Cyber security has never been more important and pressing than today. Business leaders need a practical strategy to adequately manage cyber risks. Innovate interviews Tan Peng Wei, NUS-ISS’ Chief of IT Strategy & Management Practice, to reveal how.
Q: What is the state of cyber security today and should we be concerned?
The world is becoming more connected every second. The Internet of Things (IoT) and popular initiatives, like smart city and autonomous vehicles, are paving the way for an increasing number of sensors and devices to be wired together to track and share information. Today, virtually every modern facility and system, from power plants and mega-factories to trains and smart homes, has a digital brain that takes over dull and mundane tasks in exchange for smooth and perfect operation. Take the healthcare industry for example. Medical and assistive devices are connected to the Internet and patient records uploaded online. Pharmacies are dispensing drugs based on digital authorisation and prescription. These and more recent advances have made healthcare an IT darling. IoT has crept into our lives in so many ways that we may not even be aware of it. What all this bodes is that we are becoming more vulnerable to cyber threats as each device and connection online represents an opportunity for cyber crime or prank. Cyber attacks nowadays have also become sophisticated and inventive, like parcel scams and ransomware, and typically with sinister objectives – extortion, theft and even terrorism. Unfortunately, most people are simply too ill-prepared for a cyber strike.
Q: Will that not deter technology adoption?
With cyber attacks, it is no longer an issue of ‘if’ but ‘when’. One of the hot topics now is the Singapore government’s recent decision to delink Internet access for public servants from next May. Many have found this a surprising, if not regressive, move for ultra-progressive Singapore. I prefer to see this as a stark wake-up call for all of us. As the saying goes, desperate times call for desperate measures. The government’s decision sends home a clear and strong message that the cyber threats are very real and we should not make light of them. Humans will always be the weakest link in cyber security, and with repeated news about data breaches, it’s easy to become desensitized to cyber threats after a while. Segmentation is a practical way to mitigate exposure to malicious links in fraudulent emails that could lead to ransomware and other forms of security breach. Something gives, of course. There would surely be inconveniences as habits would have to change and processes rethought. But I am confident a balance would be found, as always, between security and efficacy. As for the rest of the world, it would take more than cyber attacks to slow the insatiable global demand for more information and the prosperity it promises. Technology adoption may suffer from time to time from bouts of attacks but the world will press on, undaunted, to embrace the digital future.
Q: Will the Singapore government’s approach be viable for corporations?
I don’t think it’s an approach for everyone, especially dot-coms that have to engage and service customers, and organisations that rely on connectivity, nimbleness and innovation for competitiveness. We have simply moved too far ahead to stop short in our tracks. Rather, I think organisations should start by identifying areas of vulnerability and the mission-critical data to be protected, and devise suitable strategies to safeguard them. Let’s say you keep several sets of jewellery at home for daily wear; you will probably do the sensible thing and keep the precious heirlooms in the safe while leaving the costume jewellery within easy reach. Likewise, a practical approach to cyber security would be to decide on the high-priority assets that need to be protected, and to build a better safe for such data. It has become an imperative to build awareness at four levels of the organisation:
1. Business leaders
2. Cyber security professionals
3. ICT experts and project managers
4. General users
Q: How can an organisation go about building awareness at these four levels?
At the senior management level, business leaders could acquire the ability to understand the potential cyber risks at play, selectively identify the proprietary assets that need to be protected, create the right organisational culture, set out the policies for data classification and sharing, and decide on the resources allocated for data protection. The responsibility of developing the technical strategies and action plans to avert the ‘time bombs’ and the ability to react and recover from any cyber attack resides with the cyber security professionals. To be effective gurus, they must have the skills and proficiency to deal with a full spectrum of possible risk scenarios while keeping pace with the latest cyber security trends. For the ICT experts and project managers, they must learn what is needed to build cyber security defences in both the current and new digital solutions for the organisation. Last but not least, the day-to-day user – the organisation’s first line of defence. Every employee should know about basic preventive practices, so that they have a clear understanding of what to look out for. Being careful with passwords, recognising suspicious attachments or links in emails, performing regular data back-ups, etc. are good examples of cyber security practices. In short, to safeguard the organisation against cyber attacks, everyone has a role to play.
Q: That sounds like we have to keep our eyes open at all times. What is your advice to companies that have yet to take any steps in cyber readiness?
Start immediately – the digital arms race is on! As companies internationalise and economies become borderless, the challenges of cyber security are significantly multiplied. In Singapore alone, the government expects to help some 35,000 to 40,000 companies of all sizes to venture overseas in 2016. As corporations put their guard up, you can expect the cyber attacks to intensify in very innovative ways as they are totally uninhibited by social conventions and everything is fair game to them. Step up awareness and be prepared for probable scenarios. Put up your antennae, learn from others and adapt quickly. If you do come under attack, focus on recovery and fortification to reassure stakeholders.
Need help with cyber readiness? Start a conversation with Peng Wei at isstpw@nus.edu.sg.