "Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools.
"They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation."
Additionally, the survey revealed that companies still lack adequate security features to monitor and detect cyber attacks.
While basic IT security features such as firewall and antivirus are widely deployed by the Singapore companies, more than half (56%) of them do not have security intelligence and event management systems to correlate and raise alerts for any anomalies in a timely manner.
Also, 54% of Singaporean respondents do not have a security operations center (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents that are flagged by the systems.
Foo Siang-tse, managing director, Quann, said: "The findings are worrying but they don’t come as a surprise. Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable.
The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals are critical in enabling them to detect threats early and mitigate their impact."
Photo / 123RF