Singapore government must realise human error also a security breach

Latest data breach involving a government agency may have been the result of human error, but it should still be deemed a security breach and treated as a risk that needs to be addressed, rather than dismissed.
Written by Eileen Yu, Senior Contributing Editor

A recent data breach has highlighted a need for the Singapore government to realise human errors are cybersecurity risks that need to be addressed, and not simply dismissed as mistakes that carry little threat to an organisation's network. The incident exposes a mindset within the public sector that, if left to fester, will put citizens at higher risk and erode public trust in the government's ability to safeguard their personal data. 

Last week, a folder containing personal data of 6,541 individuals was "inadvertently" sent via email to several parties, according to the Singapore Accountancy Commission (SAC), a statutory body under the Ministry of Finance. The error was discovered only months after the first email was sent, when an email protection tool--implemented in October as part of a government-wide deployment--triggered an alert. The incident exposed personal details such as names, national identification number, date of birth, and employment information. 

The data was sent out in multiple email messages between June 12 and October 22 this year to 22 organisations, all of which were later asked to delete the data folder as well as ascertain whether the folder had been forwarded to other parties. The SAC, however, did not disclose if, and how many, other parties had received or accessed the data. 

Asked about further remediation since the incident had been highlighted as a security risk, SAC's chief executive Evan Law told ZDNet in an email: "Sending out this administrative email is not a security risk as it was by mistake that a staff attached the data file."

And asked what efforts the commission was making to ascertain if the personal data had been published online or sold on the dark web, Law replied that all primary and secondary recipients already had provided an official statement to SAC via email, stating that they deleted folder and had not forwarded the folder. 

He did not comment directly on whether the commission was investigating to ascertain the data had not been published online. 

The SAC's response is perplexing. It made no apology for the incident, expressing only "deep regrets" for the "mistake". And apart from chasing down written statements from the 22 organisations declaring they, and whoever they might have forwarded the email to, had deleted the folder, the commission did not appear to have taken any additional steps to ensure the data leak had been fully contained. 

Surely it's naivety on the SAC's part to assume the situation is under control simply because 22 organisations pinky-swore in written statements they had dutifully deleted the compromised data? How difficult is it really to task an IT administrator to check that the data hasn't been published online? Or to engage a security consultant to do a sweep of the dark web to ensure the data is safe? 

More importantly, before dismissing man-made mistakes as "not a security risk", organisations such as the SAC need to consider the stats.  

"Inadvertent" breaches brought about by human error and system glitches accounted for 49% of data breaches, according to an IBM Security report conducted by Ponemon Institute, which estimated that human errors alone cost companies $3.5 million. 

In fact, cybersecurity vendor Kaspersky described employees as a major hole in an organisation's fight against cyber attacks. Some 52% viewed their staff as the biggest weakness in IT security, where their careless actions put the company's security strategy at risk. 

It added that 47% of businesses were concerned most about employees sharing inappropriate data via mobile devices, while careless or uninformed staff were the second-most likely cause of a serious security breach--second only to malware. Some 46% of cybersecurity incidents in the past year were attributed to careless or uninformed staff.

Kaspersky further described human error on the part of staff as the "attack vector" that businesses were falling victim to. 

According to the Kaspersky and B2B International survey, 52% of businesses admit that employees are their biggest IT security weakness, with careless actions or lack of knowledge compromising corporate IT security strategy.

The UK Information Commissioner's Office (ICO) also revealed that, over the past two years, 88% of data breaches in the country were caused by human error. 

In addition, 60% of personal data breaches reported to the ICO in the first six months of this year were brought about by human error, of which 43% were due to incorrect disclosure and 20% were the result of posting or faxing data to the incorrect recipient. Another 18% were due to someone emailing information to incorrect recipients or failing to use Bcc, according to security vendor Egress

Don't just talk the talk

The Singapore government earlier this week pledged to adopt new measures to bolster its cybersecurity posture and improve the way it safeguards public data. 

It said it had spent eight months inspecting 336 systems across all 94 government agencies and looked at best international data security practices in the financial and healthcare sectors, in coming up with the new measures. These had included the email protection tool that eventually alerted the SAC to the rogue data folder. 

Other measures included a need to "inculcate a culture of excellence" around sharing and using data securely amongst government agencies, as well as improve the accountability and transparency of the public sector data security regime. 

But it's not enough simply to say the right words, form the right committees, and establish the right framework and policies. We've all heard it said many times over: a robust cybersecurity strategy shouldn't just encompass the right technology, processes, and policies. It also requires employees to adopt the right mindset and heightened awareness about why even the simplest of errors can prove catastrophic for their organisation.

For starters, the SAC should have been more forthcoming and revealed the exact number of recipients--apart from the 22 organisations--that received the email containing the folder. The names of all recipients also should have be made public. This would put added pressure on these organisations and individuals to ensure the data was indeed removed from their possession as well as from the hands of anyone else to whom they might have forwarded the data.

In endorsing the new data security measures for the public sector, Singapore's Prime Minister Lee Hsien Loong said: "As the custodian of a vast amount of data, the government takes this responsibility very seriously. We must do our utmost to minimise the risk of data breaches. At the same time, when such breaches do occur, it is essential that we detect them quickly, and respond effectively to limit the breach and minimise the harm done."

I hope that means all agencies including the SAC realise how they should handle future security lapses or risk eroding public trust in a government that believes access to data is essential in an organisation's ability to innovate and customise services and processes. Otherwise, the next "inadvertent mistake" might result in a data breach that would impact more than just 1.5 million Singaporeans.


Editorial standards