Singapore consumers are feeling the impact of record data breach costs

Ransomware assaults and other cyberthreats are no longer exclusive to the digital world. They now overflow into the physical world with negative effects on the outside world.

When it comes to operational challenges, few mistakes are as costly as data breaches. Just one exploited vulnerability can lead to millions in damages, not just due to upfront disruption, but a loss of confidence from consumers and potential compliance liabilities. 

How ready are Singapore enterprises for a major cyberattack? 

• Prior to the COVID-19 pandemic, Singapore enterprises have been through similar episodes in the past albeit on a smaller scale such as SARS in 2003 and H1N1 in 2009.  Through lessons learned from these past episodes, some companies have devised business continuity measures and continued to refine them over time with regular exercises to familiarize their employees with the response plans.  While these measures may not completely mitigate the effects of COVID-19 when it struck due to its far-reaching implications which may not have been foreseen prior. It is clear that companies that have considered and practiced their responses during “peace-time” would be in a far better position to deal with the business implications of COVID-19.    
• The state of readiness of Singapore enterprises against the effects of a major cyberattack such as ransomware.  Companies that have kept up with the rapid developments in the cyber threat landscape and continued to hone their defenses as well as practice their responses in cyberspace would be far better off in responding to a major cyber attack than another company that does not do that.  
• Cyber resilience is the ability to keep operating even if hackers penetrate your defences.  As with COVID-19, having ‘vaccination’ is key to our response to a major cyberattack.  In cyberspace, implementing Zero Trust architectures holistically with relevant solutions and processes as well as adopting the ‘Assume Breached’ mindset is the ‘vaccination’ enterprises need to safeguard themselves against ‘cyber pandemics’ such as the proliferation of ransomware that many enterprises need to contend with today” he explained.  “While it may not totally prevent an enterprise from being ‘infected’ by malware, having such vaccination drastically reduces the probability of an enterprise being fatally affected.
• However, malware in cyberspace mutates just like viruses in real life too.  It is, therefore, crucial for enterprises to always review if the efficacy of the ‘vaccination’ is waning and if ‘boosters’ i.e. additional counter-measures are needed against the rapidly mutating cyber threats.

Singapore’s cybersecurity state

• Cyber threats such as ransomware attacks are no longer contained in the digital domain. They now spill over into the physical realm, with real-world consequences. We have seen this globally, especially with the recent uptick in international ransomware attacks. In the Colonial Pipeline incident, the company’s week-long shutdown affected the supply of fuel to about 50 million customers. Another example is the ransomware attacks on healthcare services in Ireland and New Zealand that caused a shutdown of the affected IT systems. As patient records became inaccessible, surgeries had to be postponed and outpatient services suspended.
• Given Singapore’s Smart Nation roadmap and ambitions to become a global financial hub, rising cyberattacks have also prompted action from the Government to help enterprises play a bigger and more active role in managing cyber risk.
• To date, Singapore has also not experienced any ransomware attacks of a massive and systemic nature or any which have impacted its Critical Information Infrastructure (CII) operators. The critical sectors include energy, water, banking and finance, healthcare, transport, government, infocomm, media and security, and emergency services.
• With the rise in global ransomware incidents, Cyber Security Agency of Singapore (CSA) has taken proactive steps to safeguard the country’s CII and directed these sectors to “raise their cybersecurity posture” and implement the necessary measures to mitigate ransomware threats. Some of the necessary measures include improving their detection of anomalous activity swiftly, backing up data regularly and keeping the backup offline, and practicing incident response and business continuity plans in case of a ransomware attack. 
• CSA has launched a series of tool kits for enterprises, which provide guidance on cyber-security issues tailored for senior business leaders and owners, as well as employees. Legislation has also been stepped up, with more companies encouraged to double down on cybersecurity with heavier fines for those who fall prey to data breaches. 

More Cyber Attacks Are Causing More Problems and Not Only for Businesses

• The cost of a data breach in six ASEAN countries including Singapore reaches an all-time high, averaging USD 2.87 million in 2022, and the inadequate adoption of zero trust principles in studied organizations is pushing those costs even higher.
• This is the latest findings from IBM’s annual Cost of a Data Breach report with 550 businesses across 17 countries including Singapore impacted by data breaches surveyed. ASEAN countries being surveyed are Singapore, Malaysia, Indonesia, Thailand, Philippines, and Vietnam.
• The research finds that consumers pay data breach prices amid soaring inflation. Invisible ‘cyber tax’ is what stands out most in this year’s finding – the financial impact of breaches is now extending well beyond the breaches organizations themselves.
• The hostile reality of the threat landscape where system error, phishing, and cloud misconfiguration become the costliest breach cause. Cloud migration and compliance failures are among the top three factors that may increase the cost of a data breach.
• The research also found that organizations that fell victim to cyberattacks were a prime target for follow-up attacks as part of a “haunting effect”, with 83% of organizations studied globally having had more than one data breach. And the study shows that it doesn’t pay for enterprises to pay threat actors’ ransom as they often do not get the expected results by doing so, with the ramifications of a data breach continuing to be felt for years.
• Other interesting findings are critical infrastructure showing “Blind Trust” where over 1 in 4 critical infrastructure businesses breached suffered ransomware or destructive attack. This is the time when multiple nations’ cyber authorities are urging heightened vigilance in these sectors. Globally, despite the risks, ~80% of these critical infrastructure businesses don’t implement Zero Trust, experiencing on average USD 1.17 million in added costs than those that do. In fact, 17% of these breaches were caused due to a business partner being initially compromised, emphasizing the risk of over-trusting environments.  
• Ransomware victims that opted to pay threat actors’ ransom demands just saved USD 610,000 (global data) in average breach costs compared to those that chose not to pay, but this does not include the ransom payment. It doesn’t pay to pay when accounting for current ransom payments (other industry research indicates the average ransom payment exceeds $800K) 
• We also see cloud security immaturity where 45% of breaches occurred in the cloud, while 43% of organizations state they are either in the early stages or have not started applying security practices across their cloud environments. Businesses with hybrid cloud environments were better positioned to deal with shorter breach costs compared to businesses operating solely in a public or private cloud.  

