Singapore is leaving other countries in the dust when it comes to cybersecurity preparedness, according to a new government survey.
The Cyber Security Agency of Singapore (CSA) State of Cybersecurity Report 2023 surveyed 2,036 small, medium, and large organizations, across 23 industries, about various aspects of their cybersecurity: breaches faced, business impacts, measures implemented, and the like. It found that, on average, organizations have implemented just over 70% of the requirements needed to obtain a “Cyber Essentials” certification. The certification includes five categories of national cybersecurity standards: “Asset”, “Secure/Protect”, “Update”, “Backup” and “Respond”.
The 70% is far from perfect, CSA pointed out, and some of the other results were cause for further concern. But when ranked on a curve, Singapore organizations are doing quite well compared to the rest of the world.
“Governments and businesses can take a leaf out of Singapore’s agenda and focus on proactive protection, public education and discussion of cybersecurity initiatives at the highest levels of government,” says Stephanie Boo, senior vice president at Singapore-based Menlo Security.
Why Singapore has the advantage
In contrast to the CSA results, let’s look at Cisco’s 2024 Cyber Security Readiness Indexpublished last week.
In a survey of 8,000 business and cybersecurity leaders in 30 countries, Cisco assessed that only 3% of organizations have a “mature” level of security preparedness “necessary to be resilient to modern cybersecurity risks.” 71% of organizations were classified as being “educational” (below average) or “beginner” (just starting to implement security solutions).
When it comes to Singapore’s markedly better results, Boo says: “Big government policies and the ability to implement them in a small country are a couple of contributing factors.”
“However, credit also goes to a very computer-savvy population, with a highly digitized economy and a thoughtful, problem-solving approach to breaches. When the country experienced a violation in 2018instead of continuing business as usual, the government has instituted an Internet separation where computers connecting to business applications are isolated from the Internet,” he says. “For the many breaches that have made headlines in the United States, we have not seen a coordinated solution or mandate from other governments.”
Now the bad news
However, the CSA report also included some troubling findings.
More than eight in ten Singapore organizations have experienced a cybersecurity incident during the year, and half have experienced multiple incidents. Of these, 99% suffered a business impact, with the most common consequences being business interruption, data loss and reputational damage.
Singaporean business leaders have also been found to suffer from the same recurring mental blocks that IT professionals struggle with, no matter where they are in the world. When it came to why they didn’t implement security measures, beyond a lack of knowledge and experience, respondents – 46% of businesses, 49% of nonprofits – often expressed the belief that they were unlikely to be targeted of a cyber attack. They also admitted that cybersecurity is a low priority in their organizations (38% and 44% respectively) and cited a perceived lack of return on investment (36% and 31%).
CSA highlighted the irony of these arguments in a fact sheet, pointing out that the cost to meet Singapore’s Cyber Essentials threshold for a small business ranges from around $1,800 to $4,500.
“The amount is typically a small fraction of the cost of business disruptions or recovery procedures due to cyber incidents, the impact of which can also extend beyond the affected organizations to their customers and suppliers,” according to the agency.
Boo notes that, in general, small businesses don’t have the resources to address security from a business case perspective.
“Small businesses focus on the nuts and bolts of running their business and don’t have the bandwidth or foresight to consider business tools from security to business,” Boo says. “The best way to educate small businesses is to provide training through the channels they already use, such as the bank, credit card company or telecommunications provider. It’s also important to keep it simple and focus on business benefits rather than complexity of cyber threats.”