Securing Singapore’s flexible workers with zero trust

With telework’s benefits ranging from increased productivity to flexibility, enterprises and policymakers recognise that redesigning job requirements will ensure operational effectiveness and sustainability in the long run.

In Singapore, the government is urging businesses to promote flexible work arrangements so that they become a permanent feature of employment for the country’s workforce. As a consequence, organisations need a comprehensive strategy that ensures workers can use personal devices for work purposes securely. However, this requires organisations to break away from perimeter-based security that is tethered to physical office locations.

Now more than ever, it is time to take a prescriptive approach that fully addresses this overlooked element of cybersecurity. Mobile devices like smartphones and tablets are convenient and ubiquitous, but they simultaneously offer access to organisations’ and their employees’ most sensitive data.

Dealing with BYOD

With flexibility coming to define the future of work, mitigating risks that stem from a bring-your-own-device (BYOD) program must be at the heart of businesses’ security posture. Employees increasingly use personal mobile devices to check email and engage in work-related communication, even if they are not authorised to do so. This is where a cybersecurity strategy that has zero trust at its core is crucial to securing valuable resources, while offering employees of Singapore-based firms the flexibility to be productive.

While Asia Pacific’s BYOD security market is anticipated to grow faster than that of any other region in the coming year, there is still much left to do to ensure organisations can harness the benefits of secure work flexibility.

For one, businesses must ensure that mobile device security is part of all security training plans and policies. Additionally, implementing zero trust effectively and investigating threat incidents will require that all devices used by employees are vetted for security before gaining clearance.

User awareness is also crucial for those working on company-issued mobile devices, participating in a BYOD program, or sneaking tasks in on unauthorised personal devices. While security basics — like regularly updated passwords and avoiding suspicious links — are commonplace for the average individual in a tech hub like Singapore, mobile attacks are increasingly sophisticated and can slip under the radar.

Official figures from the Cyber Security Agency of Singapore noted that cyberthreats – such as phishing, ransomware, and online scams – have thrived since the outbreak of the pandemic, which has pushed people to conduct more of their daily tasks online.

In this regard, education is essential, but it is not a silver bullet. Even with proper education, users cannot be the only line of defence. Organisations in the public and private sector must ensure consistent and stringent security policies are implemented.

Indeed, strides are being made to actively defend Singapore’s cyberspace, simplify cybersecurity for end users, and promote the development of international cyber norms and standards. It is commendable that Singapore’s Cybersecurity Strategy 2021 has workforce and ecosystem development as its foundations, ensuring that digital transformation is anchored by the fundamentals of zero trust.

Other ways to minimise cyber risk

At a basic level, zero trust requires device validation before providing access to data and networks, which is especially critical as a broader set of devices enter the network. For organisations, this requires policies that include all potential entry points, especially since mobile devices are vulnerable to infiltration by cybercriminals. Because of this, both the public and private sectors need to dynamically monitor the health of smartphones, tablets, and all mobile devices, restricting access immediately when a risk profile changes.

While there is an assumption that mobile security is accounted for with methods like device management, device management does not offer the protection or the telemetry data needed to implement zero trust or investigate security incidents.

Because so many threats originate on mobile, it is critical that organisations also adopt endpoint detection and response approaches that can examine and operate effectively on all endpoints.

A well-rounded mobile security strategy understands that mitigation is key to detecting and defending against all cyber risks, including application-based threats, network vulnerabilities, and mobile phishing attempts. Once identified, users should receive remediation instructions, so they know the precise actions to take next.