by Woon Teck, Managing Director, Risk Advisory division, RSM Singapore
The ransomware cyber-attack that took place in May 2017 was unprecedented in scale and affected more that 230,000 computers in 150 countries. The indiscriminate attack on hospitals and government agencies exploited known vulnerabilities in old systems of Microsoft Windows operating systems. Cyber security now supersedes all technology risks for businesses, and this attack shows many have not yet responded to the threat. From the vantage point of RSM’s global network, I have witnessed, first-hand, how businesses, regulators and criminals have adapted to this phenomenon around the world. Some markets boast sophisticated technology and regulations, while others have restricted access to digital infrastructure. No matter where you look, however, there is one constant. In the arms race between cyber criminals and experts, neither party ever draws far ahead.
Saying that, few markets have surpassed Singapore when it comes to cyber security. Holding large amounts of its citizens’ personal data, Singapore’s public institutions have suffered data breaches in the past and so now take the issue very seriously. This attitude has filtered down to business. Each business operating in Singapore must abide by a technology risk management framework and follow a cyber security checklist. My team are responsible for auditing businesses to ensure they are adhering to these rules.
While regulation varies from country to country, best practice is being shared globally by forward thinking businesses. My colleague, Thilen Pillay, Regional Divisional Director at RSM South Africa, noted: “In mid and North Africa, multinational corporations that have head offices in the developed world will often require their African offices to adhere to the same regulations, whether they are imposed by the company or the state, as the head office.” This has been the driving force behind the development of cyber security in a region where the infrastructure and education around cyber security is still in its infancy.
The latest wave of regulations look not just at cyber protection, but at transparency around security breaches. In Singapore, the government has implemented a strict 48-hour notification window in the event of a data breach. But even in countries where notification rules are not in place, there is good reason to communicate quickly and clearly with customers. As my colleague Gregor Strobl, Partner at RSM Germany explained: “The potential damage to a company’s reputation from losing customer data far outweighs the financial damage caused by a breach or the subsequent fine the company may receive.”
There are two industries, the world over, that are cited as being the most targeted by cyber-attacks: healthcare and financial services. Both hold large amounts of sensitive personal data and are frequently pursued as a result. The financial services sector is perhaps the more obvious target of the two as these businesses hold financial information which can be used in identity theft and even to extract money directly from victims’ bank accounts. The healthcare sector, on the other hand, is a more complex target. Sheila Pancholi, Partner at RSM UK described individual healthcare data as being “10x more valuable on the dark net as financial information.”
With their large customer bases, the retail and telecoms sectors are also lucrative targets for criminals. However, this isn’t to say that other sectors are immune. Indeed, as Greg Vetter, Healthcare Consulting Principal at RSM USA said: “middle market firms in any industry are at risk because they perceive their threat as being lower than that of big business.” Complacency comes second only to a lack of education as a driver of cyber risk. It is a green light to cyber criminals.
There is no single solution to cyber risk, the dangers vary from region to region and industry to industry. In countries with a strong manufacturing base, the increased automation of production lines leads to concerns over sabotage. If production lines are stopped, revenue stops. In service-driven economies, meanwhile, it is essential that data encryption is of the highest level. However, all the regions around the world share one constant; education is the most important aspect of cyber-security. You can have all the tech and assurances in the world but it only takes one human error to leave your company vulnerable. Government regulation can push the issue up the business agenda but until your business instils cyber education throughout the organisation it will all be in vain.
Singapore is ahead of the curve when it comes to cyber security. Regulations are tighter and businesses are smarter, but criminals are keeping up. Put cyber security education and awareness at the centre of your company’s training agenda, develop an internal security forum and, most important of all, start with the assumption that you are being targeted. Making the prudent investments today might just safeguard your reputation, your clients and your business.