Cybersecurity: Why, How and the Future

The speakers of Kopi Chat Deep Dive: Generation Cyber from left to right (Steven Lim, Senior Solutions Consultant (WorldPay), Calvin Ng, Deputy Director, Technology Division, Cyber Security Agency of Singapore (CSA), Mr Nga Chee Wei, CEO of CapVista, Mr Wilson Tan, Director of the Singtel Cybersecurity Institute, Matthias Chin, Founder of Banff Cyber and the moderators (Lucy Chan and Nikolas Tay) from NUS Greyhats, an information security interest group, at the sides.

Cybersecurity is one of the key enablers of Singapore’s vision of a Smart Nation. As there is increasing inter-connectivity between digital systems and devices, a single cyberattack can have devastating consequences across various sectors.

Singapore’s cybersecurity strategy, which requires collective action from stakeholders across the government, industry, academia and communities, will build a resilient and trusted cyber environment.

“A combination of a competition and professional cybersecurity workforce, robust processes and state-of-the-art technology is necessary to drive Singapore’s cybersecurity strategy.” said Mr Calvin Ng, Deputy Director, Technology Division, Cyber Security Agency of Singapore (CSA).

He was speaking at the Kopi Chat Deep Dive: Generation Cyber on 8 November, organised by BLOCK71 Singapore and moderated by NUS Greyhats. Joining him at the session on cybersecurity trends, risks and opportunities and the subsequent panel discussion were Mr Wilson Tan, Director of the Singtel Cybersecurity Institute, Mr Nga Chee Wei, CEO of CapVista, Matthias Chin, Founder of Banff Cyber and Steven Lim, Senior Solutions Consultant (WorldPay).

If you didn’t manage to attend the session, read the following section for the key takeaways!

Q and A

How have your organisation’s systems evolved with the cybersecurity landscape?

“Hackers are becoming more sophisticated. So the question is how do you augment the analyst’s role with technology to make his work process more efficient “ — Wilson

“We need to know that today we are treading in a unfriendly world. Our priority is to defend our critical assets. We need to understand the threats before we allocate the resources to protect them. For small businesses, they are part of the supply chain and they are important too. [In the handling of incident] Once we have dissected the problems, we will know what are the defences to employ. There is a spectrum of strategies we can use to protect our assets.” — Calvin

“In this fast paced industry, we are collaborating with partners, including start-ups, to tackle challenges. We need to work together to create a whole that is greater than the sum of its parts.” — Chee Wei

What follow-up measures does your organisation take when responding to such developments (e.g. WannaCry, HeartBleed, Petya)?

“Ransomware attacks in Singapore are not as bad compared to other countries. CSA is trying to bring the awareness that you need to have protective measures to defence againstcyberattack and one of the ways that CSA engage incident is to issue an advisory” — Calvin

“From an organizational business perspective, the question to ask is, do we know if anyone is probing my website or network? The moment you have an IP address, a website, a PC, you are potentially exposed and need to take proactive measures as best as you can.” — Matthias

What are the important skillsets needed for one to enter the field of cybersecurity?

“ We need people with varied skill-sets such as social science and humanities. A combination of expertise will enable more accurate and comprehensive solutions to be built to counter attacks.” — Chee Wei

“There is a transition in the skills needed. Previously, the skills needed were to understand programming languages but now technology has advanced to do that. One should have a security mindset and a thought process which can be applied to various domains. Cybersecurity cuts across a lot of domains so one must have different perspectives.” — Calvin

“From my previous experience, attackers only need three commands to launch an attack and the defender has to look through tonnes of code to find out where it has been exploited. It is really a tough job for the defender. The key question is, is there a way to automate cybersecurity defences so that it is simple and affordable for the masses?” — Matthias

“Fraudsters are sophisticated, while they cannot crack a defence today, they will crack it the next week. Hence, solutions need to be dynamic to deal with them. While machine learning can help to ameliorate this, there must still be a human operator to drive and manage the process.” — Steven

Besides the panel discussion, there was a showcase of cybersecurity start-ups (e.g. Horangi Cybersecurity, Insider Security, WebOrion) during the event.

Are cybersecurity solutions being piloted by start-ups or more in the sphere of research?

“I would encourage start-ups to mix with researchers. Researchers can come up with solutions but they do not penetrate the industry fast enough. There are many opportunities for cross-fertilisation and for researchers and start-up to bridge this gap.” — Calvin

A famous adage that humans are the weakest link but most solutions are technology-based. Is there a human-based approach to cybersecurity?

“You cannot do away with human fallibility. Phishing is still the easiest way for hackers to get information. Most people will delete or file away a suspicious email but increasingly, we are training people to report such instances. It is important to raise the awareness of cybersecurity measures in people.”— Wilson

How can one inculcate cybersecurity awareness in a start-up?

“First, we need to adopt a security by design approach in everything we do. Second, we need to create a mindset of putting security first. If security can be taken as a commodity, like how trust is taken as a commodity, for example, you can rate your Uber driver based on his reliability, people will start to take it seriously.”— Wilson

How would your company justify cybersecurity spending?

“The Cybersecurity Bill is to bring responsibility and accountability from an critical infrastructure perspective. People must know that important services can be compromised if cybersecurity measures are not in place and someone must be accountable. For small companies, they are too focused on delivering products and might not focus on cybersecurity. It is possible that their business might crash due to an attack. Businesses must be aware of what assets they want to protect and then they can project the appropriate cybersecurity spending.” — Calvin

“The challenge for start-ups is that there are too many things to do and there is not enough resources. As a start-up founder, you must cascade this mindset to the rest of your team. It starts from the top, it is hard for an engineer to approach a founder on this subject. Another way is to look for solutions that are affordable for startups eg. WebOrion. Hackers are not all out to get you unless you are a really easy or soft target. If your start-up has some basic defences in place, they will give it a try and if they are unable to get through, they will move on to other easier targets.” — Matthias

For more great entrepreneur themed articles delivered weekly to your inbox, subscribe to the BLOCK71 newsletter here!

NUS Enterprise nurtures entrepreneurial talents with global mindsets, while advancing innovation and entrepreneurship at Asia’s leading university.