Opening Address by Senior Minister of State for Digital Development and Information Tan Kiat How at the SICW SG Cyber Safe for Enterprises Event on 17 Oct 2024

Published on 17 Oct 2024

SMARTER, SAFER, SIMPLER CYBERSECURITY FOR ENTERPRISES

Distinguished guests

Ladies and gentlemen

Introduction

1.     In May this year at ATxSG, I launched the Digital Enterprise Blueprint (DEB) which sets out our ambition for the next mile of digitalisation for Singapore’s enterprises.

2.     Cybersecurity features prominently in the DEB. A key focus area is to equip enterprises to be safer through improved cyber resilience even as they embrace digitalisation.

3.     We are building on a strong foundation. CSA has been supporting enterprises on securing their digitalisation journeys by providing resources such as cybersecurity toolkits, and providing funding support for SMEs through the Cybersecurity Health Plan.

a.     For example, CSA launched the Cybersecurity Health Plan, which is delivered by CISO-as-a-Service providers to support organisations starting out on their cybersecurity journey.

b.     These providers will perform a cyber health “checkup” on organisations and develop a plan to help them close their cyber hygiene gaps and prepare for Cyber Essentials certification. Eligible SMEs can enjoy up to 70% co-funding support for this service.

c.     I am heartened that there has been steady adoption of both the Cyber Essentials and more advanced Cyber Trust marks. To date, more than 370 organisations have attained either one of these certificates.

4.     However, the threat landscape continues to evolve, and we need to strengthen our tech ecosystem to support the safety of every enterprise, regardless of how far along they are on their digitalisation journey.

5.     Today, I will touch on three aspects:

a.     First, we want to make it simpler for SMEs to be safer and we will do so by harmonising our existing Government cybersecurity initiatives,

b.     Second, on how we help enterprises adopting cloud services to be cybersecure and we will do so by deepening our collaboration with cloud service providers and other relevant stakeholders, and

c.     Third, we are helping our enterprises to be smarter, by adopting AI in their digital services and digital architecture, and how can we help them to be cyber safe even as they do so.

 

Being safe will be even simpler for SMEs by harmonising our initiatives

6.     Let me start on the first aspect. Adopting good cybersecurity measures can be daunting for enterprises, especially SMEs. It requires significant resources to manage cyber risks, and many enterprises might not even know where to start.

a.     According to CSA’s 2023 cyber health survey, almost 60% of both businesses and non-profit organisations reported a lack of knowledge or experience to implement cybersecurity effectively. 60% is quite significant.

b.     We developed the Cyber Essentials and Trust marks as useful starting guides for enterprises, especially Cyber Essentials which is meant for the broad base of firms and organisations.

c.     We will align the Cyber Essentials mark with IMDA’s SMEs Go Digital programme to make it easier for SMEs to achieve the basic cybersecurity hygiene standard.

7.     Specifically, CSA, Enterprise SG and IMDA have come together to refresh the cybersecurity category of pre-approved solutions under the SMEs Go Digital programme.

8.     Pre-approved solutions under the refreshed cybersecurity category will now fall under two types of measures, “Secure/Protect” and “Backup”, which are two of the five categories of measures under CSA’s Cyber Essentials. Sometimes it is not a matter of if, but a matter of when. And when it happens, to be secure and resilient, and to be able to back up and continue your business operations is critical. Hence, this will align the scheme categories and bring them in sync.

9.     The refresh will also introduce a new integrated package for SMEs taking their first steps in cybersecurity. This integrated package provides support in multiple aspects of cyber hygiene such as virus and malware protection, firewall, and backup. This is particularly suitable for SMEs without existing cybersecurity solutions in place. And I believe that will be the bulk of our SMEs. This is an important step we are taking for SMEs - especially those that are beginning to look at their cybersecurity postures – to help them meet their cybersecurity hygiene standards as quickly as possible, and adopting an integrated solution that provides multiple aspects of cyber hygiene.

10.     For SMEs that have already begun their cybersecurity journeys, they may also consider standalone solutions, which will include new categories specifically for backups.

11.     These efforts make adoption simpler, even for organisations beginning on their digitalisation effort, while accounting for the different needs that businesses might have. In summary, we want to make it easier for SMEs to be cyber secure and cyber safe, even as they digitalise. Depending on their needs and where they are in their digitalisation and cybersecurity journey, we have packages available for them under the refreshed cybersecurity category of pre-approved solutions under SMEs Go Digital, coming together across different agencies and syncing up our initiatives.

 

Being safe on the cloud will be even simpler for SMEs through CSA’s collaboration with cloud service providers and other stakeholders

12.     The next aspect is how we are supporting the safe adoption of cloud services by enterprises.

13.     Cloud services are more commonly adopted by enterprises. According to IMDA’s Annual Survey on Infocomm Usage by Enterprises, almost a third of all Singapore’s businesses are now on the cloud.

