While a majority of the surveyed companies in Singapore believe that cyber security is important and seek guidance from IT security experts, almost all (91%) of them are in the early stages of security preparedness, according to a survey jointly conducted by Quann and IDC.
The survey covered 150 senior IT professionals from medium-to-large companies based in Singapore, Hong Kong and Malaysia.
“The findings are worrying but they don’t come as a surprise. Many companies are simply not investing enough in IT security, despite the obvious threats,” said Foo Siang-tse, managing director of Quann.
Foo said the lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable. The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg.
While basic IT security features such as firewalls and antivirus are widely deployed by the Singapore companies, more than half (56%) of them do not have Security Intelligence and Event Management Systems to correlate and raise alerts for any anomalies in a timely manner.
Also, 54% of the Singaporean respondents do not have a Security Operations Center (SOC) or a dedicated team to proactively monitor, analyze and respond to cyber security incidents that are flagged by the systems.
The lack of proper monitoring systems and processes means that anomalies picked up by security devices may go unattended and malware may reside and cause damage within corporate networks for long periods.
The survey also finds that 40% of Singaporean respondents do not have incident response plans to protect the companies’ networks and critical data in the event of a cyber attack. Only one-third (33%) of them practise their incident response plans.
Cyber criminals usually target non-IT employees who are seen as the weakest link in cyber security. However, only 33% of the Singapore companies require all members of the organization—from the CEO down—to take part in IT security awareness training.
Many Singapore companies (75%) do not have a dedicated IT security budget and planning process. They also do not have round-the-clock security support, with 32% having security support only during work hours, and 25% only during the work week.