Guarding against common types of data breaches in Singapore

A cyber-attack is real possibility. Cyber-attacks have increased dramatically in the last year, particularly with remote working due to the COVID-19 epidemic. The Cyber Security Agency of Singapore released its 2020 report on July 8, 2021, reporting a 154% increase in recorded ransomware attacks – a total of 89 cases compared to 35 in 2019.

The attacks primarily impacted small and medium-sized firms (SMEs) in the manufacturing, retail, and healthcare sectors, as they are less equipped and prepared to defend themselves against cyber-attacks. The surge in such attacks serves as a clear message to enterprises to invest resources to defend their systems and plan for cyber-attacks.

To protect your Organization against common types of data breaches in Singapore, here are recommendations proposed by the PDPC based on various issues faced:

Data breaches in Singapore due to Coding Issues

Design before coding. Design before coding and undertake extensive impact analysis (e.g., traceability and dependency analysis) of any software or code modifications to identify the potential implications of these changes. Organizations should also carefully document their code design, updates, and analysis for proper assessment, review, and verification.

Invest effort to document all software functional and technical specifications. The value of this documentation will become clearer as the original developers leave the project and new developers take up software maintenance and upgrades. Without good documentation, developers frequently have no references to rely back on and may wind up making inaccurate assumptions about code logic.

Ensure that the program has been properly tested, including unit testing, regression testing, security testing, and user acceptance testing (UAT). Most organizations fail to recognize that effective testing can assist them in identifying programming flaws before launching a system. Adequate testing resources should be assigned, and a thorough UAT should ensure good test coverage of scenarios, including various user journeys and exception handling. Organizations must also confirm that the proposed UAT scenarios correspond to real-world usage. This can be accomplished by a thorough collection of business requirements and identifying relevant usage scenarios by possible users. The firm owner should be in charge of these.

Perform code reviews. In addition to examining their own code, code authors can perform peer code reviews, which can be useful for discovering programming problems and supplementing other forms of testing. A code review can be quite successful when undertaken by an experienced developer.

Also Read: What you need to know about appointing Data Protection Officer in Singapore

Data breaches in Singapore due to Configuration Issues

harden system configuration instead of relying on default settings to be sufficiently secure, by making suitable adjustments to settings. Here are a few examples:

• Firewall configuration: By default, block all traffic and allow only particular traffic to identified services.
• Turn off any services that are not in use while configuring your web server.

Automate the build and deployment processes to reduce the number of manual stages and, as a result, the likelihood of a human mistake. For example, instead of manually typing out commands each time a new build of an application is necessary, execute prepared scripts. This can reduce typing errors and the potential to miss out on commands or deploy the new build to the wrong environment.

Systematically manage configuration settings:

• Create a baseline configuration settings document. This baseline should be updated and reviewed regularly. This serves as a reference point for configuration changes and restoration, and it is also useful if the server needs to be rebuilt.
• Establish configuration management, code management, and code deployment protocols. This guarantees that configuration updates are managed methodically.
• When troubleshooting, make a note of any configuration changes you make. This is useful for review, updating the baseline, or reverting to previous settings if necessary.
• Conduct regular security reviews and testing to ensure that the actual configuration settings in use conform to the stated values.

Data breaches in Singapore due to Malware and Phishing

Conduct phishing simulation exercises regularly to train your employees to be wary. This is in addition to any existing employee education. Organizations should put mechanisms in place to routinely assess their employees’ level of awareness.

Educate staff and remind them regularly to be on the lookout for phishing and other forms of social engineering. Even with the most modern security systems in place, careless employees’ activities can give an entry point for cyber-attacks.

Consider restricting Internet access, especially if endpoints have direct access to substantial volumes of personal or sensitive data. When these endpoints, such as employee laptops, are compromised, the risk of personal data exfiltration increases.

Ensure that any personal information in your Organization’s possession is automatically and routinely backed up. Ransomware’s goal is to disrupt business operations by preventing access to operational data. Regular backups can be a successful recovery strategy. Backups should be performed offline and kept off-site for increased security. It is also critical to ensure that the backup data can be restored.

Data breaches in Singapore due to Security and Responsibility Issues

Instead of using real data, create synthetic data (false personal data or data anonymized from real data) for development and testing in non-production situations. Synthetic data can be generated from scratch using commercial tools1 or anonymized production data2.

Controlling access to personal data is an excellent way to keep it safe. Without suitable access control procedures (e.g., requiring user login), any webpage or document on a publicly available website/web application can be indexed by search engines and appear in search results, making it easily accessible to anybody.

Assign unambiguous responsibility for ICT security to the designated individual(s) or team. During maintenance, system patching, security scanning, and log file anomaly detection are all examples of ICT security. This can be done by your company, a competent vendor, or through a joint/split arrangement. If it is to be done by a vendor, explicitly identify the contract’s scope of work and areas of responsibility.

Data breaches in Singapore due to Accounts and Passwords

Review user accounts regularly and delete accounts that are no longer needed.

Make certain that no credentials are exposed in code or configuration files. Declare this clearly in your ICT policy, and make sure your employees and vendors are aware. During the security assessment and scanning process, keep an eye out for such dangers.

Reduce the possibility of brute force attacks. Allowing unlimited unsuccessful login attempts makes a system more vulnerable to brute force assaults. A hacker can attempt an infinite number of logins. Locking the user account after a predetermined number of failed login attempts, adding a delay after a failed login attempt, or utilizing CAPTCHAs are all ways to prevent or slow down brute force assaults.

Adopt and put in place a robust password policy. Organizations can use the following password best practices:

• Enforce a password history policy to prevent employees from reusing past passwords.
• Encourage users to use passwords that are long and difficult yet easy to remember, such as “Iwant2l@se10kg.”
• Users should be discouraged from using the same password across several systems.

Some administrative accounts should be subject to stricter criteria. Access to administrative accounts with 2FA or MFA would require an additional round(s) of authentication, such as a temporary code sent securely to the administrator’s mobile phone. As a result, simply using a stolen password to access an account will not suffice. This is critical for administrative accounts to systems that hold vast amounts of personal data or personal data that is confidential or sensitive because a breach of such data could negatively impact the individuals impacted.

Also Read: Vulnerability assessment Singapore: The complete checklist