Experts stressed that while Singapore has some of the best infrastructure, technologies and legislation in place to counter the scourge of cyber attacks, all employees — especially the rank-and-file — have a vital role to play.
“The public and private sectors are heavily invested in the staff handling cyber security, information technology (IT), and technical matters by updating their knowledge. However, it’s the normal users who are the weakest link,” said digital forensics specialist Ali Fazeli.
“You can have the best IT system, best IT talent, but it’s really difficult to protect the system and organisation against cyber threats,” the founder of cyber-security firm Infinity Forensics added.
In the public sector, for example, there are some 145,000 officers within the Singapore Public Service, who are hired across 16 ministries and over 60 statutory boards.
All public servants will undergo cyber-security training, the Smart Nation and Digital Government Office told TODAY.
“More exercises will be conducted to sharpen our officers’ response to a cyber-incident. Regular audits will ensure that gaps are discovered and addressed,” its spokesperson said.
Dr Ori Sasson, director of cyber-intelligence firm S2T, said that the challenge for the Singapore Government is the sheer volume of data and the number of systems and employees under its charge.
He said: “Attackers always have the benefit of attacking the weakest link, whereas the defenders have to defend everything they have, which is an asymmetric scenario.”
Employees are especially vulnerable as the majority of cyber attacks begin with one simple phishing email, said Mr Phoram Mehta, head of information security at PayPal Asia Pacific.
For example, phishing, or fake, emails allegedly provided North Korean cyber attackers with a conduit to attack Sony Pictures and the central bank of Bangladesh in 2014. In the latter case, nearly US$81 million (S$109 million) was stolen in the cyber attacks.
Cyber attackers are also using the same tools used by cyber-security experts, such as analytics and automation, to select their victims, Mr Mehta said.
“If you have over a hundred thousand different places to attack, which will you go after, PayPal or a food establishment?”
However, with proper training and the right culture in place, employees can make a difference in determining whether an organisation is cyber secure or vulnerable to cyber attacks.
“We don’t need to teach (rank-and-file employees) the technical things, but we need to tell them how they can misuse their data, and what are the consequences and legal implications,” said Mr Fazeli of Infinity Forensics. “It can be basic training and doesn’t need to be very deep.”