S'pore unites to keep cyber threats at bay

By Sol E. Solomon, ZDNet Asia
Tuesday, March 03, 2009 03:24 PM

Cyber threats can be as devastating to a country as physical security risks. This recognition prompted Singapore to launch a joint effort, enlisting the government, enterprises and individuals to enhance the nation's information security competencies and resilience against cyber attacks.

After unveiling its S$70 million (US$46 million) Infocomm Security Masterplan 2 (MP2) in April 2008, the local government has worked more closely with the private sector and individuals to combat emerging cyber threats over the next five years.

MP2's initiatives include the 2008 launch of the Association of Information Security Professionals (AISP), aimed at raising the standing, professionalism and trust of infocomm security professionals in the country.

AISP President Gerard Tan said the organization's launch has made corporations more aware of the need to "professionalize" the IT security industry.

Prior to the AISP's formation, much of the drive, formal initiatives and awareness programs relating to cyber security came mainly from the government, particularly through the Infocomm Development Authority of Singapore (IDA) and Monetary Authority of Singapore (MAS), Tan said in an e-mail interview.

"Now there is a [formal] body to bring those in the private and public sector together to pursue a common interest [to combat cyber threats]," he said of the AISP, which is led by the private sector and backed by the Singapore Computer Society and IDA.

Since its formation, the AISP has focused on creating professional development programs such as its Academic seminar series, to help its members develop their information security knowledge and skills, he explained.

It has also reached out to other information security bodies such as (ISC)², with which it signed an Affiliated Local Interest Group (ALIG) collaborative agreement. Through this, the AISP has become the local body designated to help (ISC)² watch over the professional interests of its Certified Information Systems Security Professional (CISSP) members in Singapore, Tan said.

To assist the National Infocomm Competency Framework (NICF) Technical Committee to develop Singapore's Information Security Competency Framework, he noted that the AISP co-chairs a steering committee overseeing the development of the Information Security Body of Knowledge, which is an IDA project currently in progress.

Stree Naidu, regional vice-president of Tumbleweed APAC and Japan, praised the government's efforts to build awareness in this market. "[We] have noted a rising trend of increased cyber security awareness among businesses, especially over the last year," Naidu told ZDNet Asia in an e-mail.

Reputation gets security boost

"During uncertain economic times, reputations of companies are at stake," he added. "Any involvement in legal suits and loss of customer confidence could quicken a company’s demise. Hence, companies are adopting a cautious approach and re-looking security risks."

In Singapore, according to Naidu, a company that manages its security well can stand to reap economic benefits.

"Many companies are starting to sit up and take note of such implications," he said.

Lawrence Ong, regional security business manager at Datacraft Asia, said that through efforts under MP2, the government and larger enterprises in Singapore's financial services, manufacturing and logistics and education sectors have well-established IT security best practices.

Tan noted that in October 2008, the MAS, Singapore's Accounting and Corporate Regulatory Authority (ACRA) and the Singapore Exchange (SGX) issued "a landmark publication" titled Audit Committee Guidance Committee Guidebook for Audit Committees in Singapore.

It highlights a guideline that calls for a company's audit committee (AC) to request the management team and internal auditors to identify critical IT systems and functions supporting the financial reporting processes, Tan said. It underscored a need to assess the adequacy of the controls in these systems, he said.

"It is also worthy to note that the guidance…states that 'for companies whose key operations are reliant on sophisticated integrated systems, the AC should consider having a member who is knowledgeable about IT systems and controls, or organize a panel of experienced persons to review IT areas'," he added.

These guidelines are "groundbreaking" in Singapore and possibly in many other parts of the world because, for the first time, IT controls and security have been "clearly identified as a key area of risk" that must be addressed by the ACs in Singapore, Tan said.

"The ramifications are clear," he noted. "The importance of IT and information security and controls are now formally recognized, and cannot be ignored by the boards and management of companies."

Good news for experts

The next logical step will be the private sector's call for better training and recognition of information security professionals, and in due course, certification and regulation, Tan said.

This means a "significantly brighter future" for those looking to become IT security professionals in Singapore, he added.

When that happens, industry observers feel these professionals will have their work cut out for them.

According to Datacraft's Ong, local small and midsize businesses (SMBs) in the manufacturing, retail, tourism and hospitality fields are usually more vulnerable to cyber crime because they typically do not have any IT security functions in place.

Ang Chye Hin, Asean director of sales at SonicWall, said: "Many local SMBs are still lagging behind in their understanding of Web-based threats, and are largely uncertain on how to deal with cyber security breaches."

Naidu stressed that while Singapore companies have taken a proactive approach to adopting fundamental cyber security measures, threats are evolving every day.

"New techniques such as image spam and botnet attacks can easily bypass existing filters, and outbound content is monitored far less often," he explained.

Local companies need to further educate their employees and train them to manage such threats appropriately, he suggested. For example, IT departments may look into refresher courses on computer forensics to help them tackle security breaches.

"Companies today are extremely vulnerable when confronted with malware and organized crime syndicates," Naidu said. "Ignorant users…and the complexity of such threats continue to pose a great challenge."

Agreeing, Ang noted that many companies choose to "sit on the fence" when it comes to investing in cyber protection, and end up having to scramble for remedial measures when disaster strikes.

"But, by that time, it is usually more costly to rebuild or retrieve the company's data, not to mention the loss of proprietary information and intellectual property that are crucial to the business," he said.

Ong advised such companies to conduct an IT risk assessment to determine which of their critical business processes are most dependent on IT; the business impacts when these IT systems are unavailable; and how long their business can operate without the IT system before "intolerable consequences" occur.

The assessment will help organizations prioritize resources to support IT security, he added.