14.     However, along with its widespread use, there has also been an increase in cyber threats targeting the cloud. Cybersecurity firm CrowdStrike reported a 75% increase in cloud intrusions in their 2024 Global Threat Report. In particular, the number of intrusions carried out by actors that were familiar with how to exploit the cloud more than doubled. As more of our enterprises get on the cloud, we have bad actors following suit, and they are also specialising in how to exploit the vulnerabilities in a cloud system. And we see a rise in such incidents.

15.     Cloud service providers have responsibility for the overall cybersecurity of their cloud services. But all enterprises need to ensure their own security within their own cloud environment.

16.     This means that enterprises still need to implement the necessary security controls and configurations to ensure that their digital assets on the cloud remain protected. I will use an analogy – the cloud service providers are almost like the security for the estate, but you have to provide your security for your own house, and that is the responsibility for each of us as homeowners. In the analogy of cloud services, each enterprise needs to protect your own cloud environment.

17.     It is important that businesses are equipped to work alongside their cloud service providers to secure their use of the cloud.

18.     Last year, CSA launched the Cloud Security Companion guides in partnership with the Cloud Security Alliance.

19.     These Guides make it simpler for enterprises to configure their cloud-based solutions, and they are designed to support companies for certification under the Cyber Essentials and Cyber Trust marks.

20.     We had the support of major cloud service providers, namely Amazon Web Services, Google Cloud, Microsoft, who published their guides specific to their respective platforms. I am glad to note that Alibaba Cloud and Huawei have joined us in publishing similar guides this year.

21.     The top five key cloud service providers in the market now all have companion guides. These guides complement Cyber Essentials and Cyber Trust marks by empowering our enterprises to be cyber safe when using the cloud.

22.     The Cloud Security Alliance has been an instrumental partner in the success of the Companion Guides, and we are taking our partnership one step further through mutual recognition.

23.     I am pleased to announce that there will now be mutual recognition for the CSA Cyber Trust Mark and the Cloud Security Alliance Security, Trust, Assurance and Risk (STAR) certification.

24.     In addition to the benefits of wider recognition between holders of both certifications, this agreement will also reduce the time and effort for STAR-certified organisations seeking certification under Cyber Trust, as there is cross-mapping and mutual acceptance of requirements between the certs. So it is important that organisations get on the cloud. We want them to be able to protect their digital assets. We are also doing so by bringing the different stakeholders together, not just cloud service providers, but partners like Cloud Service Al, to make it easier for our enterprises.

 

Being smart with AI can be safer for all enterprises

25.     The third aspect is how we are supporting enterprises to be cybersecure as they adopt AI.

26.     AI has the potential to support all manner of work, ranging from complex data analytics to the simple use of openly available large language models to answer simple queries.

27.     AI is not just for sophisticated users. We expect AI to become a common feature of all enterprises in the future.

28.     As organisations accelerate their adoption of AI, it is important to ensure that their use of AI is safe and secure. There are risks arising from the use of AI as it can introduce vulnerabilities into enterprise environments if not adequately secured. For example, prompt injection attacks can lead to the model leaking confidential data, or manipulating the model to produce undesired outcomes such as releasing its parameters.

29.     However, the adoption of AI, though rapid, is still relatively nascent. This means that organisations have the opportunity to build safety and security into their use of AI from the start, from the outset. Because it’s emergent, new and nascent, it is better for us to put the safeguards in now, rather than wait till we have legacy infrastructure and start using many of these functionalities and capabilities. It is timely for us to act now.

30.     This is why the Government has been working with industry partners to improve enterprise awareness of risks, and how to implement safeguards into our use of AI.

a.     Nationally, we have recently released a Model Governance Framework for Generative AI, that seeks to foster a trusted AI ecosystem.

b.     CSA has released Guidelines and a Companion Guide on securing AI systems, to support system owners in their adoption of AI. Inputs from relevant local and international partners have been incorporated. We want these guidelines to be a practical document for enterprises to reference. We are not interested in having a very high-level, conceptual, and elegant document with a lot of theory – that’s not our purpose. We want something that is practical, pragmatic, and can be used easily by enterprises. That is our intent.

 

Conclusion

31.     In conclusion, I want to thank the partners and stakeholders who have participated and contributed to securing our digital space, as well as our enterprises in Singapore for your strong partnership and strong support. We could not do this by ourselves. It is not just the Government or organisations - it is an ecosystem coming together, which is not to be taken for granted. It is not everywhere that you find such partnerships in different markets and jurisdictions. The Singapore Government believes in working together very closely. The ecosystem partners, tech service providers, companies, associations, government regulators, and government users are coming together for a common objective of securing cyberspace.

32.     I thank all of you once again for your support. There is a lot more work to be done, but we are continuing to build on the foundation, one layer at a time. If you have ideas, feedback or suggestions, please feel free to let my colleagues know.

33.     I look forward to your continuous support and collaboration, and I wish all of you a productive seminar. Thank you.

+++++

 


 

Report a Cybersecurity Incident

SingCERT encourages the reporting of cybersecurity incidents as it enables us to better understand the scope and nature of cyber incidents in Singapore. This will enable us to issue alerts or advisories on relevant threats, and assist a broader range of individuals and organisations.
Report Incident