Data breaches: it is a matter of when, not if, your organisation is breached. This is probably the most over-used adage we hear these days. When a company suffers a data breach, whatever its size, an initial wave of panic spreads throughout. How much data is missing? What data is gone? How was the system infiltrated? These are just some of the questions asked by executives at companies big and small alike.
Cyber security breaches represent a growing and costly global threat, and one that most organisations are not prepared for. Given the speed at which hackers and criminals operate, the sophistication of their tools, and the fact that a breach may go undetected for some time, effective and proactive management of cyber security risk is a prerequisite for companies in this era. The time to put measures in place to protect your company is now.
Data breaches at the hands of sophisticated hackers may capture the most headlines, but a recent study shows that the vast majority of data breach incidents, approximately 88 percent, result from "insider negligence", which can be as innocent as an administrative assistant who inadvertently tosses sensitive data into the trash.
Over the last few years we have seen our fair share of data breaches in the entertainment, securities and healthcare sectors. Such breaches will only grow in frequency and intensity as the attack surface expands, unless we are diligent in upping the cyber security ante. In reality, there is no "one size fits all" approach to risk management that is sufficient to deal with all types of cyber risk facing all companies.
The appropriate level must therefore be determined by each company for itself. This broad approach to combating risk is explicitly recognised by the Personal Data Protection Commission (PDPC) in its guidance on the PDPA (paragraph 17.5), which requires organisations to meet the Act's Protection Obligation (section 24 of the PDPA) by putting in place, among other safeguards, "technical measures" to prevent unauthorised access to personal data. Moreover, within the last three years the Monetary Authority of Singapore (MAS) has issued two circulars to the Financial Institutions (FIs) it supervises focusing on cyber security. The first circular concerned the technical and internal control processes FIs should implement to detect cyber intrusions early, while the second set out the MAS expectation that FIs put in place technology risk and cyber security training programmes for Board members and senior management. This is in addition to the MAS Technology Risk Management Guidelines, which FIs in Singapore have used to strengthen their cyber security posture. Even if your company is not one to which these circulars were addressed, they contain information and suggestions that may help in addressing the cyber risks facing your company.
There is some guidance available to assist companies in deciding the required level of security, and some "market standards" are emerging. Examples include an emphasis on encryption of personal data and the adoption of recognised security standards, such as the Payment Card Industry Data Security Standard (PCI DSS) wherever payment card details are stored, processed or transmitted. Keep an eye out for new standards and be prepared to implement them when they emerge. The MAS circular provides a list of minimum areas which the board and senior managers should cover in any cyber security risk management assessment.
We would advise that companies perform a self-assessment of the risks they face and of the measures they can take to minimise those risks. It may help to consider the various sources of cyber security threats separately: a different response is required to protect against external hackers than to prevent the internal risk of data being leaked by disgruntled employees or former employees.
One option, among others, is to encrypt personal information held electronically whose loss or theft would cause damage or distress. However, encryption alone may prove insufficient in the face of a breach: an attacker who compromises a system holding the decryption keys can read the data as easily as the application does. Other measures must therefore be adopted alongside encryption, such as access controls, monitoring, and maintaining appropriate technology to achieve cyber security.
The Cyber Security Agency of Singapore (CSA) oversees and coordinates all aspects of cyber security for the nation. CSA is empowered to develop and enforce cyber security regulations, policies and practices. It has identified 11 Critical Information Infrastructure (CII) sectors, which cut across utilities, transport and services.
Cyber security is vital for the continued success and growth of a business. It therefore needs and deserves regular consideration at board level. Like any other significant risk, it should be assessed and reviewed on a regular basis, taking into account the evolving likelihood and impact of a breach. MAS places emphasis on the board and senior management taking a proactive role in ensuring effective cyber security. CSA works with the operators of the CIIs to raise their resilience and maturity in the face of cyber-attacks.
In Singapore, a government-level Monitoring and Operations Control Centre has been set up to complement the Cyber-Watch Centre. Together these institutions are designed to strengthen the Singapore government's ability to detect, guard against and respond to cyber threats.
Likewise, companies should take steps to make it easier to recover from, and so minimise the impact of, any breach, such as segmenting and air-gapping their networks so that a compromise in one area cannot spread to other areas of the network. Note that an air gap is only as good as the controls on what crosses it: removable media and temporary maintenance connections are the usual ways it is bridged.
- Cecil Su, Director of Technology Risk Advisory, BDO LLP -