A cyber security breach not only cripples an organisation’s infrastructure but results in a loss of trust from consumers. In other words, it brings with it a real business risk. But by taking the right pre-emptive steps, cyber attacks can be kept at bay.

1. See cyber threats as real business risks

Business leaders and key decision makers should not brush off cyber threats as merely a technical problem, but also see it as a managerial issue that is accompanied by potential impact to its business – experts said.

When a company suffers a cyber security breach, it can lead to almost half of general consumers losing their trust in the firm, according to a 2018 survey by market research firm Frost and Sullivan.

“We need to improve communications and convert and translate all the technical jargon and terms into management concepts,” said Prof Lam Kwok Yan, a cyber security researcher and practitioner at Nanyang Technological University.

Yet, a third of executives still do not see beefing up their cyber security as a worthwhile investment with a clear and present impact on a business’ bottom line.

2. Practice good cyber hygiene

Good cyber security hygiene – which refers to good online and system practices, such as updating the software regularly and using strong encryption – can prevent up to 90 per cent of cyber attacks.

“Of the attacks that we see – most of them have vulnerabilities published one to two years ago. The solutions have already been released – it’s just a matter of whether we are following up on them,” observed Mr David Koh, Chief Executive Officer (CEO) of Cyber Security Agency of Singapore (CSA).

Having the right instincts for cyber security is also something that is nurtured. And education is key at instilling good cyber hygiene.

“We’ve been thrusted into the 21^st century, living this 21^st century life without the basic instincts for cyber security. We need to do generational bootstrapping, to educate people on the basic things that need to be done to have these instincts – and I think that will deal with the basic cyber hygiene issue,” said Mr Koh.

3. Drill, drill, drill

Getting drilled in cyber defences is a good way to react to cyber attacks. Having a comprehensive response plan that is well-versed across all stakeholders can help in mitigating future attacks.

“You have to do the dry runs; you have to do live fire drills. You have to get hands-on experience with the whole team, operating from event to fix,” suggested Mr Kevin Mandia, CEO of FireEye, a cyber security company.

Malaysia, for instance, has been carrying out biennial nationwide cyber security drills since 2008 across both the private and public sectors.

“You can see the response time improving. They understand their roles better and improve internal procedures. If something happens – they know what to do,” said Mr Md Shah Nuri, Chief Executive (CE) of Malaysia’s National Cyber Security Agency.

But the drills should not be limited to technical and operational aspects, as the other half of it lies on public communications, said Mr Koh. “How do you tell your customers and clients what has happened? How do you manage the public information? You need to practise that as well.”

4. Engaging accredited cyber security service providers

In the eyes of many lawmakers, cyber security is still a relatively unchartered area that is not comprehensively regulated. New policies can help enhance industry best practices, and licencing is essential in enhancing the trust towards cyber security service providers by companies who outsource their cyber security and ethical hacking needs to them.

“In Singapore, we have the Cybersecurity Act (CSA) which has been passed by Parliament. We’re in the process of implementing this,” said Mr Koh.

“These can’t be left to individual values, so we are regulating through the CSA.”

Similarly, France has also developed a certification programme for cyber security companies.

“You should work with real experts and the best way to know that they are real experts is to rely on the certification that we provide,” said Mr Guillaume Poupard, Director General of Agence nationale de la sécurité des systèmes d’information, the national cyber security agency of France.

5. Sharing is caring

Open information sharing is key to addressing global cyber security needs. And this has to be done not only across private and public sectors, but also on the regional and international stage.

“Exchange between countries and nations is growing, exchange between the private and public sectors is also growing,” said Mr Poupard.

“Information sharing will help people. We’ve been talking about it for a long time. (But) I must admit it’s a complex topic because valuable information is sensitive.”

Mr Md Shah shared the benefits of a multi-agency information sharing platform that was established in Malaysia. “This facilitates and creates an environment where you can respond better and faster.”

The GovWare CXO Plenary programme brought together more than 180 C-suite decision makers who exchanged their views on strategic developments, trends and the way forward in advancing cyber security. It was part of the Singapore International Cyber Week (SICW). Held in September this year, the event connected 8,000 global cyber security experts, policymakers, academic leaders and industry practitioners from over 50 countries.

Mr Lim Hock Chuan, CE of Temasek Foundation Connects said: “As a strategic partner of CSA, TF Connects helps bring together leaders and professionals at the SICW, and strengthen the collaborative relationships and ecosystems. This will enable us to build deep expertise and develop cyber security professionals needed to successfully counter cyber threats.