As the Singapore Government announces its third HackerOne Bug Bounty Program to boost cybersecurity this month, we take a snapshot of the most recent major breaches and industry developments in cybersecurity in APAC.
HackerOne, a hacker-powered security platform, announces its partnership with the Government Technology Agency of Singapore (GovTech) and the Cyber Security Agency of Singapore (CSA), to work with hackers from all over the world to test public-facing government systems.
This is HackerOne’s third bug bounty initiative with the Singapore Government, following successful prior programs with GovTech and MINDEF Singapore.
The bug bounty initiative will invite a select group of proven ethical hackers to test GovTech’s systems in exchange for a monetary reward, or bounty, for valid reported security weaknesses.
According to HackerOne Director of Program Management Paul Griffin, bug bounty programs are an industry best practice, implemented by public and private sector organizations across industries and regions. GovTech Singapore joins government agencies like Singapore MINDEF, the U.S. Department of Defense, U.S. General Services Administration, NCSC, and the European Commission who have selected HackerOne to leverage the global hacker community to detect unknown security vulnerabilities before they can be exploited by criminals. Other leading organizations that work with hackers to improve cybersecurity include Alibaba, Grab, Toyota, PayPal, Google Play, Nintendo, General Motors, Starbucks, and others.
“GovTech and the Singapore Government are among the world’s leaders in cybersecurity. Tapping the skilled and global hacker community is the most efficient way to approach security testing. The latest bug bounty program continues to signal momentum in the constant battle against malicious actors on the Internet,” says Griffin.
Griffin says the Singapore Government’s latest bug bounty program is part of a strategic initiative and commitment to build a secure and resilient Smart Nation by strengthening collaboration with the cybersecurity industry and community.
GovTech’s bug bounty program will run from July to August 2019 and will cover nine Internet-facing government digital services and information and communication technology systems with high user interaction. Roughly 200 proven international hackers and 100 local hackers will be invited to participate based on previous performance metrics on the HackerOne platform.
About 400 local and overseas ethical hackers took part in the most recent GovTech bug bounty program, uncovering 26 vulnerabilities and earning participating hackers a total of nearly US$12,000 in bounties. Similarly, MINDEF concluded a successful bug bounty challenge in early 2018 with HackerOne hackers, resulting in 35 safely resolved security weaknesses.
Bounties for this GovTech program will range from USD 250 to USD 10,000 per valid unique security vulnerability report, depending on severity. Results of the program will be announced in September 2019.
At the commercial end of town, 2018 was a record-breaking year for mergers and acquisitions (M&A). In the first three quarters of the year, companies around the world announced M&A deals worth a total of $3.3 trillion – the most since record keeping began nearly four decades ago.
However, according to Wahab Yusoff, Vice President Asia at cybersecurity firm Forescout Technologies, in light of highly publicized data breaches last year, due diligence on acquisition targets was not as directed towards the target company’s cybersecurity posture as it should be.
The compromise of over 500 million Marriott customers’ sensitive information occurred due to an overlooked vulnerability of Marriott’s Starwood acquisition in 2016 – and in Singapore, Yusoff claims that the SingHealth data breach that compromised the sensitive data of over 1.5 million Singaporeans continues to have repercussions to this day.
Forescout recently released the results of its M&A cybersecurity risk survey, The Role of Cybersecurity in M&A Diligence, which surveyed more than 2,700 IT and business decision makers across the United States, France, United Kingdom, Germany, Australia, Singapore and India to examine the growing concern of cyber risks and the importance of cyber assessment during M&As and the subsequent integration process.
The data was weighted to evenly represent audiences and regions. To qualify, respondents had to be employed full-time, senior manager level or higher, and the primary decision maker for IT purchasing decisions or involved in M&A strategy.
The survey found that as many as 50 per cent of organisations in Singapore have encountered a critical cybersecurity issue or incident during an M&A deal that put the deal in jeopardy.
According to the report, cybersecurity is now a top priority with Singaporean companies, with 85 per cent of Singaporean IT decision makers (ITDMs) and business decision makers (BDMs) putting more of a focus on a target’s cybersecurity posture than in the past.
Yusoff says the results come as no surprise, as cybersecurity concerns discovered after consummation of the deal often present costly risks that would have been factored into the deal negotiations and/or may have led to the dissolution of the deal. After closing the acquisition, 65 per cent of respondents have experienced regrets in making the deal due to cybersecurity concerns.
“Traditionally, when acquiring a company, M&A due diligence has been focused on aspects such as Finance, Legal, Business, Operations, Human Resources and IT, among others. However, in light of recent breaches, it is clear that organisations considering an acquisition could benefit from greater, dedicated cyber evaluation. The IT and cyber landscape has changed dramatically in recent decades, with connectivity becoming increasingly prevalent. All of these factors have greatly complicated the evaluation and decision-making process, and have made it a requirement to have new and innovative approaches to manage cyber risks. Cybersecurity assessments to have full visibility into all connected devices are therefore a key requisite not only prior to the acquisition, but continually throughout the integration process as well,” says Yusoff.
The survey highlights the following findings:
Proper cybersecurity evaluation takes time, but acquisitions often run on fast track. Many deals face a race to get across the finish line. Only 34 per cent of respondents in Singapore strongly agree that their IT team is given adequate time to review a target’s cybersecurity standards, processes and protocols before completing an acquisition.
Connected devices and human error put organisations at risk. When asked what makes organisations most at risk during the IT process, Singaporean respondents identified human error and configuration weakness (63 per cent) and connected devices (59 per cent). Devices often get overlooked and missed during integration as over half (57 per cent) of ITDMs say they find unaccounted devices, including IoT and OT devices, after completing the integration of a new acquisition.
Prevalence of cybersecurity issues. Half (50 per cent) of survey respondents report their organisation has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy. Further demonstrating the potential consequence of a security incident, undisclosed data breaches have become a deal breaker for most companies. 78 per cent of respondents agreed that a company with an undisclosed data breach is an immediate deal breaker in their company’s M&A strategy.
Internal IT teams may lack the skills to conduct cybersecurity assessments. Among Singaporean ITDMs, only 31 per cent strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition. Due to lack of resources, organisations must allocate outside resources to their cybersecurity assessments and/or may not be able to complete a robust assessment.
In Australia, major commercial cybersecurity breaches appear to be on the rise too, given Australia has already experienced three data breaches in June alone. Popular fashion e-tailer Princess Polly, property valuer LandMark White and the Australian National University (ANU) were all hacked, exposing sensitive data of students from nearly two decades.
Commenting on the latest high-profile breach, Sanjay Aurora, Managing Director APAC at global AI cybersecurity firm Darktrace, says no one is immune to attack.
“The ANU case isn’t isolated – no organisation is immune to these slow and stealthy attacks. But identifying a breach months after the attackers have infiltrated the network is fighting a losing battle. Companies need to turn to AI technology, which is capable of stopping threats within seconds of emerging on the network. Though there is no silver bullet in the fight against cyber-crime, using machines to help fight back on our behalf is our best line of defence,” says Aurora.