Nine out of 10 (91 percent) of the surveyed Singapore companies are in the early stages of security preparedness. More than half (54 percent) of the respondents do not have a Security Operations Centre to monitor their networks and security devices for suspicious traffic.
Almost half (49 percent) have not conducted any form of IT security awareness exercise.
While a majority of the surveyed companies in Singapore believe that cyber security is important and seek guidance from IT security experts, 91 percent of them are in the early stages of security preparedness, according to a survey jointly conducted by Quann, a leading Managed Security Services Provider in Asia Pacific, and research firm IDC. The survey identified significant gaps in security device deployment, cyber awareness, resources and preparedness for attacks, making these companies vulnerable to cyber attacks.
The inaugural Quann IT Security End User Study 2017, covering 150 senior IT professionals from medium-to-large companies based in Singapore, Hong Kong and Malaysia, aims to understand the cyber security strategies of these organisations as well as their preparedness and vulnerability to cyber attacks.
Mr. Foo Siang-tse, Managing Director, Quann, said: “The findings are worrying but they don’t come as a surprise. Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals, is critical in enabling them to detect threats early and mitigate their impact.”
While basic IT security features such as firewall and antivirus are widely deployed by the Singapore companies, more than half (56 percent) of them do not have Security Intelligence and Event Management Systems to correlate and raise alerts for any anomalies in a timely manner.
Also, 54 percent of the Singaporean respondents do not have a Security Operations Center (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents that are flagged by the systems. The lack of proper monitoring systems and processes means that anomalies picked up by security devices may go unattended and malware may reside and cause damage within corporate networks for long periods.
“Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on premise Security Operations Center that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing and incident response and forensics,” Mr. Foo added.
The survey also finds that 40 percent of Singaporean respondents do not have incident response plans to protect the companies’ networks and critical data in the event of a cyber attack. Only one-third (33 percent) of them practise their incident response plans. Cyber criminals usually target non-IT employees who are seen as the weakest link in cyber security. However, only 33 percent of the Singapore companies require all members of the organisation, from the CEO down, to take part in IT security awareness training.
Absence of dedicated security manpower
Many Singapore companies (75 percent) do not have a dedicated IT security budget and planning process. Most Singaporean respondents said that they have a security lead but he/she is not a dedicated resource and has other responsibilities at the same time. They also do not have round-the-clock security support, with 32 percent having security support only during work hours, and 25 percent only during the work week.
With cyber attacks evolving at an unprecedented speed, there is a need for organisations to invest in security resources, increase the frequency and expand the reach of IT security training to keep pace with the cyber threats.
Cyber security not on the Board’s agenda
The survey also reveals a low level of engagement from senior leadership in formulating IT security strategies. A majority (91 percent) of Singaporean respondents consult security executives, but only 16 percent of them will invite the executives to Board meetings and involve them in risk assessment.
Mr. Simon Piff, Vice President of IDC Asia/Pacific’s IT Security Practice, said: “Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cyber security investments are akin to military spending – we do it in the hope that we would never have to use the tools. They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation.”
Source: Media Release