Dismissive attitude towards data security makes firms here vulnerable to cyber attacks, senior official warns

SINGAPORE — Companies and organisations here tend to neglect the importance of securing their internal data, making them vulnerable to online attacks, said a senior cyber security official days after news emerged of an unprecedented breach at SingHealth.

"We have seen decision makers dismiss data governance work during (the) project implementation phase, assuming it can be saved for later," Mr Ng Hoo Ming, deputy chief executive of operations at the Cyber Security Agency of Singapore (CSA), told an information security conference on Wednesday (July 25).

"This is precisely the type of thinking that leads to a lack of data governance and the entry of cyberattacks."

In his keynote address at the RSA conference for Asia-Pacific and Japan, Mr Ng urged outfits here to do more to strengthen their data governance frameworks, and to develop a clear contingency plan which can be activated in case of a major cyber attack.

Such frameworks spell out how organisations secure and manage their data. Without them, organisations would be in the dark about where their data resides, or who has access to critical information.

"This is exactly why it takes an organisation a while to identify that they have been breached, and usually, on a larger than expected scale," Mr Ng noted.

His comments came days after news emerged that hackers had broken into SingHealth's systems to steal the demographic data of some 1.5 million patients. The outpatient medication records of 160,000 patients – among them Prime Minister Lee Hsien Loong – were also stolen.

Police are investigating the breach involving Singapore's largest healthcare group. No suspects have been named to date, though many experts believe the attack could be a state-sponsored effort. 

On Wednesday (July 25), the Securities Investors Association (Singapore) (Sias) informed its members that personal data of some 70,000 members were stolen five years ago. The data included names, NRIC numbers and telephone numbers. It noted though, that the records were not amended or deleted. The breach was discovered only recently.

Singaporeans have been the victims of several notable online breaches in recent years, including an attack on ride-hailing firm Uber in 2016 that resulted in the theft of the personal information of 380,000 users here.

Citing a CSA report last year, Ng warned that personal data breaches in Singapore were "growing in scale and frequency", with "significant disclosures" coming from tech companies last year.

The Singapore Computer Emergency Response Team (SingCERT) has also witnessed more organisations, both public and private, falling victim to cyber attacks, he added.

Such online breaches are significant threats as the stolen data can be sold in underground markets, or be used for identity thefts and other fraudulent activities.

While Singapore needs more and better skilled cyber security practitioners, what's more critical going ahead is for organisations here to take the matter seriously and start taking steps to beef up their data governance frameworks, said Mr Ng.

He stressed that the push for efficiency and convenience should not come at the cost of data protection or cyber security, adding: "There must be no trade off between the two, we must strive for both just as much."