The Cyber Security Agency of Singapore (CSA) released the Second Edition of the Cybersecurity Code of Practice for Critical Information Infrastructure (CCoP 2.0) to further improve the defense of Critical Information Infrastructure (CII).
As in other countries, CIIs include:
- Banking & Finance
- Transport (Land, Maritime, Aviation)
- Government Infocomm Media
- Security and Emergency Services
There is cause for concern in the island state: in 2021, 65% of organizations in Singapore were victims of ransomware, against 25% in 2020. Transportation, one of the CIIs mentioned above, suffered an increase of 67% in attacks.
In simple terms, Singapore is looking for better security measures to protect its critical infrastructure from cyber attacks. As threats become more sophisticated and state-backed attackers become more prominent threat actors, Singapore joins other countries in tightening its defenses through more detailed compliance.
The Central Role of Security Awareness in the CCoP 2.0
As several reports in recent months have shown, the human factor is at the forefront of data breaches and attacks. For example, Verizon claims that 82% of all data breaches are human-based.
Accordingly, the CSA dedicates a chapter to Security Awareness and how CIIs must address “proper cyber hygiene.” From the CCoP 2.0 document:
“Being aware of the evolving cybersecurity threats and being equipped with the essential cybersecurity skillsets enable the CIIO to recognize cybersecurity threats and mitigate them in a timely manner.”
CCoP 2.0 excerpt
According to the CCoP, the CIIO (Critical Information Infrastructure Owner) is responsible for creating and managing Security Awareness programs in the organization and for the cybersecurity awareness of employees and external vendors. This addition is important because of the high risk of Supply Chain Attacks in critical infrastructure organizations.
The CCoP describes Security Awareness programs in terms of format, periodicity, and metrics. In other words, the code ensures that Security Awareness programs for critical infrastructure organizations in Singapore are continuous and effective and that the infrastructure owners will be held accountable for their results.
The expectations for employees are as described in the document:
“Cybersecurity training aims to equip employees with the required cybersecurity skills to effectively perform their roles and responsibilities. It is important for employees to have the necessary skillset in identifying cybersecurity threats and vulnerabilities for timely remediation.”
CCoP 2.0 excerpt
5 Reasons Why Security Awareness Should be a CCoP Priority
The IT/OT bridge
People sit in the middle of information technology and operational technology systems, which is always a concern with critical infrastructure. Developing a security culture means that users will safeguard the data and the systems that run critical services.
People-first attack vectors
As we said at the beginning, most data breaches start with users. And many attack vectors demand high awareness: phishing, smishing, social engineering, identity theft, credential compromise, and others.
Cybersecurity infrastructure budget decisions
Well-structured Security Awareness programs deliver actionable metrics that support informed decisions on vulnerabilities (we’ve said that in this article). With these numbers in hand, CIIs can make better decisions on investing in infrastructure to support their cybersecurity initiatives.
InfoSec teams need the relief to work on other CCoP priorities
Security Awareness is just one of the CCoP priorities. However, if you have users who know how to detect and mitigate threats before they reach InfoSec systems and admins, there’s less operational stress.
Security Awareness results can be a quick win
When done right, such programs can show outstanding results in the first 12 months. The culture change is reflected in training performance, suspicious emails reported, and so on.
Automated Cyber Awareness + CCoP 2.0
Under these guidelines, just delivering traditional Security Awareness training is not enough. Constant refreshing, actionable success metrics, and quizzes and surveys that truly measure whether knowledge gaps are being filled all require modern Security Awareness programs.
The mix of automation, customizable content, user-friendly interfaces, and drill-down metrics ensures compliance and results for Critical Information Infrastructure Owners and secured CIIs.
Here are the main benefits of an automated Cyber Awareness program:
- Targeted Training delivers the content users need the most (based on their vulnerabilities) at the time they need it the most (based on their learning curve).
- Custom Content enables admins to improve results with content close to the organization’s culture and language.
- Risk Ratings allow admins to measure program effectiveness by employee, department, branch, and organization.
- Automated onboarding and deployment allow better output with the same headcount and budget.
- A user-friendly, mobile-first platform respects the users’ schedules and lifestyles, allowing for a better learning experience.
How about trying automated Cyber Awareness in your environment? If you’re looking for CCoP 2.0 compliance, or if you’re looking for an upgrade in your Security Awareness programs, request a trial today!