Who is feeling the brunt of it?

• Interesting findings from this year are that consumers are paying the price of all this where 60% of the organizations studied increased the price of their products and services because of a data breach they experienced, inadvertently passing the cost on to customers. 
• 83% of businesses said they’ve been breached more than once, while nearly 50% of costs are incurred more than a year post-breach, suggesting breaches are having a “haunting effect” on organizations, which tells us consumers have paid the price more than once. 
• When a business raises its prices, it affects partners, customers, and consumers, and ultimately the higher prices create a chain reaction that hurts the economy. It’s clear that cyberattacks are evolving into market stressors. We must think of cyber events as factors capable of stressing the economy– similar to Covid, the war in Ukraine, gas prices, and supply chain issues.

Which industries are under attack in Singapore?

• We saw three main industries across ASEAN including Singapore – financial services, technology, and transportation saw the costliest breaches.
• In the finance sector, security has become a top-of-mind issue for business leaders as the number of cyberattacks skyrockets and campaigns become more sophisticated. 
• Companies in the financial sector are paying the highest cost for data breaches at USD 461 per record cost. Technology companies paid USD 350 per record, the second most expensive by industry, followed by the transport industry at USD 332 per record. The regional and national average cost across all sectors was USD 286 per record. 
• Financially motivated attackers caused the majority of malicious data breaches. In a highly regulated environment, breaches in the financial services sector can be excessively expensive, followed by hefty fines. 
• This is what happened in the Solarwinds hack last year. Hackers had gained access to US government and corporate networks by compromising Solarwinds’ systems. The company provides information technology management software, and its clients include US government agencies and large companies. 
• Top executives and decision-makers in the finance industry are aware of the rapidly evolving cyber threat landscape and recognize the need to put more resources and effort to keep up with these changes.

How worried should we be?

• On whether Singapore should be worried about cyberattacks, IBM thinks that companies generally (are) not prepared enough.
• Companies should have contingency plans in case they get hit by sophisticated threats such as ransomware and have a solution planned. “The reality is a lot of companies still don’t have that, and then you can’t make those plans once you’re under attack. Because if it’s a systemic ransomware attack, you don’t even have access to your systems anymore, so you can’t even send emails to each other.
• Ransomware is a symptom. If you have the ransomware, it’s because you’ve already been hacked, and you’ve been hacked for a period of time. And if it’s systemically important to the organization, as in putting them out of business or stopping the way they operate, then it’s already too late.
• Interestingly, the hybrid cloud model had the lowest breach cost compared to public and private clouds. 
• Hybrid cloud adopters saw significantly less breach costs (average of USD 3.8M per incident – global data) compared to solely private (USD 4.24M – global data) or public cloud (USD 5.02M – global data) adopters. These organizations were also able to identify and contain data breaches much faster, 15 days faster than the global average and 48 days faster than public cloud adopters.
• We also see that security AI had the biggest cost-mitigating impact. Organizations that fully deployed security AI and automation saw USD 3.05 million less costs (global data) than those that do not deploy. The former also saw significant advantages in the speed to detect/contain a breach.

What can businesses do?

• Although the report highlights the bleakest of the current threat landscape, it also points to some promising technologies and methodologies that enterprises can use to reduce the cost of data breaches.
• As we transition towards a digital-first environment, remote work and the digitalization of operational processes can make defending against cybercriminals more complex. Organizations must adopt a holistic cybersecurity strategy that entails enhancing cloud resiliency, monitoring insider threats, consolidating technology vendors, white hacking to test vulnerabilities, and having regular cyber exercises to anticipate possible disruptions.
• ‘Zero trust’ approach has been proven to bring a net positive impact on data breach costs. 
• Enterprises need to “give up” on just doing prevention and put their defences on the offense. Enterprises also need to focus on detection at speed to reduce breach lifecycles and mitigate the impact. 
• IBM Security global findings show a USD1.12M cost difference between breach lifecycles less than 200 days vs greater than 200 days. As attackers reduced their attack lifecycle by 94% over the past three years, so we must make it harder for them to execute their objective.