Views

Cyber security not just Government's responsibility

Organisations must focus on technology, processes and people for cyber defence

Recognising cyber security as a key enabler for our digital future, the Government established the Cyber Security Agency (CSA) four years ago to provide dedicated and centralised oversight of Singapore's national cyber security functions.

CSA's mandate includes the protection of 11 Critical Information Infrastructure (CII) sectors. The Government also passed the Cybersecurity Act last year, which places legal obligations on CII owners to adopt mandatory cyber security measures in their systems and conduct regular risk assessments and audits on their CIIs.

However, cyber security is not, and cannot be, solely the government's responsibility.

To be effective in cyber defence, an organisation's effort must focus on three areas - technology, processes and people.

First, technology.

Organisations can adopt a "defence-in-depth" approach. Today, the norm is to monitor their perimeter to stop intruders from getting in.

As cyber attacks become prevalent, we must assume attackers may already be in our networks.

We have to change the way we design and monitor networks. This entails assessing what needs to be safeguarded and setting up layers of defence.

Organisations should implement technology to not only prevent but also detect and respond to cyber attacks.

This includes stronger encryption for data; heightened monitoring of database activity; and an integrated system to rapidly isolate and contain the infected systems.

Second, processes.

Cyber security should be viewed as a risk management issue that requires balancing between security, usability, and cost. It must be managed at the appropriate level of leadership.

Take two-factor authentication. It enhances security but causes inconvenience and diminishes user experience.

This can have a real impact on organisations, especially if applied in time-critical operations such as in hospitals.

Decisions that entail a trade-off between security, usability and cost must be made by leaders who have the accountability and oversight of operational and business imperatives.

Organisations should review their structure to ensure cyber security issues are flagged to the appropriate level within the leadership team.

Lastly, the people factor.

Responsibility for cyber security belongs to more than just the IT or security personnel.

Front-end users are often the weakest link, as sophisticated social engineering techniques combined with human error give threat actors the means to gain a foothold in the network.

Most cyber attacks are not highly sophisticated and can be averted by raising the basic level of cyber hygiene.

This involves developing a positive cyber security culture within the organisation, and raising the level of cyber hygiene for all staff - such as using strong passwords, patching software regularly and learning to spot signs of phishing.

The writer is Minister for Communications and Information, and is also in charge of cyber security. This is part of a keynote address delivered at a closed-door forum on May 21, further edited from a version that appeared in The Business Times yesterday.

Technology