Smart Nation. Digital transformation. Fintech. Cybersecurity. These are the buzz words that have been making headlines and dominating the current news cycle in Singapore. They come on the back of the recent government budget announcement on the Singapore government aggressively pushing industries onto digital platforms.
But while the digital push is being implemented, IDC’s IT Security MaturityScape report for Asia Pacific, excluding Japan, revealed that a significant number of organizations are operating at the lowest states of IT security readiness. The region’s organizations are not prepared for the additional risks that accelerated digital transformation brings.
This is in line with the sentiments of the chief of the Monetary Authority of Singapore (MAS), who warns that the next financial crisis may be triggered by a cyberattack.
Cyber-attacks are here to stay. As the walls get larger and fences get higher, cyber-attackers just get better at climbing them
Low preparedness in Asia
Crime follows the money and cybercrime is no exception. As more and more digital services are being offered by banks and financial institutions, more opportunities open up for cyber criminals to strike. The MAS warns that emerging technologies are a double-edged sword. While they help reduce risks, they also open up new avenues for risks like cyber-attacks.
Cyber-attacks take on many forms. However, the end goal is always the same – to acquire capital as well as confidential and sensitive information. Looking at news reports of recent attacks, it is fair to conclude that many financial institutions and corporates are not prepared for a major cyber security breach.
Amid increased spending and raised awareness, security leaders are still struggling to fight the asymmetric war against cyber criminals. Organizations need to map out their “crown jewels” and ensure these assets are properly protected.
This necessitates investing in superior detection and response capabilities, which play a crucial role in helping organizations prepare for cyber threats.
Naturally, Chief Information Security Officers and Chief Information Officers especially of banks and financial institutions have identified cyber security or cyber-threats as their top priority. But IDC reports that the low level of capabilities in IT security most Asia Pacific organizations operate in is not surprising, due to the legislative environments these organizations operate within.
It is important to realize that cyber security is a never-ending process. Cyber-attacks are here to stay regardless of the extent you adopt protection measures or the investments you continue to make.
The adoption of security measures does not deter threat actors from attacking. Indeed, as the walls get larger and fences get higher, cyber-attackers just get better at climbing them. With each passing day, they become ever more sophisticated.
Threat actors continue to use the traditional methods of injecting malware into the networks to attack. However, they are also looking beyond the perimeter and shifting their attacks to social media and the organization’s other online assets.
This is a critical attack-vector for threat actors, as more and more banks and corporates are shifting services to digital platforms.
On top of understanding how threat actors operate, it is necessary to engage third-party cybersecurity experts and to develop internal cybersecurity departments within the organization to improve and better gauge cyber readiness.
To stay ahead of the cyber warfare, financial institutions and corporates also need to realize that they require technology that allows them to have on-going protection beyond their perimeter, to identify potential threats before they materialize. There is no longer real efficiency in relying on one-off compliancy auditing.
Being compliant does not mean being safe
Compliancy audits do provide a good baseline, but more must be done. Companies should invest in solutions that allow them to continuously test themselves, check their cyber posture and measure their cyber readiness to keep abreast of the threats.
It is essential to acquire and develop capabilities for early detection and targeted threat intelligence, allowing financial institutions and corporates to prepare and scale their defenses. Armed with the knowledge of what exactly these threat actors are thinking, what their goals are and how they plan to achieve them provides a crucial head start when deciding how to deal with these threats before they become crises.
Instead of spreading the budget thinly across all channels, organizations should identify the crown jewels and allocate additional investments in protecting the core of the enterprise
On top of threat intelligence, organizations need to arm themselves with ongoing assessments of their cyber hygiene and readiness. Such solutions provide ongoing automatic simulations and continuous assessment of the organization and its third party vendors, providing real-time assessment of the organization’s cyber security posture.
But with the vast selection of security solutions available, organizations need to be strategic about the kinds of security investments they make. Not every institution is exposed in the same way.
Before budgeting, they need to have the intelligence and understanding of relevant threats and shift their efforts and focus on where these attacks are happening. Instead of spreading the budget thinly across all channels, organizations should identify the crown jewels and allocate additional investments in protecting the core of the enterprise.
While investing in IT security is important, looking inwards is equally important. Having a department that can address and improve responsiveness post a cyber-attack is crucial. Organizations can lose a lot of customers and money during down time caused by a successful cyber-attack.
Having a standard operation procedure in place, so that every attack is dealt with by a pre-determined action plan, that has every staff knowing what to do and their responsibilities helps the organization bounce back quickly.
While vast sums of money have been invested on cybersecurity over the past few years, it is evident that risk exposure has been growing faster than these investments, meaning the gap is quickly widening.
Financial Institutions and corporates need to make cybersecurity a top priority. Trust is the major currency every customer and investor trades in. They want to have the confidence that they are dealing with a secure organization.
When institutions consider this, they can appreciate the true value of their cybersecurity investments. In the long run, these will lead to enhanced profitability and stability.
About the Author
Elad Ben-Meir is Vice President at CyberInt, which specializes in cyber intelligence and protection of online activities of client companies.