Singapore's government agencies will roll out several new "technical measures" for existing and new systems, including automated detection of emails containing sensitive data and stronger encryption for files. These are part of "interim" recommendations deemed necessary following a review of the public sector's cybersecurity infrastructure and policies, which itself was carried out after a series of data breaches involving government entities.
A committee set up to evaluate how the government secured and protected citizens' data released its initial findings on Monday, stressing a need to boost the sector's data security regime amidst rising threats. It added that government systems were increasingly complex and there was growing demand for the use of data to facilitate digital services for the public. Data also was necessary to support policy making, said the committee, which was led by Singapore's Senior Minister and Coordinating Minister for National Security, Teo Chee Hean.
It noted that it was completing its review, which included a "government-wide stocktake" of data management practices and inspections of key IT systems. In particular, these assessments had focused on the IT environments of five government agencies that managed high volumes of sensitive data, including the Inland Revenue Authority, Health Promotion Board, and Ministry of Health.
Several public IT systems in Singapore had been impacted by data breaches over the year, resulting in the personal information of 808,201 blood donors and 14,200 individuals with HIV being compromised. Personal data of another 1.5 million SingHealth patients also was compromised last July in what was described as Singapore's most serious data security breach.
Emphasising the government's duty to use citizens' data "responsibly and securely", the committee said public trust in this aspect was fundamental to the country's smart nation ambitions.
Its recommended approach focused on three key areas -- technical, process, and people -- and encompassed "interim" technical steps that it said should be immediately implemented to beef up data security standards in the public sector. These would ensure data integrity is checked to prevent malicious modifications of data in transit as well as allow for enhanced encryption to be adopted. Email messages containing sensitive content also would be automatically detected.
In addition, the committee underscored the need for further measures to be deployed to strengthen data access controls.
The right processes also must be in place to enable government agencies to safeguard against data security threats and know how they should detect and respond quickly should such attacks occur, so as to contain the threat and minimise its impact.
The committee said it was currently evaluating data security rules and guidelines, which had been adapted from global best practices, that should be implemented within the public sector. These include measures to better ensure data protection standards amongst third parties that handle government data.
It added that better procedures were needed with regards to notifying and supporting members of the public, who had been impacted by data security incidents,
The competence and confidence of civil servants to use and protect data also would be critical, said the committee, which noted that it was putting in place measures to increase data security capabilities in the country. These included skills-upgrading and initiatives to raise data security awareness across the public sector. A strong data security culture amongst civil servants also was essential, it added.
A full report on its findings and recommendations is scheduled to be submitted to the prime minister by November 30 this year.
Following several breaches involving government entities, Singapore's prime minister has assembled a committee to review data security practices in the public sector, but the government stands firm on excluding these agencies from the country's Personal Data Protection Act.
Cyber Security Agency says the number of common cyber threats, including website defacements and phishing, dipped in Singapore last year, but expects to see more frequent data breaches and disruptive attacks against the cloud in the near future.
Following a spate of data breaches affecting healthcare patients in Singapore, another lapse has occurred. A server containing personal information of 808,201 blood donors was not properly secured by a third-party vendor, potentially exposing data such as blood type and national identification number.
Hackers that compromised the data of 1.5 million healthcare patients have been identified as a group that launched attacks against several organisations based in Singapore, including multinational firms with operations in the country, and is likely part of a larger operation targeting other countries and regions.
Having gone through the mayhem of WannaCry, UK healthcare agency National Health Service underscores the importance of investing in and building up cybersecurity defences as well as ensuring the leadership team recognises the importance of security.
Businesses that handle customer data should be expected to do so with all the appropriate cybersecurity systems and polices in place, rather than provide these as a "value-add service", and it's time the Singapore government holds those that fail to do so accountable.