According to a recent survey by the Cyber Security Agency of Singapore (CSA), only one-third of organisations in Singapore have fully implemented at least three out of five key cybersecurity measures deemed essential. Despite acknowledging the importance of cybersecurity, the findings reveal considerable room for improvement in protecting against cyber threats.

David Koh, the chief executive of CSA, emphasized the inadequacy of current measures given the rising frequency and scale of cyber threats. The CSA’s first Singapore Cybersecurity Health Report, released on March 28, indicates that organisations have, on average, adopted approximately 70% of the recommended measures across five categories: “assets,” “secure/protect,” “update,” “backup,” and “respond.”

Awareness and Partial Adoption
While around 75% of surveyed organisations are aware of CSA’s national cybersecurity standards aimed at prioritizing essential measures, the report highlights that partial adoption leaves many organisations vulnerable. The survey found that over 80% of organisations experienced a cybersecurity incident within a year, with nearly half encountering multiple incidents. The most common types of incidents reported included ransomware attacks, social engineering scams, and exploitation of cloud misconfigurations.

The impact of these incidents is significant, with 99% of affected organisations reporting negative consequences such as business disruptions, data loss, and damage to their reputation.

Barriers to Implementation
The survey identified several challenges preventing organisations from adopting robust cybersecurity measures. The most significant barrier was a lack of knowledge and experience, cited by 59% of businesses and 46% of non-profits. Additionally, many organisations underestimated their likelihood of being targeted by cyberattacks. Other noted challenges included insufficient manpower, limited resources, low perceived return on investment, and a lack of budget for cybersecurity.

Cost of Implementation
The CSA estimates that implementing basic cybersecurity measures would cost small organisations between S$1,800 and S$4,500, including available funding support. Koh urged organisations to prioritize cybersecurity and utilize available resources to enhance their defenses. He warned that addressing cybersecurity only after an incident occurs would be significantly more costly.

Conducted between May and August 2023, the survey included responses from 2,036 small, medium-sized, and large organisations, covering various aspects of cybersecurity, including incident frequency, business impact, and the level of measure adoption.