Just a third of Singapore firms adopt at least three key cybersecurity measures: survey

ONLY a third of organisations in Singapore have fully implemented at least three of five categories of measures considered as “cyber essentials”, a survey by the government’s cybersecurity body has found.

Local organisations recognise the importance of cybersecurity, but there is still “much room for improvement”, given the partial adoption of the measures, said the Cyber Security Agency of Singapore (CSA) on Thursday (Mar 28).

David Koh, chief executive of the agency, said: “While organisations have put in place some measures to protect their assets, this is not sufficient, given the increasing frequency and scale of cyber threats that we are facing today.”

The CSA launched its first Singapore Cybersecurity Health Report on Thursday. It noted that organisations in Singapore adopted an average of about 70 per cent of the measures in each of the CSA’s five categories of cyber essentials.

The categories are “assets”, “secure/protect”, “update”, “backup”, and “respond”.

Three-quarters of the organisations polled were aware of CSA’s national cybersecurity standards to help organisations prioritise the cybersecurity measures to be implemented.

GET BT IN YOUR INBOX DAILY

Start and end each day with the latest news stories and analyses delivered straight to your inbox.

Sign UpVIEW ALL

But CSA noted that partial adoption was inadequate, and unless all essential measures were adopted, organisations were still exposed to unnecessary cyber risks. This is especially since more than eight in 10 organisations encountered a cybersecurity incident in a year, and about half were hit several times a year, the report found.

The top categories of incidents include ransomware, social engineering scams and exploitation of cloud misconfiguration.

The report noted that these incidents almost always resulted in a negative impact: 99 per cent of the affected organisations reported a business impact, in areas such as business disruption, data loss and reputation damage.

A lack of knowledge and experience was the top challenge for non-adoption of cybersecurity measures; 59 per cent of businesses and 46 per cent of non-profits cited these as factors.

The second-biggest challenge was the perceived unlikelihood of being a target of cyberattacks.

Organisations also noted a lack of manpower and resources, low return on investment, and the lack of a budget for cybersecurity.

CSA said the cost of implementing cyber hygiene measures would typically be a small fraction of the cost of business disruptions, or recovery procedures following cyber incidents.

To implement cyber hygiene measures, CSA estimates that it would cost between S$1,800 and S$4,500 (including funding support) for small organisations with fewer than 20 end-points – devices that connect to a network and thus represent key vulnerable points of entry for cybercriminals.

Koh said: “Organisations should make cybersecurity a priority, and take advantage of the funding support and resources available to catch up. Doing this only after an incident has happened will be much more costly.”

The survey, carried out between May and August 2023, polled 2,036 small, medium-sized and large organisations on various aspects of cybersecurity, such as frequency of cyber incidents, types of business impact suffered and adoption levels of cybersecurity measures.