Parliament Sitting on 1 April 2019 QUESTION FOR WRITTEN ANSWER *2707. Ms Joan Pereira: To ask the Minister for Communications and Information (a) whether the Ministry will make it mandatory for all employees in the Government and private sectors to attend courses relating to cyber security; and (b) beyond Internet separation policies, what else is being done to equip employees with the correct mindset towards cybersecurity. Answer: Mr Speaker, the Government is committed to build a strong cybersecurity culture in Singapore, both in the public service and the private sector. Training our people to be aware of cyber threats, and effectively detect and respond to malicious cyber activities, is key. 2 Within the public sector, the Government had introduced an IT security awareness programme in July 2018. It is mandatory for all public officers to complete the course by end of the year to educate all public officers of emerging cyber threats and the cybersecurity measures to take. There is also an annual Cyber Safe Cyber Ready Conference to enhance cyber awareness within the public service, and regular cyber exercises to sharpen the IT security incident response of our public sector agencies. These measures build up our public officers’ understanding of cybersecurity. 3 Within the private sector, the Cyber Security Agency of Singapore (CSA) enhances cybersecurity awareness and practices through a variety of channels, such as talks, conferences and CSA’s GoSafeOnline portal. CSA has also developed resources such as the Be Safe Online Handbook, launched in 2018, which explains what organisations should do to enhance their cyber defence capabilities such as using only authorised software, and updating systems regularly. CSA’s “Cyber Tips 4 You” programme also educates the public on four essential cyber hygiene practices to adopt – to use a strong password and two-factor authentication, use anti-virus software, update software as soon as possible and to watch out for signs of phishing. 4 Additional requirements are placed on enterprises that own Critical Information Infrastructure (CII), which are computers or computer systems supporting the provision of our essential services. All CII owners must fulfil their legal obligations under the Cybersecurity Act, including establishing cybersecurity awareness programmes for their employees, contractors and vendors, and participating in cybersecurity exercises to validate their responses to cyber incidents. 5 Mr Speaker, our cyber defences are only as strong as our weakest link. Every individual plays a critical role in safeguarding our cyberspace. The Government will continue to work with the private sector, individuals and the community to instil a strong cybersecurity culture, and strengthen Singapore’s Digital Defence.