Data is rapidly becoming one of the most valuable assets in the modern world. The digital giants that monopolize data are arguably the most powerful companies in the world, prompting ongoing conversations about anti-trust legislation and digital privacy.
If the most robust defence system in Singapore can be infiltrated, how can businesses, including SMEs, deal with the challenge of protecting their information systems and digital assets (financial information, customer data, intellectual property)? The reputational and regulatory implications of failing to do so continue to raise the stakes of cyber security and governance. Investors and regulators are increasingly challenging boards to step up their oversight of cybersecurity and calling for greater transparency around major breaches and their impact on the business.
The Origin Of Data Breaches
Data breaches have gained widespread attention as businesses of all sizes become increasingly reliant on digital data, cloud computing, and workforce mobility. With sensitive business data stored on local machines, on enterprise databases, and on cloud servers, breaching a company’s data has become as simple – or as complex – as gaining access to restricted networks.
Data breaches did not begin when companies began storing their protected data digitally. In fact, data breaches have existed for as long as individuals and companies have maintained records and stored private information. Before computing became commonplace, a data breach could be something as simple as viewing an individual’s medical file without authorization or finding sensitive documents that were not properly disposed of. Still, publicly disclosed data breaches increased in frequency in the 1980s, and in the 1990s and early 2000s, public awareness of the potential for data breaches began to rise.
Past Data Breach Cases That Have Happened to Singapore Companies
In 2018, Singapore suffered its worst ever data breach when inadequate cybersecurity at SingHealth saw a quarter of the population’s medical records stolen. A total of 1.5 million SingHealth patients’ non-medical personal data were stolen, and 160,000 of them had their dispensed medicines’ records taken as well, according to MCI and MOH. Their personal data, such as name, NRIC number, address, gender, race, and date of birth, were stolen along with Prime Minister Lee Hsien Loong’s personal data. With the lack of cyber security practices in Singapore, Singaporeans are worried that their stolen personal data could be used in targeted phishing attacks at a later date.
In 2019, the systems at ST Logistics affected by the malware contained full names and NRIC numbers and a combination of contact numbers, email addresses or residential addresses of about 2,400 Mindef and SAF personnel. The incidents involved third-party vendors, the HMI Institute of Health Sciences and ST Logistics. The affected server primarily contained backup information on 120,000 individuals, such as their full names, NRIC numbers, dates of birth, home addresses and email addresses, depending on the course they had enrolled in or applied for.
In 2021, the personal information of nearly 130,000 Singtel customers, including their NRIC details, was stolen after a vendor’s file sharing system was breached. Singtel uses the system provided by US company Accellion to share information internally as well as with external stakeholders and organisations. The data breach occurred on a file-sharing system called File Transfer Appliance, a two-decade-old product that is provided by Accellion to a number of companies, including Singtel. Nearly 130,000 Singtel customers have had their personal information stolen, including their NRIC numbers, and some combination of names, dates of birth, mobile numbers and addresses. Bank account details of 28 former Singtel employees were also stolen, as were the credit card details of 25 staff members of a corporate customer with Singtel mobile lines.
How Can You Build A Strong Cyber Security to Prevent Data Breach?
It is becoming commonplace to hear of big security breaches. Consumers wonder how this keeps happening. It would seem like every company should be taking their data security very seriously. After all, a data breach typically costs millions of dollars and tarnishes the company’s reputation.
- Limit access to your most valuable data.
In the old days, every employee had access to all the files on their computer. These days, companies are learning the hard way to limit access to their more critical data. After all, there is no reason for a mailroom employee to view customer financial information. When you limit who is allowed to view certain documents, you narrow the pool of employees who might accidentally click on a harmful link. As corporations move into the future, expect to see all records partitioned off so that only those who specifically need access will have it. This is one of those common-sense solutions that companies probably should have been doing all along.
- Third-party vendors must comply.
Every company does business with a wide array of third-party vendors. It is more important than ever to know who these people are. Companies can even open themselves up to lawsuits by allowing strangers to enter their premises. What if the guy who delivers office supplies just got out of prison? It’s something to think about. In addition, be sure to limit the types of documents these vendors can view.
Though precautions like this can be a hassle for the IT department, the alternative could be a multi-million-dollar data breach. For those companies that can view your important data, demand transparency. Make sure they are complying with privacy laws; do not just assume. Ask for background checks for third-party vendors who must enter your company on a regular basis. CEOs need to get tougher on security if they really want to instigate change.
- Conduct employee security awareness training.
According to recent surveys, employees are the weakest link in the data security chain. In spite of training, employees open suspicious emails every day that have the potential to download viruses. One mistake that employers make is thinking that one training class about cybersecurity is enough. If you are serious about safeguarding your important data, schedule regular classes each quarter or even monthly.
At Aventis, we offer a suite of cyber security courses, one of which is the ‘Cyber Attack & Data Breach Preparedness, Response & Compliance Workshop’. This 1 Day hands-on workshop aims to equip you with the core competencies to devise and implement policies & practices required by data protection laws and ensure compliance in a cost effective and productive manner. Using the most recent real cases and scenario analysis, including previously imposed legal penalties, fines, business limitations, and licence revocations, this practical workshop will provide you with the most current understanding of the evolving regulatory scrutiny, consumer expectations and emerging risks.
- Update software regularly.
Professionals recommend keeping all application software and operating systems updated regularly. Install patches whenever available. Your network is vulnerable when programs are not patched and updated regularly. Microsoft now has a product called Baseline Security Analyzer that can regularly check to ensure all programs are patched and up to date. This is an easy and cost-effective way to strengthen your network and stop attacks before they happen.