By Richard Koh, Chief Technology Officer, Microsoft Singapore
This article was first published in The Business Times on 18 July 2018.
Many business and IT leaders whom I have spoken to agree that technology is a disruptive force – one that enables new business models, opens new sources of revenue and shapes entire industry landscapes. However, one of the biggest challenges in digital transformation is in ensuring security, privacy, and compliance.
As employees bring devices, apps, and data into organisations, protecting company data becomes more important than ever before. In today’s digital world, traditional IT boundaries are fast disappearing and adversaries are continuously identifying new targets to attack. Against this backdrop, organisations that do not prioritise security face the risk of significant financial loss, damage to customer satisfaction and market reputation – as has been made all too clear by recent high-profile breaches.
The recent Singapore Cyber Landscape Report 2017 painted a clear picture of the cybersecurity risks that Singapore faced in the past year. What was interesting to note was that global incidents such as the mass defacement of WordPress websites, WannaCry and NotPetya ransomware attacks as well as the Yahoo! data breach seem to mirror the local cybersecurity incidents that we encounter here in Singapore.
While organisations in Singapore emerged relatively unscathed from the incidents that took place last year, the report revealed that there is still much work to do. In 2018, we expect to see more attacks on businesses and individuals, growing threats to connected mobile devices, bolder moves by state-linked cyber actors, increased targeting of weak links, and more signs of artificial intelligence (AI) enabled cyberthreats and solutions being used.
This means that cybersecurity cannot be an afterthought for organisations of any size here, as threats are becoming increasingly malicious, with potentially bigger impact on businesses as the threat landscape evolves.
The true cost of cybersecurity incidents – economic, opportunity and job losses
Earlier this year, Microsoft conducted a cybersecurity study in partnership with Frost & Sullivan, with the aim of providing business and IT decision makers with insights into the economic cost of cybersecurity breaches in Singapore and identifying key gaps in organisations’ cybersecurity strategies.
The study, which was conducted with 1,300 business and IT decision makers across the Asia Pacific region, including 100 from Singapore, revealed that business and IT leaders often underestimate the business and economic impact of a cyberattack, and that what leaders see at the moment could merely be the tip of an iceberg. By calculating the direct, indirect and induced losses associated with a cybersecurity incident using the Frost & Sullivan economic loss model, the study found that the potential economic loss in Singapore due to these incidents can hit a staggering US$17.7 billion, amounting to 6 percent of Singapore’s total GDP of US$297 billion.
This also points to the idea that the direct losses incurred because of a cybersecurity incident – the financial losses associated with it, including loss of productivity, fines, remediation costs, etc. – only form a part of the total. Indirect costs, such as the opportunity costs to the organisation from customer churn due to reputation loss, and the impact of a cyber breach on the broader ecosystem and economy, such as the decrease in consumer and enterprise spending, also add up to form the bigger picture. Together they reflect the true cost of cybersecurity incidents, which is often much larger than what most leaders imagine.
Prioritising security in your organisation’s digital transformation journey
Cybersecurity incidents are extremely costly for organisations of all sizes in Singapore – averaging US$13.8 million in economic loss for a large-size organisation and US$177,000 for a mid-size organisation – so cybersecurity needs to be prioritised in an organisation’s digital transformation strategy in order to help lay the secure foundation for its continued growth in the future.
Each year, Microsoft invests in research and development, spending over a billion dollars, to discover ways to help organisations withstand and respond to cyberattacks through a unique combination of our intelligence, platform and partners. Drawing from our learnings, here are five cybersecurity best practices that can help organisations strengthen their cyber-defense in the digital world:
- #1: Prioritise cybersecurity as a digital transformation enabler: The disconnect between cybersecurity practices and digital transformation efforts creates frustration for employees. Positioning cybersecurity as a prerequisite for digital transformation not only keeps the company safe through its journey, it also presents an opportunity for business leaders to abandon aging cybersecurity practices and embrace new methods of countering today’s cyber risks.
- #2: Invest in strengthening your security fundamentals: Over 90% of cyber incidents can be averted by maintaining the most basic best practices. Maintaining strong passwords, using multi-factor authentication conditionally against suspicious authentications, and keeping device operating systems, software and anti-malware protection up-to-date and genuine can rapidly raise the bar against cyberattacks. This should include not just tool-sets but also training and policies to support stronger fundamentals.
- #3: Maximise skills and tools by leveraging integrated best-of-suite tools: Contrary to the popular belief that deploying a large portfolio of cybersecurity solutions will render stronger protection, our survey revealed that 29% of respondents with more than 50 cybersecurity solutions could recover from cyberattacks within an hour. In contrast, 38% with fewer than 10 cybersecurity solutions said that they can recover from cyberattacks within an hour. Reducing the complexity of your security operations through the use of integrated best-of-suite tools could be a great way to maximise your risk coverage without the risk of introducing too many tools and complexity to the environment.
- #4: Assessment, review and continuous compliance: Assessments and reviews should be conducted regularly to test for potential gaps that may occur as the organisation is rapidly transforming. The board should keep tabs on not just compliance with industry regulations but also how the organisation is progressing against security best practices.
- #5: Leverage AI to increase capabilities and capacity: With security capabilities in short supply, organisations need to look to automation and AI to improve the capabilities and capacity of their security operations. Current advancements in AI have shown a lot of promise, not just in raising detections that would otherwise be missed but also in reasoning over how the various data signals should be interpreted, with recommended actions. Such systems have seen great success in cloud implementations where huge volumes of data can be processed rapidly.