Singapore has introduced certification programmes to tag small and large enterprises that have adopted good cybersecurity practices. The move is touted as essential for companies to ascertain their security posture amidst increasing supply chain attacks.
The certification scheme encompassed two cybersecurity marks, one of which would enable small and midsize businesses (SMBs) to prioritise basic security measures they should implement to protect their systems and operations against common cyber attacks. These baseline measures included preventive measures to control access to systems and data, and cyber incident response.
The Cyber Essentials mark not only recognised SMBs with good cyber hygiene, but also would help these companies understand fundamentals they should have in place even with their limited IT or cybersecurity resources, said Singapore's Cyber Security Agency (CSA).
An SMB food and beverage company, for instance, with the Cyber Essentials mark would have adopted baseline cybersecurity measures to safeguard personal data of its customers, such as name and date of birth, needed to facilitate its loyalty programme. These included controlling access to and backing up customer data and investing in software to secure its internal IT systems.
The second certification programme was targeted at larger and more digitalised businesses, including multinational corporations, CSA said. Called Cyber Trust, it outlined a risk-based approach to help organisations understand their risk profiles and determine security elements they needed to prepare to mitigate such risks.
Specifically, the Cyber Trust mark encompassed five cybersecurity preparedness tiers that matched the company's risk profile. Each tier outlined 10 to 22 domains, such as cyber governance, education, information asset protection, and secure access, against which the organisation would be assessed to determine its cybersecurity posture.
For example, a financial services institution would have to ensure both its internal and external systems had a robust level of cybersecurity to safeguard its customers' personal and financial data, CSA said. The cybersecurity regulator added that the Cyber Trust mark would certify the financial organisation's investments and efforts in cybersecurity.
The certification would provide a competitive advantage for companies that earned it as well as offer assurance for their customers.
CSA's chief executive David Koh: "CSA's cybersecurity certification scheme for enterprises is a timely introduction to the market. Supply chain cyber attacks will continue to proliferate in the digital space and, in time to come, companies could be required to demonstrate their cybersecurity posture when they conduct business as a way of providing greater assurance to their customers.
"Having the certification reflects the company's commitment to ensure that they remain cyber-secure, giving them an edge over their competitors," Koh added.
CSA said it would work alongside industry partners such as SGTech to drive the adoption of both security marks, which would not be made mandatory.
The certification process would be run by an initial group of eight certification bodies, including Bureau Veritas Quality Assurance, EPI Certification, and iSOCert.
According to CSA, the marks were developed in consultation with industry partners such as certification practitioners and trade associations.
The cybersecurity regulator also worked with several companies in Singapore to trial the frameworks for both Cyber Trust and Cyber Essentials. These included F&B companies as well as e-commerce operators and technology vendors such as Andersen's of Denmark Ice Cream, IBM, Kestrel Aero, and Lazada Singapore.
CSA also developed a toolkit to help companies adopt cybersecurity and attain the certification marks. Designed for IT administrators, the toolkit curated an initial list of partners offering products and services that could help businesses meet the requirements of the two marks.