05 Nov 2015
SPEECH BY DR YAACOB IBRAHIM, MINISTER FOR COMMUNICATIONS AND INFORMATION AND MINISTER-IN-CHARGE OF CYBER SECURITY, AT THE NATIONAL SECURITY CONFERENCE 2015 ON 27 OCTOBER 2015, AT 9.10 AM, AT THE GRAND BALLROOM, GRAND COPTHORNE WATERFRONT HOTEL
Ladies and Gentlemen
Good morning. I am pleased to join you at the National Security Conference today.
2. Cyber threats are a large and growing business risk, across the region and the world. Recognising this, Singapore is increasingly focused on addressing cyber threats. At GovernmentWare 2015 earlier this month, I announced that the Singapore Government is taking reference from Israel and South Korea and will be looking into setting aside 8-10% of our total ICT expenditure for cyber security for government ICT projects. I have also asked CSA to study how this can be institutionalised beyond the Government Critical Infocomm Infrastructure sector. As we study this, businesses should also ask themselves: “How much am I prepared to invest in cyber security?”
Investing in Cyber Security
3. Notice I use the word ‘invest’ deliberately. In the 21st century, spending to build up a business’ cyber defences is no longer just about trying to prevent potential losses, whether monetary or reputational, that may be suffered from a successful attack. A forward-looking business will also adopt strong cyber security measures as a means to stay ahead of evolving threats. On the one hand, it insures the business against devastating cyber attacks that may bring it down at one fell swoop. On the other hand, in the present day when cyber attacks are part of daily life, good security adds value by boosting stakeholders’ trust and customers’ confidence in entrusting the business with their valuable data. This, in turn, can translate into a competitive advantage for the business.
4. Companies worldwide are recognising this, and are putting more of their attention and resources into cyber security. For example, PWC’s Global State of Information Security Survey 2016 finds that between 2014 and 2015, boards of directors have become increasingly involved in discussions on information security strategies, and security spending has correspondingly increased by 24%.
5. I advise local businesses to do the same, and not be left behind. An area where firms can focus more on is cyber security-by-design. Cyber security measures should be considered at the outset when putting systems and networks in place. This pre-emptive, proactive approach will go towards ensuring that these systems and networks are well-protected.
Focusing on ‘Peopleware’
6. To be fully secure, businesses will need to protect themselves against vulnerabilities in three main areas – hardware, software and ‘peopleware’. It is not enough to only rely on enhancing hardware and software systems to counter the latest cyber threats. Businesses will also need to build up ‘peopleware’, by equipping their employees with the awareness, tools and capabilities to handle these threats. Unfortunately, many businesses will emphasise hardware and software, but fewer will also focus on ‘peopleware’. Do not forget Edward Snowden. To take an example, SBF’s recent dipstick survey found that only about 20% of local businesses regularly conduct training for their employees on cyber security.
7. I would strongly urge businesses to correct this situation. When it comes to security, people matter as much as software and hardware, if not more. A fortress may have thick and strong walls, but will still be vulnerable to attack if the guards carelessly leave the gate open. Similarly, careless or ignorant employees can severely weaken a business’ defence against cyber threats. All it takes is for someone to access an unsafe email or URL; to use weak passwords; to disclose company information without proper safeguards, or to lose a company device.
8. This is not idle rhetoric, but an unfortunate fact. IBM’s Cyber Security Intelligence Index 2014 estimated that 95% of all cyber security incidents investigated by IBM involved human error. In such an environment, a business can and should no longer operate in faith that it is secure so long as its hardware and software systems are updated.
9. Investments in ‘peopleware’ will only lead to a more secure environment for the organisation if two challenges are overcome. Firstly, boards and management teams face other pressing demands for resources. In the face of this, it is sometimes not easy to sustain investment in ‘peopleware’ as a consistent business priority. Secondly, businesses need to constantly be resourceful in finding ways to equip their employees with relevant knowledge and tools, and engage them to stay vigilant against shifting threats. These are real and serious challenges for local companies. 98% of businesses in SBF’s dipstick survey claim concern about the vulnerability of their business to a cyber-attack, yet 79% of these concerned businesses also cite resource, manpower, budget or workload constraints as hindering their employee education efforts.
10. While they may appear daunting, I am optimistic that our businesses have what it takes to overcome these challenges. An important step in achieving this is to make sure that programmes for employees are practical and scalable. For example, simple steps such as giving employees regular advisories on how to deal with the latest cyber threats may go a long way towards keeping them aware and ready to counter these threats. Such practices do not require large IT departments or budgets, but can be adopted fairly easily, even by SMEs. Efforts such as the Employee Cyber Security Kit, launched today by SBF and the National Security Coordination Secretariat with CSA’s support, will also help businesses to keep their workforce savvy about cyber security.
11. Another step is to learn from the experience of others in the business community, and from expert practitioners. Platforms for knowledge sharing such as this year’s National Security Conference are helpful in this respect. This year’s conference will focus on minimising vulnerabilities, especially on the ‘peopleware’ front. I would encourage businesses to take in the ideas and insights from today’s discussions, and turn them into long-term solutions that address their unique needs.
12. In conclusion, businesses today can no longer afford to see cyber security as a luxury, but need to treat it as a business priority. Strong cyber security capabilities can provide a distinct competitive edge. However, this requires much work, in strengthening hardware, software, and especially ‘peopleware’. I look forward to the discussions for the day, and I hope they will energise businesses to make that effort to stay ahead in the 21st century.