By: Jess Ng, Country Head, Singapore & Brunei, Fortinet

In today’s digital-first era, Singapore faces a critical juncture in its approach to cybersecurity. With the growing adoption of hybrid and remote working models, the vulnerabilities within our digital infrastructures have never been more exposed. A 2023 survey commissioned by Fortinet, in collaboration with IDC, sheds light on this pressing issue. It reveals that an overwhelming 92% of Singaporean organizations are operating under hybrid or fully remote models. This shift has inadvertently led to a significant increase in security incidents, with 70% of these organizations witnessing at least a twofold rise in such events.

Notably, the Cyber Security Agency of Singapore’s (CSA) 2022 annual report echoes these concerns. The year 2022 saw the alarming figures of 81,500 infected infrastructures and 132 ransomware incidents in Singapore. However, despite these rising threats, many companies still perceive cybersecurity as a financial burden rather than a critical necessity. This mindset has led to minimal investments aimed solely at meeting regulatory requirements – a stance that could have dire consequences.

The escalating cyber threat landscape necessitates a paradigm shift in how organizations approach security. Zero trust security, once considered a supplementary measure, is now imperative for safeguarding business continuity. This strategy operates on the principle that all access attempts are potentially malicious, thus significantly reducing the risk of targeted threats.

A recent Forrester report reveals a positive trend across the Asia Pacific region, where 80% of organizations are actively involving senior leadership in championing zero-trust strategies. In Singapore, this movement is gaining momentum, backed by the government’s commitment to fortifying national cybersecurity through the Government Zero Trust Architecture (GovZTA) framework. This initiative aims to enhance the government’s cybersecurity defenses, balancing risk management with user convenience.

In the private sector, the responsibility to fortify defenses against cyber threats is equally paramount. Organizations must adopt a proactive stance, implementing the necessary tools and adopting a mindset that eschews the traditional leniency in access control. Below are three critical steps for effectively implementing a zero-trust security framework:

Controlling access to resources

The first step to building a successful zero-trust strategy relies on security teams understanding their assets and resources and determining the specific access required for employees to perform their jobs. Zero-Trust Network Access (ZTNA) plays an important role by ensuring continuous identity verification for users and devices accessing applications regardless of their location. This reduces reliance on virtual private networks (VPNs) and enhances security through measures like Multi-factor Authentication (MFA). 

When selecting a ZTNA solution, organizations should prioritize those enforcing “least privilege” principles to ensure users access only the necessary applications and files for their roles.

Extending zero-trust to all devices

With the increasing importance of device security, particularly with the growth of IoT technologies, network access controls (NAC) become vital. NAC provides greater visibility into IoT devices, allowing security teams to grant them the minimum network access required for specific functions. This is particularly critical as IoT devices often lack built-in security features and processing power for software installations.

Enforcing zero-trust across various environments 

Zero trust requires seamless integration among various security tools. Organizations, especially those with hybrid networks or multiple cloud platforms, must ensure that their solutions safeguard both remote and on-premises workers. Recognising that the internet is now the perimeter, organizations should apply a level of suspicion to users and devices on the network. Zero trust is fundamentally about verification – ensuring that users and devices have access only when verified and to what they really need.

The internet is the new perimeter and it’s imperative to leverage every available security measure, especially in light of escalating and increasingly sophisticated threats. The core of zero trust lies in meticulous verification, ensuring that users and devices are granted access only to requisite resources, contingent upon successful verification.

Initiating the foundational framework for ZTNA propels organizations toward a trajectory of straightforward, automated secure remote access. This process substantiates the verification of the identities of users and devices on the network. Notably, it empowers network administrators to establish and regulate secure access to the organization’s digital assets. This regulation encompasses scrutiny of user identity, device identity and health, geolocation, time of day, and permissions. Consequently, organizations can alleviate the burdens on IT security personnel while markedly enhancing their security posture.