By Henry J. Schumacher
You remember the Singapore Health breach, which was arguably the most severe personal-data breach in Singapore? The prime minister’s personal data was stolen by a malicious attacker in an advanced persistent threat (APT) attack, along with almost 1.5 million other patients’ personal data.
Following an extensive investigation, the Committee of Inquiry (COI) submitted a 400-page report to the Singapore Minister of Communications and Information.
Here are five tips from the COI report that all organizations can implement immediately:
1. Conduct relevant training for all levels—management, managers and staff
This data breach started with a phishing ploy by the hackers. Phishing ploys are a real threat which all organizations must guard against, and guarding against them costs relatively little.
Hackers may direct their phishing attacks at an organization because they want to steal data from that organization, or because they want to use it as a Trojan Horse to penetrate the IT systems of the organization’s customers or vendors. The management of an organization must be critically aware of all of these possibilities. For instance, a 2013 data breach at Target, which affected 110 million consumers, reportedly stemmed from a phishing attack on their heating, air-conditioning and refrigeration vendor.
Hence, to prevent this from happening in your organization, it is crucial to ensure that all members, from management to rank and file, receive relevant training.
2. Review and operationalize policies
A Citrix Local Administrator (LA) had a weak password for their account. A weak password creates risks for an organization. In the case of SingHealth, this risk was exacerbated by information security policies that were not enforced: for instance, passwords were supposed to be changed periodically and more complex passwords were to be encouraged.
Generally, an organization needs personal data protection policies and an information security policy (including a password policy). Many organizations may not have them, or they may have outdated policies or may not have communicated their policies regularly to their staff.
An organization should have developed and implemented a data-protection management program (which includes information security), yielding the information necessary to enable relevant policies to be created. Such a program also includes training and continuing staff awareness, as well as regular review to ensure the policies are updated from time to time as circumstances in the organization and its operations change.
3. Craft/review incident response plan and test via tabletop exercises
The COI report made many remarks noting the lack of a proper incident reporting framework for front line staff. The report noted that there was no formal system in place for recording investigation findings for use during incident response. Had there been one in place, the team would likely have been able to seize the opportunity to prevent the attack.
After crafting an incident response plan, your organization should be sure to conduct tabletop exercises. The value of such tabletop exercises is significant, even if not apparent when first mentioned, and they cost little more than the time taken to run them. In practice, simulating the response to an attack is generally invaluable: gaps are often found in the simulation and then remedied, which better prepares your staff’s readiness when there is an incident to which your organization needs to respond. This approach is trained in the Hands-On Data Protection Officer (DPO) Training which is available in the Philippines.
4. Develop and implement a data-protection risk-management program
The COI recognizes that cyber security is not merely a technical issue and, therefore, recommends approaching it as a risk-management issue. The key benefit of approaching cyber security as a risk-management issue is that it then involves departments within the organization that handle personal data. This enables your organization to identify all the relevant risks, and to formulate and implement a data-protection risk-management plan to mitigate them.
Your organization may wish to consider managing the data-protection risk-management exercise with a data-protection management system for greater efficiency. The DPMS software is offered in the Philippines.
5. Create an appropriate governance structure and conduct audits
Data protection is a continuous effort. After the initial development and implementation of their data-protection policies and practices, organizations must be able to ensure that they continue to be monitored and sustained.
Establishing and implementing an appropriate personal data governance structure is a fundamental part of any organization’s data-protection management program. It is intended to ensure sufficient and proper representation of all departments across the organization that have a role in handling personal data. In addition, it provides a framework to offer clear guidance to the staff both in operations and in incident response.
Is it worth the effort?
Every data breach is one too many. As attacks get increasingly sophisticated, no organization can expect to be excluded as a target. Therefore, if your organization implements the five tips we have learnt from the SingHealth COI, your organization would have appointed the right people to put in place the key elements of an inclusive data-protection management program that involves top management, middle managers and staff.
If you need support in implementing the five tips, please don’t hesitate to contact me at Schumacher@eitsc.com.