S'pore firms see more insider attacks

Survey finds more local companies making data protection a priority as they look to safeguard their information from increased insider threats.

SINGAPORE--As 2009 recorded widespread layoffs across various market sectors, businesses in the country--particularly in the financial services & insurance (FSI) industry--saw spikes in insider threats, as more organizations faced potential reprisals from disgruntled employees.

In a media briefing here Wednesday, Gerry Chng, Far East Area leader for information security at Ernst & Young Advisory, described how a bank recounted, during a discussion, that syndicates had "planted" their own people within FSI companies, which implies a breach in the organization's security infrastructure.

This observation is further highlighted in Ernst & Young's 12th annual Global Information Security Survey, which found that 28 percent of respondents in Singapore cited insider attacks as a current threat. This was 3 percent higher than the global average, according to the survey findings.

Within the local FSI sector, 43 percent of respondents acknowledged their companies had experienced insider attacks. "This is more than last year," confirmed John Chin, Asean leader for IT risk and assurance services, Ernst & Young Advisory.

Conducted between Jun. 1 and Jul. 31 this year, the survey polled IT professionals from 1,865 organizations across major industries in 61 countries. Within this number, 105 respondents were from Singapore, of which 27 percent--the majority--were from the FSI sector.

To counter the threat of insider attacks, 50 percent of local respondents said data protection was their top priority and they planned to increase their spend in implementing or improving data protection technologies and processes. Some 42 percent highlighted moves to improve and expand budget in information security risk management as a priority.

These priorities, noted Chng, were reversed in the global findings, with 50 percent of overall respondents looking to spend more on information security, compared to 43 percent who opted to improve their data protection.

However, he noted that while most indicated an increasing willingness to intensify or at least maintain their IT spend, "investments in IT" as a whole had fallen.

This could explain why 50 percent of Singapore respondents acknowledged that having an adequate budget was a "high" or "significant" challenge, and 53 percent cited the same challenge with regard to the availability of resources.

Chin said in the report: "Information security today already requires a lot more investment, as companies race to catch up with an accelerating threat landscape, after a much delayed start.

"However, budgets and technical resources are still limited…and senior IT professionals are expected to improve efficiency and effectiveness, while keeping spending to a minimum," he said.

Another factor driving information security is the need for companies to comply with industry regulations.

In both the global and Singapore findings, a high 77 percent of respondents indicated that achieving regulatory compliance was "important" or "very important", while 96 percent of local respondents in the FSI sector replied likewise.

Half of survey respondents in the country said regulatory compliance costs accounted for "moderate to significant increases" in their overall information security costs.

Chng said: "While regulatory compliance continues to be an important driver, the cost of compliance remains high. This introduces the risks that the security management initiatives cannot be sustained over time."

Recognizing these challenges, Ernst & Young suggested that companies move away from looking at IT security as simply a need to meet standard regulations, to one that is focused on securing corporate data.

Chng said companies should ditch the notion of "external" and "internal" threats, as these would imply that the security infrastructure implemented still has a specific "parameter" in place. He noted that today's "mobility of information renders digital parameters useless", and added that IT professionals should look at securing the data rather than locations such as the office IT network.

This mindset is still lacking among Singapore-based companies, he noted, as most of these organizations simply look to satisfy regulatory rules. Chng said: "This needs to change and companies need to look at the intent behind the regulations to build a sustainable IT security system."

He added, though, that the situation is changing, with more organizations looking toward automation to better monitor their systems.