Singapore suffers from 'false sense of security'

Singapore's "vibrant" IT security environment, low rate of reported breaches and incidents, and not being at the frontlines of online attacks have lulled local businesses into a "false sense of security" which leaves them vulnerable.

According to Ngair Teow Hin, founder and CEO of security firm SecureAge, the "vibrant" security scene in the city-state with more than 100 security companies here, and existing laws such as the Computer Misuse Act, help deter people from hacking into organizations here. This can be seen by the low number of reported security incidents, he added.

The country is also not likely to be one of the primary targets for hackers and hactivist groups because of its small population size, Ngair pointed out. This makes companies here a smaller target than those in countries such as the United States, for example, he added during an interview with ZDNet Asia on Tuesday.

Complacency sets in
However, Singapore-based companies have been lulled into a "false sense of security" even though the abovementioned factors are not enough to ensure the country will be safe from hacking activities, he stated.

The low report rate, for instance, is because there is no incentive for companies to lodge one, he noted. Since the local government's priority is to keep business costs low and reporting the incident will only add to expenses, such incidents are often not known and companies are not penalized for not sharing the information, the CEO explained.

The country is also rather backward in enacting laws that would strengthen the protection of sensitive data. Citing Singapore's Data Protection Act as an example, Ngair said it is "way behind" many countries including those less developed than Singapore such as Malaysia and India.

The Act was partly driven by necessity, as the local government wanted to encourage the growth of cloud computing and data center industries and it had to assure interested parties that their data would be protected, the executive added.

Currently, only financial institutions have to report security incidents due to guidelines issued by the Monetary Authority of Singapore (MAS), he noted. A Computer Emergency Response Team (CERT) exists but, besides the government, it does not collaborate with other industries to ensure online attacks are detected and prevented, he said.

Be more adventurous with tech
Ngair also highlighted that the cultural differences between East and West hinders the development of security companies here as less businesses are willing to engage an unknown entity.

He said in the U.S., for instance, security firms are more willing to be "guinea pigs" of new technology, thus giving them a headstart when growing their businesses. Palo Alto Networks is one that started out experimenting with firewalls but got so successful they eventually filed for its initial public offering (IPO) in July this year, he pointed out.

The Asian culture of not wanting to fail, however, means businesses here will not be willing to try security products without a good brand name despite these being good enough. Singapore's government, for example, would always ask for references and past technology usage from other governments whenever they look to procure security tools, Ngair said.

This business culture of not tolerating failure is "unfortunate" as it stifles innovation and makes the local IT ecosystem stale, and it would be a long time before Asian security firms be able to catch up with their western counterparts, he added.