Cybersecurity in Singapore
Information & Communications Technology and Media | 21 Jan 2021
In this article, we will look at cybersecurity in Singapore. While some topics will overlap with previous articles, where we looked at what cyberattacks are and at some cybersecurity best practices companies can start with to protect their business, we hope to contextualise some cybersecurity issues at the local level.
In Aug 2020, the Cybersecurity Public Awareness Survey 2019 reported that 28 percent of respondents had experienced at least one cyber incident in the past 12 months. Interestingly, while 82 percent said they were concerned about their computer being controlled by hackers illegally, only 32 percent felt this was likely to happen to them.
In Southeast Asia, the top four cyberattacks were unintentional downloads of dubious files, malicious attachments from online email services, browser extensions activity, and malicious communications with command and control (C2C) servers.
Threats in Singapore
Cyberattacks have been on the rise in Singapore since 2017, following the breaches of SingHealth, Sephora, AXA Insurance, Uber, and Red Cross, alongside the leaking of Singapore HIV data and security scares at the Ministry of Defence and Singapore Armed Forces. Singapore has become a hotbed for hackers due to the wealth of data available, with even Prime Minister Lee Hsien Loong on the target list.
A report by the Cyber Security Agency (CSA) of Singapore stated that the frequency and sophistication of cyber threats in Singapore, such as website defacements, phishing incidents, and malware activities, rose in 2019. Cybercrime accounted for more than a quarter of all crimes in Singapore in the same year.
The average cost of a cybersecurity attack for organisations in Singapore stands at approximately S$1.7 million per breach, the highest estimated cost stemming from a breach across Asia Pacific, ahead of markets such as Australia, Hong Kong, India, Indonesia, Malaysia, New Zealand, and Thailand. A McAfee Cyber Resilience Report estimated that costs reported by respondents in Singapore were more than double those of the next highest country in Asia Pacific, Indonesia, where the financial implications were about S$785,000 per breach.
Cyber threats in Singapore during COVID-19
The report by CSA also noted that cyber-attackers are exploiting the panic and fear caused by the COVID-19 pandemic: “such malicious cyber activities emerged globally in late December 2019 and may persist beyond 2020.” Cybersecurity vendors observed that successful COVID-19-themed phishing attacks were on the rise through the first few months of 2020.
The report also noted a global rise in cyber threats capitalising on the COVID-19 pandemic to target frontline organisations, businesses, and individuals. The attackers range from cyber criminals seeking financial gain to groups attempting to gain access to classified information.
“As one of the most connected countries in the world, Singapore remains a target for cyberattacks and cybercrime,” said CSA chief executive David Koh. “Threat actors have continued to evolve their tactics, resulting in an intensification of malicious cyber activities in 2019. It is important for us to shake off the ‘it will not happen to me’ mindset, stay vigilant, and take steps to protect ourselves online so that we do not become the next victim.”
The CSA will launch a Safer Cyberspace Masterplan to better protect Singaporeans and enterprises in the digital domain. During the COVID-19 pandemic, CSA will also be raising cybersecurity awareness and promoting the adoption of cybersecurity measures. Examples include television programmes in dialects, as well as virtual talks and videos targeted at the various audiences. This will be critical at a time when so many daily functions have gone digital because of social distancing.
The state of cybersecurity in Singapore
According to the CSA report, 47,500 Singapore-hosted phishing URLs were detected in 2019, a sharp increase from 16,100 in 2018. Local businesses that fell victim included technology firms, banking and financial organisations, and e-mail service providers. The Immigration & Checkpoints Authority, Ministry of Manpower and Singapore Police Force were the most frequently hit government organisations.
For ransomware attacks, CSA received 35 reports in 2019, up from 21 cases the previous year. Victims of ransomware attacks were largely from the travel and tourism, manufacturing, and logistics industries.
“Across the region, Singapore has performed well in terms of maintaining its high position for having the least number of cyber threats blocked relative to its neighbours, regardless of whether they are internet-borne or local in nature,” said Yeo Siang Tiong, general manager at Kaspersky Southeast Asia.
“These noteworthy results are commendable, and we have to give a nod on how public and private institutions in the country are working together actively to keep the digital aspect of the Republic safe and secured,” he added.
However, the series of cybersecurity incidents, including the leakage of personal data of 2,400 Ministry of Defence personnel and the Sephora hack, showed that Singapore continues to be a key target.
Separately, a 2020 Global Threat Intelligence Report by technology services firm NTT found that 29 percent of attacks in Singapore in 2019 targeted the education sector, particularly higher education institutions. The education sector was the second most-targeted by hackers after the government sector, which attracted 38 percent of all attacks.
Mr Neville Burdan, NTT’s director of cybersecurity in Asia-Pacific, said that in the government sector, attackers are primarily looking to disrupt critical infrastructure or to obtain classified information. However, education institutions are seen as “softer targets” as they may not have enough advanced security protocols to fend off the cyberattacks.
