Most firms face cyber incidents, but lack basic cyber-security measures: CSA study

Ransomware and social engineering tactics are among the most common cyber incidents faced by companies. PHOTO: ST FILE

SINGAPORE – A majority of companies lacked essential cyber-security measures recommended by the Cyber Security Agency of Singapore (CSA), even as four in five firms experienced a cyber-security incident each year, a new study has found.

Many respondents cited a lack of knowledge of cyber security, as well as concerns about costs and whether they would even be a target of cyber threats.

These were among the findings in CSA’s inaugural Singapore Cybersecurity Health Report, following a study of cyber-security adoption and the challenges that firms face.

The survey, which was released on March 28, was conducted between May and August 2023 and involved 2,036 organisations of all sizes across 23 industry sectors and more than seven non-profit organisation sectors.

Many firms missed out on basic cyber-security measures, CSA found, adding that any gap in implementation is “inadequate” and can expose them to cyber threats.

At least eight in 10 organisations encountered a cyber-security incident each year, according to the study.

Ransomware, in which fraudsters upload malicious software to freeze computer systems and demand payment from victims to restore access, was the most common incident encountered.

Businesses also frequently dealt with social engineering attacks, exploitation of misconfigured cloud systems and Denial of Service attacks, in which bad actors attempt to disrupt a network by spamming it with requests, preventing legitimate users from accessing it.

Nearly half of the businesses faced such cyber-security incidents several times a year, and 5 per cent of respondents said they experienced them several times daily.

At least 40 per cent of companies surveyed said they faced business disruption, reputational damage or data loss due to a cyber-security incident.

More than three in 10 respondents lost money from a cyber-security incident.

Measures lacking

The survey also found companies did not fully implement cyber-security measures that are deemed essential by CSA.

The five measures under the Cyber Essentials largely concern the auditing of data and software and training of personnel; the installation of antiviruses and secure settings; prompt software updates; back-ups for essential data; and having an incident response plan ready for cyber incidents.

Organisations adopted an average of around 70 per cent of the measures recommended, said CSA. Only one in three organisations have implemented at least three of the five categories of measures recommended.

Communications and Information Minister Josephine Teo introduced the survey to industry attendees in a speech on March 20 at the Istari Charter Asia-Pacific Cyber Congress, and said that partial adoption of essential security measures is inadequate.

“Unless all these essential measures are adopted, the organisations are exposed to unnecessary cyber risks. In CSA’s view, the passing mark should be set high enough to give assurance,” said Mrs Teo. “That means adopting the full package of essential measures in all of the five categories.”

She said then that small and medium-sized enterprises (SMEs) were “exceptionally weak” in virus protection and access control, which restricts access to sensitive data. Less than 20 per cent have adopted such measures fully.  

Up to 30 per cent of SMEs lacked incident responses and did not update their software regularly, according to statistics Mrs Teo gave then.

Companies cited a lack of knowledge and experience as the top challenge for businesses, which is understandable given how quickly cyber risks evolve, said CSA in its report.

Almost half of the respondents expressed scepticism about the likelihood of becoming targets of cyber attacks; others pointed to shortages in manpower and resources as hurdles in adopting stronger cyber-security protocols.

CSA chief executive David Koh said in a statement about the report: “Organisations should make cyber security a priority and take advantage of the funding support and resources available to catch up.

“Doing this only after an incident has happened will be much more costly.”

Join ST's Telegram channel and get the latest breaking news delivered to you.