The Cyber Security Agency (CSA) has developed a cybersecurity certification scheme for companies, made up of two security marks: the Cyber Essentials certificate and the Cyber Trust certificate. The marks certify the cybersecurity measures adopted at the organisation level and not the cybersecurity of specific products or services. The programme will help customers identify which companies have put in place strong cybersecurity measures and what steps they have taken to prevent cyber-attacks, such as testing out various scenarios and preparing their business continuity plan.
According to the Minister of State for Communications and Information, Tan Kiat How, CSA referred to established international standards during the certification development process, including ISO 27001, Service Organisation Control 2, and standards from the US National Institute of Standards and Technology. It also piloted the certifications with companies from a wide range of sectors. The agency claimed that the pilot users found the certification useful in helping them identify their cybersecurity gaps and found the guidelines easy to follow and implement.
Before deciding which certification to opt for, companies should examine their risk profile. For companies that are at the beginning of their digitalisation journey, CSA recommends the Cyber Essentials mark. It simplifies the approach by prioritising five cyber hygiene areas for companies to focus on. On the other hand, for companies with a higher cybersecurity risk profile, that is, those where most of the business processes are digitalised, CSA recommends the Cyber Trust mark. The mark uses a five-tiered approach. The tiers address a broad spectrum of companies with different business operating models, such as the nature of the business's products or services, the industry it operates in, or the customers it supplies. The Cyber Trust certificate is evidence that the company has put in place good cybersecurity practices and measures that are commensurate with its cybersecurity risk profile.
The average cost of a cyber-attack for companies in Singapore is approximately SGD1.7 million per breach, which could include the cost of revenue loss from disruptions to business operations and legal penalties when there is a data breach involving personal data. For some small and medium-sized enterprises (SMEs), this may be too high a cost to bear. That is why it is critical for companies to be aware of cyber threats and implement the appropriate measures to counter them. Cybersecurity awareness is essential at all levels within the company. Business leaders need to be aware of cyber risks and allocate sufficient resources for the IT teams to address them. In turn, IT teams need to put in place appropriate cybersecurity measures to protect the company. All employees need to be mindful of good cyber hygiene practices as they are the company’s first line of defence. To help enterprise leaders and SME owners and employees learn about their specific roles in keeping their companies safe from cyber threats, CSA developed and launched a series of toolkits six months ago. So far, the toolkits have been downloaded over 3,200 times.