CSA Releases Key Findings from Singapore Cybersecurity Health Report 2023

Report found that local organisations recognised the importance of cybersecurity and have adopted an average of about 70% of essential cybersecurity measures, but CSA urged for full adoption so that organisations would not be exposed to unnecessary cyber risks

[28 March 2024] The Cyber Security Agency of Singapore (CSA) released the key findings of its first Singapore Cybersecurity Health Report today. The survey, conducted between May and August 2023, polled 2,036 small, medium and large organisations on various aspects of cybersecurity, such as frequency of cyber incidents encountered, types of business impact suffered and adoption levels of cybersecurity measures. The aim of the survey is to establish the current status of cybersecurity in local organisations and guide CSA’s efforts. The cybersecurity and resilience of these organisations are important, as they provide products and services that people use and define the online experiences of Singaporeans.

Majority polled were aware of national cybersecurity standards but adoption levels can be improved

2. The findings showed that local organisations recognised the importance of cybersecurity and were taking steps to protect themselves. This is evident as the survey asked about the specific measures that these organisations adopted in five categories¹, and the organisations adopted an average of about 70% of the measures in each of the categories.  

3. Further, the findings showed that 75% of organisations polled were aware of CSA’s cybersecurity certification programmes Cyber Essentials and Cyber Trust, which are national cybersecurity standards to help organisations prioritise cybersecurity measures to be implemented. 

4. However, CSA believes that partial adoption of measures is inadequate, and unless all essential measures are adopted, organisations are still exposed to unnecessary cyber risks. Adopting the full package of essential measures in all five categories will enhance organisations’ cybersecurity holistically. Therefore, there is much room for improvement, as only one in three organisations have fully implemented at least three of the five categories of measures in Cyber Essentials. For more details, please refer to page 7 of the Report.  

Lack of knowledge/experience is the top challenge faced by organisations, CSA has introduced initiatives to help

5. When it comes to the reasons for non-adoption of cybersecurity measures, organisations cited a lack of knowledge/experience as the top challenge (59% for businesses, 56% for non-profits). This is understandable given the increasing and fast-evolving cyber risks, which has also contributed to the shortfall in cyber professionals. The second biggest challenge was the perceived unlikelihood of being a target of cyber-attacks (46% for businesses, 49% for non-profits). Other challenges cited were a lack of manpower/resources (39% for businesses, 37% for non-profits), low return-of-investment (36% for businesses, 31% for non-profits), and the lack of budget (31% for businesses, 27% for non-profits). For more details, please refer to Report (page 9).  

6. That said, it is critical for organisations to fortify their cyber defences comprehensively, as over eight in 10 organisations encountered a cybersecurity incident in a year, with about half encountering it several times a year. Some of the top categories of incidents were ransomware, social engineering scams, and exploitation of cloud misconfiguration. For more details, please refer to Report (page 5).

7. These incidents almost always result in a negative impact, with 99% of the organisations which encountered an incident reporting that they suffered a business impact. The top three business impacts cited were business disruption (48% for both businesses and non-profits), data loss (46% for businesses, 60% for non-profits) and reputation damage (43% for businesses, 44% for non-profits). Others included financial loss (31% for businesses, 34% for non-profits) and costs incurred from incident response measures (27% for businesses, 24% for non-profits). For more details, please refer to Report (page 6). 

8. The estimated cost of implementing cyber hygiene measures in Cyber Essentials for a small organisation with less than 20 end-points, after accounting for the funding support available in CISOaaS and the Infocomm Media Development Authority’s SMEs Go Digital Programme, ranges from about $1,800 to $4,500.  While this amount is not small for a small and medium-sized enterprise (SME), it also needs to be seen in comparison to the cost of cyber incidents.  The amount is typically a small fraction of the cost of business disruptions or recovery procedures due to cyber incidents, the impact of which may also be extended beyond affected organisations to their customers and suppliers.

Comprehensive support by CSA, including the new Cybersecurity Health Check 

9. It is important for the entire cybersecurity ecosystem – including the government, academia and businesses – to work together to maintain the trust and resilience of our digital systems. CSA is committed to providing stronger support to these organisations to help them overcome these challenges. To encourage organisations to implement all the essential cyber measures, it has introduced a slew of initiatives in recent years, as listed below. More information can be found under the SG Cyber Safe Programme. 

(a) Cybersecurity resources to raise organisational awareness – These free, tailored toolkits provide information on cybersecurity issues and threats, and enable organisations to adopt cybersecurity measures pertinent to their job roles, such as business leaders, IT teams and employees. There are also Cloud Security Companion Guides, which help organisations to understand the cloud security measures to pay attention to as enterprise adoption of cloud computing rises.    

(b) Cybersecurity Health Plan delivered by CISO-as-a-Service (CISOaaS) consultants – This is an initiative where SMEs can engage cybersecurity consultants to develop tailored cybersecurity health plans and close their cyber hygiene gaps to be able to attain Cyber Essentials certification. Funding support is available for eligible organisations. Since this was launched in 2023, 55 SMEs have benefitted from the initiative.

(c) Cybersecurity certification i.e. Cyber Essentials and Cyber Trust – These create recognition for organisations that invest in cybersecurity. Funding support is available for eligible organisations. Since this was launched in 2022, more than 180 organisations have been Cyber Essentials-certified, and more than 60 have been Cyber Trust-certified.

10. CSA has also worked with the Infocomm Media Development Authority to launch the Cybersecurity Health Check for organisations to assess their cyber hygiene, benchmark themselves against industry peers, and access resources to address the gaps. This self-assessment tool was developed based on the cyber hygiene measures in Cyber Essentials. After answering a short questionnaire, organisations will receive a cybersecurity health report and recommendations on the next steps. CSA encourages all organisations to use this tool and tap on the CISOaaS initiative to improve their cybersecurity where necessary, to embark on the journey of attaining the Cyber Essentials or Cyber Trust certification.   

11. Mr David Koh, Chief Executive of CSA, said, “The findings show that while organisations have put in place some measures to protect their assets, this is not sufficient given the increasing frequency and scale of cyber threats that we are facing today. Organisations should make cybersecurity a priority and take advantage of the funding support and resources available to catch up. Doing this only after an incident has happened will be much more costly.”   

The Singapore Cybersecurity Health Report 2023 is available at www.csa.gov.sg/cyberhealthreport and the Cybersecurity Health Check can be accessed at https://www.csa.gov.sg/cyberhealthchecktool.

---------

¹ The five categories listed in CSA’s Cyber Essentials, i.e. “Assets”, “Secure/Protect”, “Update”, “Backup”, and “Respond”. 
² The Health Check will be accessible online at 0800hrs on 28 March 2024.

About the Cyber Security Agency of Singapore