The Big Read: As more cyber attacks loom, Singapore has a weak ‘first line of defence’

First published on todayonline.com on 23 Feb 2019.

As Singapore shores up its cyber defences, all the best hardware and software that money can buy will not be able to fend off cyber attacks if the ‘peopleware’ is lacking, experts pointed out. Indeed, the latest public awareness survey by the Cyber Security Agency (CSA), released last year, indicated that many Singaporeans were still complacent when it came to cyber-security issues.

SINGAPORE – In most offices across the island, it is a common sight to see employees not taking fire drills as seriously as they should, with some even lamenting that these are a waste of time.

This, despite the fact that fires are a very real threat and could have disastrous consequences in high-rise office buildings.

The same could be said for cyber security and all the training and policies that companies try to put in place, said Mr Erman Tan, president of the Singapore Human Resources Institute (SHRI), who used the analogy to explain the challenges that firms face in getting their staff to take cyber security seriously.

“People will think: ‘Why do we have fire drills when we never encounter fires? It’s the same for cyber security. People will always feel it will never happen to them, or it will never happen to their company.”

While Singapore has one of the best infrastructure, technologies and legislation in place to deal with cyber threats, it is no coincidence that the human factor — long seen as the weakest link in the chain, or the first line of defence — had contributed to some of the recent data breaches which made headlines here.

In June last year, Singapore suffered its worst-ever cyber attack where hackers broke into SingHealth’s IT systems to steal the data of 1.5 million patients and records of the outpatient medication given to Prime Minister Lee Hsien Loong.

A Committee of Inquiry (COI) found that it was a result of lapses by employees who ignored warning signs of a potential breach, and vulnerabilities with the system.

For example, an IHiS employee was singled out for misunderstanding what constituted a security incident and failed to comply with incident reporting processes. A senior manager of IHiS’ security management department was also reluctant to raise the alarm to his superiors despite knowing about suspicious logins to the patient database, for fear of working “non-stop” to “deliver answers” to top management.

Minister for Communications and Information S Iswaran (C) speaks alongside Minister for Health Gan Kim Yong (3rd R) during a press briefing on the SingHealth cyber attack.

In another incident, the medical records of 14,200 HIV-positive people were illegally disclosed online by deported American fraudster Mikhy Farrera Brochez, whose partner Ler Teck Siang used to work at the ministry.

Ler, who was able to access the HIV registry as part of his work, was believed to have downloaded the information into a thumb drive, and later failed to retain possession of it.

Recognising the need for individuals to play their part in response to the growing cyber threats, a new “digital defence” pillar was added to Singapore’s Total Defence framework on Feb 15.

As Singapore shores up its cyber defences, all the best hardware and software that money can buy will not be able to fend off cyber attacks if the “peopleware” is lacking, experts pointed out.

Indeed, the latest public awareness survey by the Cyber Security Agency (CSA), released last year, indicated that many Singaporeans were still complacent when it came to cyber-security issues.

Of the 2,035 respondents polled, about one-third stored their passwords in their computers or wrote them down, or used the same password for work and personal accounts.

The survey also revealed a slight dip in the respondents’ levels of concern towards cyber threats, while over half of the respondents felt that cyber attacks such as malware and online scams would not happen to them.

Although there are many initiatives at the national level to raise cyber security awareness among the public, their effectiveness remains in question, said Dr Steven Wong, president of the Association of Information Security Professionals.

“While awareness of cyber security may have improved, such as the need to set a strong password, in reality… people may not be practising it,” he said.

Participants from various industry sectors take part in the 2017 edition of Exercise Cyber Star organised by the Cyber Security Agency of Singapore.

A Growing Threat

As millions of people and billions of devices come online over the next few years, cyber crimes are expected to continue its upward trajectory worldwide, fuelled by the explosive growth of Internet connectivity and speeds.

With efforts to boost Singapore’s digital economy and transform the island into a Smart Nation in full swing, the cyber threat has become especially pernicious.

According to online security software vendor Norton, 978 million people in 20 countries were affected by cyber crimes in 2017. In Singapore, 5,430 cyber-crime cases were reported in the same year — or 16.6 per cent of total crimes — while the CSA detected 23,420 phishing web addresses with a Singapore link.

Other forms of cyber attacks, such as website defacement and malware infections, were also on the rise.

Governments and private organisations worldwide are beefing up both their hardware and software to deal with the transnational threat, while changes to policies, internal guidelines, and legislation have been introduced.

A Smart Nation and Digital Government spokesperson from the Prime Minister’s Office told TODAY that the Government continuously reviews the architecture and cyber security of its systems in response to emerging threats and will also exploit new tools to deal with them.

“We adopt a ‘defence-in-depth’ approach so that an attacker would be impeded by multiple layers of cyber defences from the perimeter to within our systems,” the spokesperson said.

Additional measures have also been added recently to better monitor the databases of critical government systems and detect breaches faster, the spokesperson added.

Servicemen from the Singapore Armed Forces at the Cyber Security Ops Centre.

Experts stressed that while Singapore has one of the best infrastructure, technologies and legislation in place to counter the scourge of cyber attacks, all employees — especially the rank-and-file — have a vital role to play.

“The public and private sectors are heavily invested in the staff handling cyber security, information technology (IT), and technical matters by updating their knowledge. However, it’s the normal users who are the weakest link,” said digital forensics specialist Ali Fazeli.

“You can have the best IT system, best IT talent, but it’s really difficult to protect the system and organisation against cyber threats,” the founder of cyber-security firm Infinity Forensics added.

In the public sector, for example, there are some 145,000 officers within the Singapore Public Service, who are hired across 16 ministries and over 60 statutory boards.

All public servants will undergo cyber-security training, the Smart Nation and Digital Government Office told TODAY.

“More exercises will be conducted to sharpen our officers’ response to a cyber-incident. Regular audits will ensure that gaps are discovered and addressed,” its spokesperson said.

Dr Ori Sasson, director of cyber-intelligence firm S2T, said that the challenge for the Singapore Government is the sheer volume of data and the number of systems and employees under its charge.

He said: “Attackers always have the benefit of attacking the weakest link, whereas the defenders have to defend everything they have, which is an asymmetric scenario.”

Employees are especially vulnerable as the majority of cyber attacks begin with one simple phishing email, said Mr Phoram Mehta, head of information security at PayPal Asia Pacific.

For example, phishing, or fake, emails allegedly provided North Korean cyber attackers with a conduit to attack Sony Pictures and the central bank of Bangladesh in 2014. In the latter case, nearly US$81 million (S$109 million) was stolen in the cyber attacks.

Cyber attackers are also using the same tools used by cyber-security experts, such as analytics and automation, to select their victims, Mr Mehta said.

“If you have over a hundred thousand different places to attack, which will you go after, PayPal or a food establishment?”

However, with proper training and the right culture in place, employees can make a difference in determining whether an organisation is cyber secure or vulnerable to cyber attacks.

“We don’t need to teach (rank-and-file employees) the technical things, but we need to tell them how they can misuse their data, and what are the consequences and legal implications,” said Mr Fazeli of Infinity Forensics. “It can be basic training and doesn’t need to be very deep.”