This past year’s high-profile cyber attacks grabbed the attention of boardrooms in Singapore, putting cyber risk at the top of board directors’ agenda. But new research shows a paradox. Although a much higher percentage of Singaporean board members believe they are investing adequately in cybersecurity compared to their peers worldwide, they rank last in terms of their preparedness to handle attacks.
Proofpoint’s Cybersecurity: The 2023 Board Perspective report found that 79% of directors in Singapore believe that their board views cybersecurity as a priority, compared to 73% globally. Additionally, 86% feel they have made adequate cybersecurity investments, significantly higher than the 70% global average.
Despite their investment of time and resources, board members in Singapore feel the least prepared of any country to cope with targeted attacks: 81% view their organisation as unprepared vs. 53% globally. Furthermore, this year’s report also found a significant increase in the number of directors in Singapore who believe their organisation is at risk of a material cyberattack (89% vs. 66% last year).
The year-over-year changes indicate that awareness and funding do not translate into cyber preparedness. The changing threat landscape is likely one of the reasons for this disconnect, especially due to the growing number of phishing attacks. In 2022, the Singapore Cyber Emergency Response Team received 8,500 reports of phishing attempts, more than double the number of cases in 2021.
High-profile cyber attacks that have been hitting closer to home are also contributing to the unease in the boardroom. The breach of Singapore Telecommunications Ltd subsidiary Optus, for instance, exposed the data of 10 million Australians, 40% of that country’s population. Recently, Optus was hit with a class-action lawsuit on behalf of 100,000 affected consumers, illustrating the potential long-term implications of these types of incidents.
Emerging threats, including generative artificial intelligence (AI), exacerbate the challenges that boards face as well. In Singapore, 78% of board members view generative AI tools such as ChatGPT as a security risk.
Organisations are starting to explore the repercussions of this nascent technology, as it is becoming clear that threat actors can use it for nefarious purposes in a multitude of ways. Targeted email fraud is a big concern because these AI tools can deliver much more convincing phishing emails in multiple languages. AI-enabled deepfake technology is also constantly improving, escalating the risk of C-suite impersonation for perpetrating cyber crimes such as account takeover and fraud. As generative AI tools become more widely available and cybercriminals look to benefit from open-source generative AI, the threat landscape will see a tremendous shift.
The great news is that nearly all Singaporean directors (97%) expect to see their cybersecurity budgets increase in the next 12 months. But are they investing in the right defences? To bridge the disconnect between cybersecurity investments and organisational preparedness, boards need to focus on the areas that will make the biggest impact. Yet their limited expertise prevents them from making effective cyber risk decisions.
Improving and expanding the board of directors’ cybersecurity knowledge is the first step to appropriate cybersecurity resource investment. Since every organisation is different, board members must understand their organisation’s unique challenges and the specific threats they must address.
Pushing for more productive conversations
Directors cannot improve their cybersecurity posture alone; they need to forge a strategic alliance with their Chief Information Security Officer (CISO). Yet this is an area of struggle. Only 59% of surveyed directors in Singapore say they interact regularly with their CISO. While this is a great improvement from last year’s 37%, it still means that nearly half of boardrooms lack strong relationships with their security leaders.
Even when boards communicate regularly with their security leaders, the two sides may not speak the same language. CISOs are getting better at translating cyber risk into business risk, but a big gap remains. If CISOs discuss risk with board members from an IT-centric perspective, the information might be too technical, and the board may not feel comfortable enough about their knowledge to ask better questions.
Directors cannot leave it up to CISOs to bridge this gap — they must take the initiative to get up to speed on cybersecurity matters. While this process will have a steep learning curve, it is necessary to ensure they are making effective decisions. Education will enable them to ask pointed rather than boilerplate questions and push their CISO toward a more productive dialogue.
As they seek to boost their expertise, boards should avoid a “one-size-fits-all” approach to this endeavour. Any educational program needs to reflect the organisation’s business model, goals, risk profile, and risk appetite. This is especially important as the threat landscape evolves, the risk environment grows more complicated, and the business priorities change.
While it is understandable that bigger budgets and additional cyber resources are among their top three wishes, board members need to first ensure they are adequately allocating the funds and resources they already have. Better education and stronger relationships with CISOs will give board members the confidence that they are moving in the right direction to protect their organisation, people, and data.
Jennifer Cheng is the director of Cybersecurity Strategy for Asia Pacific & Japan at Proofpoint