Opening Remarks for Cybersecurity Conference 2018
Welcome to the Cybersecurity Conference 2018! In these hallowed halls of learning in SMU, today will be a day of much learning on cybersecurity.
The Law Society of Singapore is committed to strengthening our watch on cybersecurity. This year, we renamed the relevant committee from the Cybersecurity and Forensic Committee to the Cybersecurity and Data Protection Committee. The Committee under the energetic, efficient and enthusiastic leadership of KK Lim has blazed a new trail in their activities. Among the activities undertaken are:
- Supporting the Cybersecurity Agency (CSA) Cybersecurity Awards in March 2018; and
- Participating last month in the PDPC Consultation on “Managing unsolicited messages and the provision of guidance to support innovation in the digital economy”.
And now, in a hat trick of activity, comes the Cybersecurity conference. Today, we have a bumper crop of 245 registered participants with overall numbers pushing at 300 (including invited guests and speakers). I say bumper crop because the previous precedent in May 2016 entitled “Seminar on Cybersecurity for Lawyers” saw about 60 attendees. So that makes a four-fold increase in participation.
I venture to suggest that the interest by lawyers is not just as a consumer in this digital age. It is also to acquire the requisite niche domain knowledge so that we can advise with accuracy when (not if) a cyberattack takes place and issues of liability and losses need to be considered in an intelligent and informed way.
In yesterday’s Business Times edition (18 July edition), Richard Koh, CTO of Microsoft Singapore, wrote an op-ed entitled “Don’t let cybersecurity be an afterthought”. The writer made a compelling economic case on the “iceberg effect” of cyberattacks in Singapore. By extrapolating direct, indirect and induced losses associated with a cybersecurity incident using the Frost & Sullivan economic loss model, he guesstimated a potential economic loss in Singapore due to cyberattack incidents to be a staggering US$17.7 billion. That is about 6% of Singapore’s total GDP of US$297 billion. Analytically, he identified two main heads of losses. Direct losses entail financial losses such as loss of productivity, fines, remedial costs, etc. But that is only the tip of the iceberg. Indirect costs include opportunity costs to the organisation such as customer churn due to reputation loss. The impact of a cyber breach on the broader ecosystem and economy, such as decreases in consumer and enterprise spending, all goes towards making up the bigger picture of the true cost of cybersecurity incidents. The ripple effect of a cybersecurity attack is far reaching. It should not be underestimated.
Leaving aside macroeconomics, malware or ransomware such as Wannacry is enough to cause tears and fears for business owners. The numbers crunched in the BT op-ed from a financial loss perspective show a material impact on organisations of different shapes and sizes: US$13.8 million is the average economic loss for a large size organisation and US$177K for a mid-size organisation.
One would have thought that the spectre of financial losses should be sufficient to spook organisations to apply the age-old adage that prevention is better than cure. And yet the norm, as observed in an ASEAN foresight panel discussion featured in a Channel News Asia clip yesterday (18 July), for those of you who caught it, was that enterprises change their approach only after they have been attacked. Is this due to complacency or ignorance?
Let me offer a tip from yesterday’s BT op-ed. This is part and parcel of cybersecurity best practices to strengthen cyber defence. The writer recommended investing in strengthening your security fundamentals. I quote from the writer: “over 90 per cent of cyber incidents can be avoided by maintaining the most basic best practices. Maintaining strong passwords, contained of multi-factor authentication against suspicious authentications. Keeping device operating systems, software and anti-malware protection up to date and genuine can rapidly raise the bar against cyber attacks.”
Let me also give lawyers present a tip on improving your law firm’s cybersecurity practices.
Give serious consideration to cloud computing software. Nicole Blake, a New York attorney and the author of “Cloud Computing for Lawyers”, advocates that cloud computing software offers better security, including data redundancy and disaster recovery options. For smaller law firms, cloud computing is a secure way to store and protect confidential client data.
And finally, a top tip for lawyers intending to practice in the area of cybersecurity. Here is a practice description from a leading US law firm practicing in cybersecurity and a recognized pioneer in the field: “[We understand] the high stakes involved when sensitive data is at risk. Our lawyers work to protect companies both before and after a data breach. We provide assistance in the development or improvement of data privacy practices and incident response plans to ensure our clients’ data is secure. Our goal is to always minimize our client’s risk of a data breach and to put our client in the best position to respond if a breach occurs. In the event of a breach, we provide rapid and comprehensive incident response.”
That could be a description of your own practice in months or years to come. A potential service line and specialist practice for each of you.
In conclusion, I learnt a valuable term from the cyber lexicon as I was preparing these remarks. Cyber resilience. Cyber resilience encompasses cyber security and business continuity management that aims to defend against potential cyberattacks and ensure your organisation’s survival following an attack.
I hope (no, I know) that after participating in today’s cybersecurity conference, your own organisation’s cyber resilience will be ratcheted up to new levels following your newfound knowledge. Cyber resilience is not only a critical survival trait in the future; I dare say it is an organisational existential trait in the future. Leading law professionals like those of you participating in this conference from the Law Society help keep your organisation cyber resilient because of the choices you make. That choice included the choice to attend this event. You are in the right place at the right time. I wish you an enriching and educational day ahead!
[As an afternote, after these remarks were shared including on the “… when (not if) …” of a cyberattack, the very next day, many of us read about the unprecedented and shocking cyberattack on our health systems. In Prime Minister Lee’s words from his Facebook page on 23 July: “Singhealth’s database has experienced a major cyber-attack. 1.5 million patients have had their personal particulars stolen. Of these, 160,000 also had their outpatient medication data compromised. I am personally affected, and not just incidentally. The attackers targeted my own medication data, specifically and repeatedly.”]