Why building cyber resilience needs more than just technology
03 Jun 2022

As the world moves towards a digital-first future, we need to confront a new matrix of emerging risks that could amount to a cyber-pandemic if left unaddressed, according to the World Economic Forum (WEF).
The threat of cybercrime in Asia has reached an all-time high as we face fifth-generation cyber attacks that have grown in complexity and magnitude. In a 2022 IBM study, Asia was found to be the most targeted geography of 2021, racking up 26 per cent of all global attacks on organisations.
Critically, the WEF’s Global Cybersecurity Outlook 2022 report has identified a perception gap between business executives and security leaders on whether their organisations are secure. Some 92 per cent of business executives believe that their organisations are cyber resilient, while only 55 per cent agree that they have taken adequate measures to safeguard their organisations.
On top of that, the recent spike in phishing attacks targeting individuals in Singapore has sounded alarm bells for more stringent cyber security measures and public education. Statistics from Check Point Research show that cyberattacks in Singapore rose by a whopping 145 per cent in 2021 compared to the year before.
Much is at stake when organisations and individuals are inadequately prepared to navigate a growing minefield of cyberattacks. Stronger safeguards need to be in place to navigate cyber risk. Here’s a holistic look at how we can tackle the mounting threat of cybercrime.
Large corporations and small and medium-sized enterprises (SMEs) alike have faced intensifying cyber threats in recent years.
For SMEs, such an attack could represent much more than a setback. Cyberattacks on SMEs could place both the business owners and their customers’ personal data in jeopardy.
Data from Cisco showed that 68 per cent of SMEs in Singapore believed that a serious cyber incident could spell the end of their business as they typically lack the financial capacity and capabilities to recover from an attack.
The importance of SMEs to Singapore’s economy is hard to overlook, with these businesses contributing a significant amount to the nation’s gross domestic product and employing the majority of the local workforce.
Adding to the point, Singaporeans lost at least S$633.3 million to scams last year. These attacks are technologically sophisticated and executed with organised tactics, taking the form of recruitment, e-commerce or social media impersonation scams.
Banking-related phishing cases are the most prominent and have made financial institutions pay renewed attention to how they can tackle the issue. Though some banks have offered restitution to their customers on a goodwill basis, cyber experts warn that customers cannot solely rely on such remedial measures over the long term as they are not sustainable for the banking ecosystem.
Customers must remain vigilant and take active steps to protect themselves, including staying up to date on the latest scam tactics to identify phishing attempts, verifying the authenticity of claims before taking further action, and safeguarding personal information.
As counter-intuitive as it may sound, it is becoming more apparent that cyber risk management cannot be addressed solely by technology, given the growing sophistication of cyber scams and the mounting costs of addressing ransomware attacks.
Not only are hackers demanding higher ransoms, but the total cost of addressing such attacks is also growing. In fact, a recent study by Sophos showed that the average cost of an attack, including business downtime, lost orders and operational costs, has more than quadrupled in Singapore from US$832,423 in 2020 to US$3.46 million in 2021.
Most SMEs – which often already face difficulties in securing access to capital – need extra financial support to recover from the growing cost of cyberattacks. These include costs for data restoration, forensic investigation, legal defence and making reparations to customers.
More are turning towards cyber insurance to mitigate some of these cyber risks. In fact, Cisco reported that nearly three-quarters of SMEs in APAC have increased their spending on cyber insurance, recognising that a safety net to help cushion the financial impact of an attack is crucial on top of a robust plan.
Insurers are responding to the complexity of cyber threats by offering more targeted protection. The most important features of a comprehensive policy that business leaders should look out for are: third-party protection, remediation, helpline support and business interruption coverage.
Personal cyber insurance offering individuals coverage for phishing incidents is also gaining traction with ubiquitous digital lifestyles.
While legislators continue to place an emphasis on cyber hygiene and vigilance, the growing cyber exposure in our daily lives and the potential financial loss stemming from such attacks could render cyber insurance as commonplace as health insurance.
As we transition towards a digital-first environment, remote work and the digitalisation of operational processes can make defending against cybercriminals more complex.
Organisations must adopt a holistic cybersecurity strategy that entails enhancing cloud resiliency, monitoring insider threats, consolidating technology vendors, using white-hat hacking to test for vulnerabilities and holding regular cyber exercises to anticipate possible disruptions.
Organisations can also consider enlisting the community’s support by setting up a dedicated hotline so that the public can report directly to them any suspected scams related to the business.
Given Singapore’s Smart Nation roadmap and ambitions to become a global financial hub, rising cyberattacks have also prompted action from the Government to play a bigger role in managing cyber risk.
Last year, the Cyber Security Agency launched a series of tool kits for enterprises, which provide guidance on cyber-security issues tailored for senior business leaders, SME owners, as well as employees.
Legislation has also been stepped up, with more companies encouraged to double down on cybersecurity with heavier fines for those who fall prey to data breaches. A potential area authorities should now explore is issuing heavier sentences for online platforms that fail to conduct background checks on their online sellers as a deterrent.
In today’s digital era where individuals can buy virtual property and digital currencies are now hot commodities, opportunities for cyber criminals will grow in tandem with our growing exposure.
Ultimately, the best offence is a good defence. To win the battle against cyberattacks, SMEs and individuals need a holistic strategy focusing on protection and prevention rather than recovery.
An edited version of this article was published in The Business Times on 2 June 2022.
The article was contributed by Andrew Taylor, SVP, Financial Lines, MSIG Singapore and MSIG Hong Kong.