New security drivers change Singapore biz strategies

SINGAPORE--The rise of social media, IT consumerization and mobile computing is changing the enterprise security landscape and organizations here do demonstrate awareness of the potential business risk. But while local businesses are taking appropriate measures to protect themselves, they do not have holistic security strategies in place that are robust enough to deal with the threats, according to new findings from a Symantec survey.

The IT security vendor said significant industry trends were driving security concerns among businesses in the region. As organizations deal with the proliferation of smartphones and tablets in the enterprises, along with the popularity of social media, they also grapple with new security challenges.

Some 52 percent of Singapore organizations polled in the survey identified social media and the consumerization of IT as areas that increased the difficulty of providing cybersecurity. Fifty percent pointed to mobile computing.

Additionally, 58 percent of the respondents named hackers as their top concern among evolving threats, while 50 percent pointed to insider threats and 50 percent highlighted cybercriminals.

Another 50 percent listed targeted attacks that zeroed in on specific organizations for political or economic reasons such as Stuxnet.

Conducted via phone interviews in April and May this year, the survey polled 200 companies in Singapore to explore the state of cybersecurity efforts of organization of all sizes. Globally, 3,300 employees across 36 countries were surveyed, of which 1,600 respondents were from 12 Asia-Pacific countries which, apart from Singapore, also included China, Hong Kong, India, Indonesia, Japan, Malaysia and the Philippines.

"Growing adoption of technologies such as social media, mobile computing and the consumerization of IT has brought about new security challenges for Singapore enterprises, even as companies are ramping up their cybersecurity efforts," said Tan Yuh Woei, country manager of Symantec Singapore.

He added that while it was clear attackers were using "more targeted, sophisticated and silent tactics" to steal data and wreak havoc, organisations must be aware and address the risks brought about by internal unintentional actions that might cause breaches.

In the past 12 months, 67 percent of Singapore organizations said they experienced cyberattacks, which was a slight increase from last year's 66 percent. However, while 20 percent cited an increase in the frequency of attacks--compared no increase reported last year--fewer companies experienced losses from such attacks this year, at 95 percent, down 5 percent from 2010, Symantec revealed.

Local businesses continued to experience cyberattacks though, with 17 percent experiencing them on a regular basis, 67 percent seeing attacks in the past 12 months, and 20 percent noting that the frequency of attacks were on the rise. The top attack vectors highlighted were social engineering, malicious codes and unintentional internal actions.

Some 95 percent of Singapore companies saw losses from cyberattacks from downtime suffered, theft of customer's identity information, and theft of other corporate data. Some 83 percent of losses translated to monetary costs incurred from lost time and productivity, revenue and costs to comply with regulations after an attack.

Awareness present, strategies not so
Singapore businesses believed keeping their operations and information secure was of prime importance, with 44 percent indicating that cybersecurity was somewhat or significantly more important now than it was a year ago.

While local companies faced a variety of risks including natural disasters, traditional crime and terrorism, respondents ranked cyberattacks as their top concern, followed by IT incidents caused by insiders and internally generated IT-related threats. The top three concerns were related to data and network security.

To address security pitfalls, Singapore businesses were increasing staffing levels and budgets for their IT department, adding the most staff in network security, user training and awareness and risk management. Bigger budgets were also pumped to boost security initiatives in network, Web security and security for private cloud.

Based on their own assessment, 54 percent of respondents said they were doing somewhat or extremely well in addressing routine security measures, followed closely by demonstrating compliance which was highlighted by 52 percent of local companies. Some 51 percent said they were doing likewise for security attacks or breaches.

However, Singapore respondents were not doing as well in pursuing strategic security initiatives or innovative security measures, Kwee Anping senior technical consultant of Symantec Singapore told ZDNet Asia in a phone interview.

He observed that organizations put a lot of emphasis on network security and risk management but were lacking in terms of focusing on IT policies to govern how companies conducted IT security business. Kwee explained that without IT policies, it would not be possible to prioritize a baseline of risks due to what was lacking in their business.

Asked if Singapore organizations saw returns on investment (ROI) in security, he noted that most organizations saw security as "non-revenue generating".

"Intangible benefits of investment in security are really looking at securing their brand names, reputation and trust gained from doing business with their customers and partners," he said. "These are the benefits, rather than monetary returns."

"To defend themselves against such rapidly evolving threats, it is critical for businesses to deploy innovative security solutions and best practices that the industry is delivering to stay protected both externally and from within," Tan added.