CSA enhances security advice with cloud, AI, OT additions to accreditation schemes

The Cyber Security Agency of Singapore (CSA) last week expanded its Cyber Essentials and Cyber Trust certification marks to include cloud security, artificial intelligence (AI) security, and operational technology (OT) security. In the expanded Cyber Essentials, companies can get advice on protecting themselves against the most common cyberattacks related to cloud, AI, and OT. For Cyber Trust, these three new areas have been added to its examination model: risk, security planning, and risk treatment. The development simplifies security needs in the new areas for organizations, especially SMEs, and makes adopting good digital health practices easier.

The expansion was announced by Tan Kiat How, senior minister of state for digital development and information and national development, at a launch event with about 120 guests from the cybersecurity industry, trade associations, and small and medium enterprises (SMEs). The CSA said that attaining the Cyber Essentials or Cyber Trust mark signals an organization’s commitment to robust cybersecurity practices, enhancing its reputation and trust among customers. CSA is assessing the possibility of requiring companies that are given access to sensitive data to get these marks before they can be licensed or pay for government contracts.

The government may even take the lead in using cybersecurity considerations in its purchasing choices. SMEs can get help with implementing cybersecurity measures aligned to the Cyber Essentials mark from CSA’s Chief Information Security Officer (CISO) as-a-Service scheme. CSA offers up to 70 percent co-funding for qualified SMEs to engage security consultancy services.

The expanded Cyber Essentials guides organizations on how to secure their OT environment and maintain OT/IT convergence properly. For example, as OT typically has longer investment cycles than information technology (IT), OT environments could have older devices and/or systems that may not support strong access control measures such as secure passphrases. Companies should therefore put in place compensating controls, such as or community classification.

As for Cyber Trust, an example of a risk scenario is one where an organization’s OT vendor connects its computer, which had been infected from another customer’s system, to the organization’s OT system and infects it.

The CSA said that organizations that use or plan to use AI can refer to the expanded Cyber Essentials content on how to use AI securely. “For example, under the ‘Assets’ category, which focuses on the need for organizations to know their own software assets, it on how an organization can have visibility on third-party AI tools used by its employees but not provided by the organization (also known as ‘Bring Your Own AI’). Organizations should mitigate the associated risks as any compromise could lead to leakage of confidential data,” it added.

As for Cyber Trust, an example of a risk scenario is one where an attacker exploits a weakness in an insecure large language model (LLM) used by the organization and injects malicious content as prompts to manipulate the LLM’s behaviour.

The agency said organizations can now take reference from the expanded Cyber Essentials content to secure their cloud usage. For example, organizations should refer to the cloud shared responsibility model in determining the scope of work with their cloud service provider, as well as ensure that their cloud-using employees put in place measures to secure user-level settings in the cloud.

As for Cyber Trust, organizations are guided through a list of cloud-related risk scenarios to make their own cybersecurity assessments according to their risk profile. For example, in one scenario, the attacker exploits an insecure application programming interface (API) in the organization’s cloud service and gains unauthorised access to the organization’s data or disrupts the delivery of its cloud services.

The CSA said that at the launch event, over 20 guests from SMEs participated in an incident response scenario role-play game from the agency. The game, titled ‘Cyber Essentials in Action,’ assigned participants roles such as SME owner, communications manager, or IT manager. In their respective teams, they received game cards with common cybersecurity incident scenarios and a range of action options, from which they had to identify the correct ones. The game is part of CSA’s suite of free cybersecurity toolkits for organizations to engage their staff in a more novel way.
