SINGAPORE – A majority of companies lacked essential cyber-security measures recommended by the Cyber Security Agency of Singapore (CSA), even as four in five firms experienced a cyber-security incident each year, a new study has found.
Many respondents cited a lack of knowledge of cyber security, as well as concerns about costs and whether they would even be a target of cyber threats.
These were among the findings in CSA’s inaugural Singapore Cybersecurity Health Report, following a study of cyber-security adoption and the challenges that firms face.
The survey, which was released on March 28, was conducted between May and August 2023 and involved 2,036 organisations of all sizes across 23 industry sectors and more than seven non-profit organisation sectors.
Many firms missed out on basic cyber-security measures, CSA found, adding that any gap in implementation is “inadequate” and can expose them to cyber threats.
At least eight in 10 organisations encountered a cyber-security incident each year, according to the study.
Ransomware, in which fraudsters upload malicious software to freeze computer systems and demand payment from victims to restore access, was the most common incident encountered.
Businesses also frequently dealt with social engineering attacks, exploitation of misconfigured cloud systems and Denial of Service attacks, in which bad actors attempt to disrupt a network by spamming it with requests, preventing legitimate users from accessing it.
Nearly half of the businesses faced such cyber-security incidents several times a year, and 5 per cent of respondents said they experienced them several times daily.
At least 40 per cent of companies surveyed said they faced business disruption, reputational damage or data loss due to a cyber-security incident.
More than three in 10 respondents lost money from a cyber-security incident.
Measures lacking
The survey also found companies did not fully implement cyber-security measures that are deemed essential by CSA.
The five measures under the Cyber Essentials largely concern the auditing of data and software and training of personnel; the installation of antiviruses and secure settings; prompt software updates; back-ups for essential data; and having an incident response plan ready for cyber incidents.
Organisations adopted an average of around 70 per cent of the measures recommended, said CSA. Only one in three organisations have implemented at least three of the five categories of measures recommended.
Communications and Information Minister Josephine Teo introduced the survey to industry attendees in a speech on March 20 at the Istari Charter Asia-Pacific Cyber Congress, and said that partial adoption of essential security measures is inadequate.
