Singaporeans bore the brunt of two massive cybersecurity breaches at the end of October. 1.1 million RedMart user accounts were reported stolen in a Lazada breach and put up for sale, and 400,000 Singaporeans on Eatigo were among the 2.8 million affected in a similar incident on 30th October.

With a population of 5.7 million in Singapore, these two major breaches are a wake-up call to take cybersecurity seriously. The seriousness of this issue is compounded by people signing up for more digital services, and by businesses in Singapore moving and expanding their processes digitally in response to the COVID-19 pandemic.

A 2016 cybercrime report states that cybercrime has grown from US $3 trillion in 2015 and will cost the world more than US $6 trillion annually by 2021. As cyber attacks proliferate, so does the need for quality cybersecurity professionals.

A cybersecurity team fills the multiple roles and responsibilities that a business needs to cover its bases, and different companies start at different points in their cybersecurity readiness journey. Cybersecurity positions across the world grew by 350% from 1 million positions in 2013 to 3.5 million in 2021. Yet, reports have shown that fewer than 1 in 4 are qualified for the task at hand. With that in mind, here are some of the points that businesses should consider when putting their cybersecurity team together.

Different technology domains require different expertise

As we move towards newer domains such as IoT, blockchain, and cloud technology, the security requirements change. No individual can handle all of it on their own; identify the technologies that the company has, to get a better idea of who you need in the team.

Experience and competency

Basic knowledge of penetration testing on machines and networks is a must. The cybersecurity professional must be familiar with basic web application attacks and common attack vectors such as phishing, email spoofing, etc. Having experience in development will help in understanding attacks better. The cybersecurity professional must have practical experience in the specific field, and it is important to ensure that certifications are up to scratch.

Cyberattacks do not follow a 9-5 schedule

Due to the severity of security breaches, the usual 9-5 working hours do not apply to cybersecurity professionals. If a security breach is identified or something appears suspicious, they can be called upon immediately. When it comes to averting a crisis, time is of the essence.

The in-house cybersecurity team doesn’t work in isolation; its effectiveness can be bolstered by getting the rest of the organisation on board, as well as through assistance from cybersecurity service providers. Companies should keep the following points in mind.

Cybersecurity is nothing without awareness

Your cybersecurity is only as strong as your weakest link. Though members of your cybersecurity team are equipped and knowledgeable about the possible dangers, their work can be undone by people in the organisation whom hackers target through social engineering. Security awareness training should be conducted to educate everyone to be aware of attacks such as spear phishing and email spoofing.

Understanding the social engineering life cycle. Image courtesy of Pentester Academy

Stress test in a controlled environment regularly

Periodically testing the resilience of a company’s cybersecurity measures is crucial. Having a red team (attacker) and blue team (defender) to test the systems in a controlled environment helps with that. The red team’s job is to find ways to exploit and reveal vulnerabilities. Though the blue team can be in-house, the red team is normally hired from outside the company. It has the skills to exploit security vulnerabilities but no knowledge of the protection that the company has, so the exercise mimics the reality of an attack as closely as possible.

Consider a bug bounty programme

Microsoft has spent US $13.7 million in the last 12 months on bug bounty programs. Bug bounty programs have gained popularity over the years: platforms such as HackerOne and Bugcrowd have garnered more traction, and bug bounties come across as a means of crowdsourcing a company’s cybersecurity needs. Companies have to weigh the cost and benefit of bug bounties. On one hand, hacker groups and individuals are motivated to find and report security flaws, at a fraction of the cost of a real attack, rather than selling them to malicious parties. On the other hand, it is costly to have that as the only option. A bug bounty program is a great supplement, but it should not be seen as a replacement for an in-house cybersecurity team.

Cybersecurity professionals will be a staple of any reputable company

It costs Singaporean companies on average SG $1.7 million per breach, and the damage does not end with a financial loss. It also affects the reputation of the company and the trust that any existing or potential customers might have, and can even lead to legal proceedings. Sometimes it can take the company years to recover from a severe cyberattack.

Cyberthreats are increasing at an alarming rate with greater sophistication and will continue to do so in the future. Sometimes attackers might gain access to a system and spend months waiting for the right time. With larger companies having more complex infrastructures, it might not be possible to detect the presence of the attacker right away. 

Thus the value of having trained cybersecurity professionals is significant. With businesses becoming more digitalised, it is imperative that cybersecurity be top-of-mind, not an afterthought, in any digital initiative that a business undertakes.

This article was contributed by Vivek Ramachandran, Founder & CEO of Pentester Academy

About the author

Vivek Ramachandran is the Founder and CEO of Pentester Academy. We now train thousands of customers from government agencies, Fortune 500 companies, and smaller enterprises from over 90 countries.

Vivek has been researching Wi-Fi security for over a decade. He discovered the Caffe Latte attack, broke WEP Cloaking, conceptualized enterprise Wi-Fi Backdoors, created Chellam (Wi-Fi Firewall), WiMonitor Enterprise (802.11ac monitoring), Chigula (Wi-Fi traffic analysis via SQL), Deceptacon (IoT Honeypots) and others. He is the author of multiple five-star-rated books on Wi-Fi security which have together sold over 20,000 copies worldwide and have been translated into multiple languages.

He is a regular speaker/trainer at top security conferences such as Blackhat USA, Europe and Abu Dhabi, DEFCON, Brucon, Hacktivity and others. Vivek’s work on wireless security (Caffe Latte attack) has been quoted in BBC online, InfoWorld, MacWorld, The Register, IT World Canada and others.