Email: Boon or Bane for Singapore?

Singapore is now a prime target for cyber criminals. Most recently, the country witnessed its largest personal data breach in history when a cyber attack on Singapore’s largest healthcare group SingHealth’s database put the information of 1.5 million people, including Prime Minister Lee Hsien Loong, at risk. Singapore also battled nearly five times more cyber attacks than the US or Canada during the Trump-Kim Summit in June.

Whilst healthcare institutions and government agencies have been common targets in recent years, businesses from other verticals have experienced a spike in the number of cyber attacks during the period. The Singapore Police Force (SPF), in fact, reported 5,430 cybercrime cases in 2017 – accounting for 16.6 per cent of total crimes.

Amongst all cyber crimes, phishing attacks remain to be the most prevalent, with 42% of Singapore-based businesses reporting phishing incidents in their respective organisations. Today, cybercriminals are increasingly using deceptive emails with designs and logos that trick users into clicking on links that direct them to fake websites.

More than ever, these cyber attacks simply shed light on the importance of safeguarding against threat vectors, especially email – which is arguably the most common communication tool today, ahead of social media.

Email as a communication channel
Email has truly become ubiquitous in day-to-day interaction – readily evident in the number of email notifications on consumer spending, news updates, and product launch announcements received on a daily basis.

With the prevalence of smartphones, email communication has truly become more omnipresent, regardless of the time and day of the week. According to a survey conducted by consultancy firm Ernst & Young, Singaporeans spend an average of three hours and 12 minutes on their mobile phones daily, with 57% checking emails on their phones.

In Singapore, businesses have been leveraging email as the primary means for communicating with internal and external stakeholders. As a result, customers now demand constant customer service availability and swift replies to enquiries, with employees sending work-related emails even after work hours.

As large amounts of data can be quickly and conveniently shared with multiple recipients, email communication eliminates the need for printing and manually sending most documents. Email interchange facilitates effective communication and coordination with the company’s stakeholders across the world as vital information can be sent instantly and internationally.

Whilst a reduced reliance on international calls translates into significant cost savings for organisations, the high dependence on emails puts companies in a highly vulnerable position, given how cybercriminals nowadays exploit email security.

Email as a vector for cyber attacks
Every email sent is a potential spearhead for a targeted attack by cybercriminals. Whilst the threat has always been present, the past years have seen a dramatic spike in ransomware and malware proliferated through email. More importantly, these attacks are no longer confined to specific industries or regions. 2017 alone saw WannaCry and Petya attacking thousands of servers, affecting companies across the world.

Business Email Compromise (BEC) attacks, also known as CEO fraud, are increasingly being utilised by cybercriminals today. Cybercriminals have been impersonating C-level executives through bogus emails and social engineering tactics. By imposing imminent schedules for money transfers or requesting confidential business information, they pressure targeted employees into acting swiftly. As BEC attacks can easily be orchestrated without advanced coding knowledge, cybercriminals can easily target vulnerable employees within organisations.

Given the prevalence of such cyber attacks, Singapore has been focusing on enhancing cyber capabilities and cyber defences against online threats. Recently, the state implemented the new Cybersecurity Act, which makes critical information infrastructure (CII) owners more accountable, in light of their new cyber security obligations. The Cybersecurity Act also empowers the Commissioner of Cybersecurity to respond to and prevent cyber security incidents, whilst regulating cybersecurity service providers. Besides the Cybersecurity Act, strides have likewise been taken towards strengthenging the Cyber Security Agency of Singapore (CSA).

An all-encompassing approach to cybersecurity:
Based on a Frost & Sullivan study commissioned by Microsoft, Singapore could potentially risk losing US$17.7 billion – or 6 percent of its total GDP – due to cybersecurity incidents. Whilst the state has been strengthening Singapore’s cybersecurity and data protection ecosystem, businesses across the country still have their own responsibility to maintain a robust cybersecurity posture within their respective organisations. McKinsey & Company highlighted the need to shift from a myopic view of cybersecurity as a hardware issue, and instead employ a holistic approach towards cybersecurity. Hence, company leaders need to proactively engage with their teams and IT departments to implement a comprehensive cybersecurity plan.

Modern innovative tools can today detect malicious documents before employees have even had the chance to open them. Sandboxing ensures that dubious attachments are tested in virtual, secure test environments through simulation procedures before they are actually delivered to recipients. Once detected, harmful documents are immediately neutralised by anti-virus systems. IT forensics can then use the ‘digital fingerprint’ to search for further potential breaches and provide insights as to the next steps a company should take.

Besides innovative technology, it is important for enterprises to consider the human factor. Only well-trained employees will be able to avoid the pitfalls of phishing emails and distinguish them from valid email requests coming in. Well-informed, vigilant employees, for instance, can easily recognise a CEO fraud email for what it is – a phishing email.

Given that 91% of all email-related security breaches result from bad employee practices, hardware and software updates are only one part of the solution. A dual approach combining IT updates and cybersecurity training for employees is the best way to protect enterprises from cyber threats. With proper education, staff can easily detect phishing emails, preventing security breaches that may lead to grave financial losses.