As we gear up to become one of the world’s first Smart Nations, are we also opening ourselves up to a whole plethora of cybersecurity risks without realising it?
The Internet of Things (IoT) is now being touted globally as the next big wave of technology, and Singapore wants to ride it in a similarly big way.
The InfoComm Development Authority (IDA) first launched its Smart Nation Initiative on 24 November last year, with a sharp focus on connectivity, Big Data and IoT. The initiative has already launched such endeavours as the telco-driven island-wide high-speed Internet connectivity project, the SMART-NUS Shared Computer Operated Transport driverless cars, as well as the Jurong Lake District Smart Nation trial.
Singapore has been priming itself for the IoT revolution even before the Smart Nation initiative was announced. The nation is listed as the third most globally connected country in the 2014 DHL Global Connectedness Index, having purchased 4.6 million connected devices in the same year, according to industry reports.
But more connected devices also means greater exposure to online security threats, and consumption of technology at a pace like ours may potentially cripple the nation if a major cyber-attack should happen to us.
Fall of the Defences
The Total Defence strategy that Singapore adopted for the last half-century has worked brilliantly as it banks on its most valuable resource – its people – to play their part for the nation’s defence. But now that the country looks to build its Smart Nation vision, it is becoming obvious that Singapore’s Total Defence does not quite cover everything.
Imagine Singapore falling victim to a concerted rogue cyber-attack by an underground group such as Anonymous, or even a terrorist outfit like ISIS, causing mass failure in all the IoT technology we have taken for granted – smart cars, refrigerator, smartphones. Banking institutions carrying our personal account data are also targeted and breached, causing a huge ripple effect on our economy, rendering the money that we carry in our wallets to worthless pieces of paper. The economy, even the government, would come grinding to a halt. Millions would lose their life savings, plunging the nation into a dystopian city. All these can happen anytime, if Singapore isn’t already well-prepared in terms of cyber security, right now.
What has happened in the past?
And cyber-attacks have already been happening on our shores. Singapore has been experiencing data breaches and phishing incidents in the last couple of years, notably with Standard Chartered Bank in December 2013, the government’s SingPass database in June 2014, both M1 and K-Box in September 2014, Nanyang Polytechnic in February 2015, and most recently, the Mazda Singapore website breach in July 2015.
Companies are especially vulnerable, given the rapid spread of corporate technology without very much thought into protecting the technology. This is very much so especially with the e-commerce and m-commerce industry, as the nature of their business involves handling of sensitive customer information, yet the focus on security seems to be neglected. In Singapore, the problem is even more deep-rooted because of a shortage of skilled cybersecurity professionals, due not only to a sudden surge in demand for such skills but also a lack of awareness about the sector.
Cyber-attacks are also expensive. According to a study done by Ponemon Institute in May 2015, the average cost of cleaning up after a breach – even if no data has been compromised, as with the incident involving Mazda – can cost organisations between USD$100,000 to USD$29 million. The cost depends on the number of records compromised, and taking into account the costs for reputation damage, legal action, downtime, business lost, compensation, as well as crisis management.
Measures in place to deter attacks
Preventive cyber security solutions applied at multiple levels, therefore, are far more cost-effective. While attacks can happen to anyone at any time, preventive measures can reduce the success rate of these attacks, and should be adopted as a very necessary part of the organisation’s service offerings for their customers.
There is now also IoT certification, providing secure and organized access management for companies adopting mobile technology to increase employee productivity and response efficiency.
A common misconception is that cyber criminals only target large companies and financial institutions in order to gain great yields from each of their attacks. With cyber attacks, the risks are low as attacks are largely automated processes, run with unsophisticated tools. As such, hackers often target smaller businesses or start-ups as they have lower budget of adequate cyber security measures. The public needs to understand that cybersecurity is more relevant to them than they think.
Singapore is slowly moving towards matching up to global cybersecurity innovations. However, more can be done to better protect our nation against infrastructure-crippling attacks.
Awareness and Education
Awareness will be the first step to achieve public knowledge of cyber security and to date there isn’t an effective campaign in place.
- Perhaps relevant agencies can step up by organising a campaign with a recognisable mascot. We have seen mascots from different Singapore campaigns from before (Singa the Courtesy Lion, Sharity Elephant and Captain Green), educating the young and old through lighthearted yet effective messages, and cyber security awareness spread through such campaigns as well.
- The government’s Pioneer Generation movement has been very effective in educating the older generation on the initiatives and policies, and a cybersecurity-focused campaign should follow suit.
- Besides the recently concluded government-led Hackathon@SG 2015, local tertiary institutes such as Nanyang Polytechnic, Singapore Polytechnic and recently Temasek Polytechnic, have also partnered with cyber security firms to launch training schools for polytechnic students and professionals. Wide-scale corporate education should be conducted with institutions and consultancy agencies as well.
Research and Development
Support on research and development on cybersecurity needs to be enhanced as well.
- With institutes like A*STAR set up in Singapore to be the forefront of biology research in Asia, cyber security research institutes should be set up as well to tap on the collective intelligence of the greatest minds of preventive technology and protocol development.
- Moreover, cybersecurity tools and techniques have to be tailored based on localised data gathered within specific locales in order to effectively tackle regional threats, and R&D institutes set up here will greatly boost Singapore’s cybersecurity technology ahead of our SEA peers, while developing more great minds and talents for this field at the same time.
Companies which handle sensitive databases should take charge of cybersecurity as their first priority.
- Much like insurance and legal budgets, small companies should have adequate budgets for cyber security countermeasures in place. Digital certifications and encryption services should be applied on their assets to protect the sensitive information.
- Crisis recovery teams or skills should be available in a company’s IT department, to aid in recovery in the event of a breach. Companies can train their employees to be equipped with such skills through conducting workshops internally or with external vendors.
Rethinking Total Defence in the new Tech Age
It may take years to successfully build a stronghold in cyberspace to counter attacks, but this is an important investment to strengthen the infrastructure for Singapore’s foray into IoT adoption and becoming a Smart Nation.
More importantly, Singapore’s strong corporate environment also means businesses need to weigh in on cybersecurity efforts, not only to counter the costs of managing attacks, but as an integral contributing partner to maintaining Singapore’s status as Asia’s business hub.
Singapore clearly needs an extensive cyber security strategy. Cyber security is already a global issue with nearly half the world online and set to see 26 billion connected devices by the year 2020. In fact, the United States Department of Defence recognised the need for information defence since 1995; then Air Force Chief of Staff Gen. Ronald R. Fogleman declared cyber security as the next dimension of warfare.
In the rush to get connected to the world, we have to protect what information we expose ourselves, lest the world connects us to something that may do our Smart Nation in.
About Ashlee Ang
Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.