Organisations are constantly confronted by the threat of cyber attacks targeting their IT systems and data. Without a strong culture of cyber resiliency, more will fall prey to such attacks. Companies must therefore adopt a mindset that they may be compromised any time, and that data will fall into the wrong hands.
At a recent ISCA Breakfast Talk, Ramesh Moosa, EY ASEAN and Singapore Forensic and Integrity Services Leader, and Francis Choy, Director, Forensic and Integrity Services, Ernst & Young Advisory Pte Ltd, shared insights into the evolving cyber threat landscape, key regulations on cybersecurity and data privacy, and leading practices in cyber incident response.
Cyber crimes have risen rapidly during the COVID-19 pandemic as cyber threat actors seek to exploit the disruption caused by the pandemic. Concern about cyber attacks among business leaders is also rising. The “EY Global Board Risk Survey 2021” reveals that 48% of boards believe cyber attacks and data breaches will more than moderately impact their business in the next 12 months. Only 9% of boards are extremely confident that the cyber attack mitigation measures presented to them can protect the organisation from major cyber attacks.
Mr Moosa also highlighted the more stringent data protection regulations that organisations have to comply with, such as having to report data breaches within 72 hours of identifying a breach.
Nowadays, when an organisation falls victim to a cyber incident, there are often visible indicators in the public domain: heavy reliance on technology means the incident is likely to disrupt operations, including somewhere along the external value chain. How the organisation manages the breach, accounts to its stakeholders and regulators, and recovers its systems and operations will be critically judged and amplified by social media. If it fumbles the management of the cyber incident, such as by appearing evasive about the loss of personal data or about internal control failures, it will be cast in a negative light.
As organisations are in a constant state of possible compromise, they must be ready to handle the worst-case incidents. Here are some key steps to consider:
1) Know what you are protecting and up against: Conduct cyber risk assessments and identify key threat scenarios, key data assets and critical systems;
2) Plan and conduct dress rehearsals: Develop cyber incident response playbooks for each threat scenario and conduct simulation drills across the organisation;
3) Be ready to call in the experts: Establish retainer agreements with IT forensic, legal, and/or public relations experts, in the absence of in-house expertise;
4) Assume you have been compromised: Conduct threat hunting exercises and threat intelligence gathering;
5) Quantify and insure potential losses: Assess potential impact and financial losses for key threat scenarios. Consider cyber insurance to offset these losses.
By Nil (Singapore)