From time to time, we hear spooky reports of supernatural activity in Singapore’s offices, but these are urban legends. In the real world, a much more significant threat is “ghost employees” - former staff members who have held on to working login details and credentials.
Although there is an increasing awareness of cybersecurity issues in Singapore, this heightened consciousness is not necessarily translating into positive action. Too many businesses are leaving doors open for attackers to target sensitive data and assets through these “ghost employees.” The fact is that too many flesh-and-blood office workers have been afforded unfettered access to sensitive company data.
As we have seen with nearly every recent major cyber breach in Singapore, from Uber to Microsoft’s customer support portal, credential theft remains the most common and effective route to a successful cyberattack. A lax approach to protecting high-value ‘privileged’ accounts can directly elevate the risk of such an attack or a major data breach, in the event of employees’ credentials being harvested. It is, therefore, clearly essential to manage privileged access.
Cybersecurity Initiatives High on Government agenda
Regulatory approaches to cyber risk in APAC are varied and localized, with no significant steps taken yet toward harmonized standards across the region. Not surprisingly, economies with different levels of cyber exposure and capacity address the issue differently.
Generally, businesses operating in countries that have more advanced ICT infrastructure and a bigger digital economy face higher cyber risks. For example, Korea, Australia, Japan, and Singapore are nine times more vulnerable to cyber-attacks than other Asian economies.
The Singaporean authorities have had a longstanding interest in cyber risk and have launched a range of initiatives for creating robust and resilient cyberspace.
The country regularly updates its cybersecurity legislation. The 2018 Cybersecurity Act establishes a legal framework for the oversight and maintenance of national cybersecurity in Singapore, governing everything from the protection of Critical Information Infrastructure (CII) to the sharing of cybersecurity information and the establishment of a light-touch licensing framework for cybersecurity service providers.
Most recent is the addition of a sixth pillar - ‘Digital Defence’ - to the country’s Total Defence, which was announced this year.
However, while all these government-level initiatives are clearly essential, leveraging them to bring about lasting change in corporate and individual cyber-risk behavior is a real challenge. Studies have shown that as many as 35% of people never change their passwords, despite the constant stream of warnings about the risks as well as reports of breaches.
Ghosts in the Corporate Corridors
In the corporate environment, “ghost” individuals pose a substantial threat, according to Rich Turner, vice president, EMEA, CyberArk: "Ghost employees are a major concern for any organization – they not only elevate the risk of key company applications, tools and data being breached in the event of a cyberattack, but also provide a potential route for disgruntled employees or rival businesses to manipulate existing data, causing serious administrative and financial damage.”
CyberArk recently released a study that revealed many British businesses are failing to lock down such key accounts following changes in personnel.
According to Turner, “these findings of this study are symptomatic of the misguided cyber spending habits of British business. The U.K. continues to devote huge sums to perimeter defenses when the smarter approach is to assume the inevitable – that attackers will get in – and ensure that their access to sensitive assets and data is contained.”
These alarming figures show that far more employees have access to critical information than is necessary and demonstrate the need for U.K. businesses to limit how employees access sensitive data to better protect themselves and their customers.
This situation is by no means confined to the U.K.
Singapore Employees Likely Source of Cyber Incidents
According to PwC’s “The Global State of Information Security Survey", even with the most sophisticated security technology, organizations have found that more than unknown hackers or competitors, current and former employees were cited as top sources of security incidents.
Based on its 2017 survey, 38% of Singapore companies cited current employees as the likely source of cyber incidents, an increase of 13% from 2016. It also revealed that 32% of Singapore respondents indicated former employees as their likely source of incidents – up 7% from the year before.
Furthermore, the report revealed that 77% of respondents in Singapore detected one or more cyber incidents in the last twelve months. The top three areas where cyber incidents occurred were through Mobile device exploitation, followed by Phishing, which further highlights the vulnerability to threats due to human error or negligence (Employee exploitation).
The key to improving employees’ attitudes to cybersecurity lies in education. The findings of CyberArk’s U.K. study show a mixed picture of the effectiveness of cyber education. Almost four in five (79%) office workers would immediately admit to IT if they opened a malicious attachment, while three quarters (75%) would voice their concerns if they didn't understand communications from IT about security.
But many existing employees are still exhibiting poor cyber practices. The survey revealed that more than half (54%) don't admit when they let colleagues use their login details, and 45% don't inform their IT team when they download an unauthorized app on to their work device.
Not So Smart Devices Unless Secured
The need is for organizations to integrate cutting-edge new security technologies into their strategies, such as biometric security techniques, including fingerprint and retinal scans and embedded microchips. Smart devices, however, present a great cause for concern. 40% of respondents to the survey reported that their IT security team is failing to adequately secure IoT and BYOD devices, providing attackers with another privileged pathway to exploit. As these technologies become more and more prevalent, their access to company tools and applications must be managed in the same way as any other device within a corporate network.
Whether for new wearable devices or more established business development, HR or payroll systems, a lack of credentials management means businesses remain vulnerable to the seizure of critical company IP through credentials-based attacks. Forging a more secure digital future begins with adopting an effective privileged access management policy, which limits individuals' ability to escalate privileges and subsequently reduces their access to sensitive systems – ultimately reducing the number of vectors attackers can seek to exploit.
Vincent Goh, senior vice president, Asia Pacific and Japan, CyberArk wrote this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of HR&DigitalTrends.