He added that the education sector is attractive because of the volume of computer resources available, and how attackers can gain unauthorised access to mine cryptocurrency or spread ransomware. They are also after valuable data like projects that companies are funding or government-funded research, or people’s details and credentials which can be sold on the dark web.
Difficulty in identifying phishing emails
Phishing remains a popular way for cyber attackers to target victims. The Cybersecurity Public Awareness Survey 2019 showed that about two-thirds of respondents knew what phishing was.
Of these two-thirds:
- 86 percent were able to identify phishing emails promising attractive rewards
- 57 percent were able to identify emails with suspicious attachments
- 55 percent were able to identify emails using urgent or threatening language
- 53 percent were able to identify emails requesting confidential information
- BUT only four percent could identify all the phishing emails correctly.
Mobile Transactions are Up While Use of Antivirus Remains Low
The survey also found that more respondents use their personal mobile devices for online transactions, up from 73 percent in 2018 to 80 percent in 2019. However, only 47 percent installed security applications on their mobile devices. This is despite 85 percent indicating they understood the risks of not having security apps, and 64 percent saying they knew how to use them.
What Singapore is doing to meet cybersecurity challenges
One initiative is the Cybersecurity Career Mentoring Programme, developed jointly by the Singapore Computer Society (SCS) and the Cyber Security Agency (CSA). The programme aims to help aspiring young professionals and tertiary students on their cybersecurity career journey.
IndSights Research spoke to a few ICT (Information and Communications Technology) companies, including those in the business of cybersecurity. The general sentiments are that it is sometimes challenging to find tech-talents with industry-specific domain knowledge and deep technical skills, such as cybersecurity professionals with engineering experience or threat-hunting specialists. There is also the difficulty in recruiting at higher levels such as for a director. It would be interesting to see how much impact the mentoring programme would make and how SCS and CSA would measure this impact.
In February 2020, the Singapore government said it would set aside S$1bn over the next three years to build up its cyber and data security capabilities, to safeguard citizens’ data and critical information infrastructure (CII) systems.
As digitisation becomes more pervasive, Singapore’s deputy prime minister and finance minister Heng Swee Keat said that the CSA is preparing for the next level of cybersecurity with the growing use of artificial intelligence (AI), cloud computing and the internet of things (IoT). The announcement came on the back of a CSA masterplan unveiled in October 2019. Developed together with industry partners, the masterplan details the development of capabilities to secure operational technology (OT) systems and plans to set up an OT cybersecurity information sharing and analysis centre.
Cybersecurity labelling scheme
The CSA is introducing the Cybersecurity Labelling Scheme (CLS) for network-connected smart devices. The scheme, the first of its kind in Asia-Pacific, will provide different levels of cybersecurity ratings to help consumers make informed choices about the security features of the smart devices they purchase.
The scheme will be aligned to global security standards for consumer IoT products. The CSA hopes to incentivise manufacturers and product suppliers to develop products with recognised and improved security features through this.
Cyber threats trends in Singapore
So, what trends should we expect in the future for cybersecurity in Singapore? In its Singapore Cyber Landscape 2019 report, the CSA noted the rise in cyber threats targeted at various local industries, such as e-commerce, banking, and finance. The cyber threats included common malicious activities such as website defacements, phishing incidents and malware infections. The report identified two trends that are expected to increase the cybersecurity “attack surface”:
- The transition by organisations into cloud computing, and
- Security risks associated with working from home in the post-pandemic “new normal”.
Other trends expected to have an impact on cybersecurity include artificial intelligence (AI), 5G, the surge in IoT devices, and quantum computing.
Huang Shao Fei, president of Cybersecurity Chapter at SCS, assessed the security threats set to impact the city-state. “The most dangerous concerns in the market today are supply-chain cybersecurity threats, in addition to unconventional, chain-linked threats that do not depend on one single attack vector. In particular, supply-chain threats include Tier 2 and Tier 3 suppliers and sub-contractors that could compromise security, with organisations being the last one to find out they’ve been compromised.”
Huang continued, “Machine learning, while relatively nascent at this stage, has great potential in detecting supply-chain and non-conventional threats. Also, blockchain technology has the potential to mitigate some supply-chain risks…”.
In conclusion, it is a sound strategy to have a comprehensive cybersecurity plan embracing all parts of the organisation, regardless of cyber threat trends. The litmus test of any security investment lies in whether it delivers value to the organisation’s mission and priorities. The McAfee Cyber Resilience Report found that 92 percent of Singaporean organisations revealed plans to invest more in cybersecurity in 2020. All businesses should consider investing in cybersecurity, if not already doing so.
This article is contributed by Moses Ku, Manager (Engagement), IndSights Research.