Have the right checks and balances in place when it comes to cyber security.
Singaporean companies are making it too easy for cybercriminals to access their greatest assets by not understanding which assets within their organisations drive value and focusing their efforts on protecting these assets.
As the Cyber Security Agency (CSA) of Singapore’s just released Cyber Threat Landscape Report 2019 highlights, “cyber-attacks have already become more prevalent, with an upsurge of malicious cyber activities locally,’ which means that local business” need to be increasingly vigilant.
Tyler Capson managing director – Asia at asset advisory company EverEdge said, COVID-19 has forced many companies to quickly adopt technology and enable new ways of working, without necessarily having all the right checks and balances in place when it comes to cyber security.
“While cyber/network security systems are absolutely critical, before companies hook up the alarm, they need to better understand what they are trying to protect,” he said. “Cybercrime cases now accounting for more than a quarter of overall crime in Singapore, which means that management teams and directors need to start focusing their efforts towards protecting those assets which are business critical and that give the company its competitive edge.”
Cyber-crime is predominantly focused on targeting a company’s intangible assets, which include such things as data, content, intellectual property, confidential information, trade secrets, and products designs. These assets typically represent more than 87 per cent of company value and by their very nature, tend to be digital, which makes them ripe for the picking by sophisticated cybercriminals, said Capson.
Faced by such a significant threat, Singapore companies are investing hundreds of thousands of dollars and person hours to create network security systems. However, the reality is that these systems are often rendered useless when faced with human error that creates a chink in the company’s armour, or when they are faced with targeted cyberespionage attacks.
With COVID creating an environment where many employees are now working from home, many companies have not had the time or ability to put policies or processes in place to protect their confidential information or digital assets. As the CSA has indicated in its report, this is likely to lead to ‘threat actors capitalising on the new opportunities to gain unauthorised access to users’ data or the organisations’ networks’.
Tyler added, “COVID has led to many companies opening up remote access to their network so that employees can work from home. However, with the majority of data breaches resulting from the carelessness of employees or third-parties with access to information, companies must now quickly move to institute policies and processes to proactively identify, protect and monitor access to their trade secrets, know-how and critical confidential information.”
To do this, EverEdge recommends companies and directors take the following steps, ensuring they can also answer these key questions:
- Identify and value your intangible assets
- What are my intangible assets?
- What is the value of each of these assets? (Both to me and in the hands of someone else)
- Audit your assets
- How and where is our confidential information stored?
- Who has access to our confidential information? (both internally and through third-parties)
- Who else would want our assets and why?
- Assert ownership of assets
- Do we have chain of title and proof of ownership of our assets in order to help provide potential legal recourse if these assets are compromised?
- Policies, Process, & Education Programmes
- Do we have risk mitigation policies and processes in place to protect our most valuable assets?
- Are our efforts focused on protecting our most valuable assets?
- Is there widespread understanding and adherence to our policies and processes?
Management teams and directors need to get smarter about how they approach cybersecurity and ensure that attention and effort is focused on protecting those assets that are truly business-critical, said Capson.
“This requires companies to first understand what they are trying to protect,” he said. “If this step in the process is missed, it is unlikely that a company will have the right measures in place to protect its assets, which is essentially like issuing an open invitation for cybercriminals to come and take what they want.”
