Securing your data is only going to get more challenging

SINGAPORE (Dec 31): In December, news emerged that social media giant Facebook had been playing fast and loose with its users’ data. Internal documents and emails published by the UK government show that the company considered employing the data for strategic and commercial purposes. Advertisers and partners would be sold access to the valuable information, while rivals would be kept out.

The revelations come amid hearings in the UK Parliament on the controversies that the company has been mired in — including allowing its platform to be misused to incite violence and interfere in elections. To be sure, there is nothing wrong with a company looking to monetise its biggest asset, which, in the case of Facebook, is the trove of data from its 2.27 billion users around the world. But the company has consistently asserted that it does not sell data to advertisers or anyone, as founder Mark Zuckerberg told members of the US Congress.

Yet, the privacy lapses at Facebook are only one of the risks faced by just about everyone who has an internet connection. In fact, in September, Facebook disclosed that 50 million user accounts were compromised in an attack that gave hackers the ability to take control of the accounts. More recently, the hack into the computer systems of the Marriott International hotel group exposed the private data of half a billion people around the world.

Indeed, cyberattacks, whether believed to have been state-sponsored or otherwise, have been in the news for much of 2018. Major public and private organisations alike have seen breaches of their systems and databases. While there appears to be a ramping-up of attacks, Barry Greene, principal architect at content delivery network Akamai Technologies, says hacks have been going on for years; people have simply been blissfully unaware.

“The problem has always been there, just that the reporting isn’t out. What’s happened is that different countries have adopted new regulations for reporting,” Greene explains. “For instance, you’ll see more reports of breaches [in Singapore] than [in other countries] in the region because [they have] adopted rules from the Sarbanes-Oxley [Act], which requires certain levels of reporting for listed companies in the US,” he says.

Industry experts and organisations say attacks and data breaches are all but inevitable. In fact, by year-end, it would be hard to find someone who has not had at least one piece of personal information — whether name, gender, address or credit card number — stolen or exposed. What more can be expected in 2019?

Complacency, organisational inertia the new virus

In Singapore, the largest breach the country has seen occurred in July, when the personal data of 1.5 million people, including Prime Minister Lee Hsien Loong, was stolen from the SingHealth database.

As the nation reeled from the discovery, questions were asked about the timeline of the incident, specifically why it took the Ministry of Health so long to publicly disclose the breach. The breach took place on June 27 and was discovered on July 4. But the public was only informed on July 20. Furthermore, statements made by the head of the Cyber Security Agency of Singapore, David Koh — that the information stolen, including names, dates of birth and National Registration Identity Card numbers, was only “basic demographic data” — were even more puzzling. On July 24, the Monetary Authority of Singapore issued an advisory to banks, asking them to tighten their customer verification process in the light of the breach.

More details of the breach have emerged as the government convened a Committee of Inquiry (COI) to look into the event. Significantly, the main cause of the lengthy lapse between the breach and the alert to the Cyber Security Agency (CSA) of Singapore was the reluctance of Integrated Health Information Systems senior manager Ernest Tan to report the suspicious network activity to his superiors. IHiS manages and integrates Singapore’s healthcare IT systems.

During a hearing on Oct 31, Tan said he felt there would be “no day, no night” for him and his colleagues once the matter was reported, meaning they would likely be working around the clock to provide information and updates to their superiors.

The COI also heard there was doubt over the ownership of the healthcare database, which meant the management of it was unclear. Also, the database had not been tested for vulnerabilities despite it being considered part of critical information infrastructure. And there was no formal protocol for IHiS staff to follow in the event of a cyberattack.

“The culture in the region is not to report bad news unless [you] have to. Now, what you are seeing is the impact of laws and regulations as they roll into the region,” Akamai’s Greene says. “My personal experience is that I see tons of nasty stuff in the region; it just hasn’t been talked about.”

Whatever the case, cybersecurity has come to the fore in Singapore, and efforts to secure critical infrastructure have been stepped up. The Cybersecurity Act, legislated in March, identifies critical information infrastructure in sectors such as security and emergency services, and the government. Under the Act, the Commissioner of Cybersecurity has the power to issue directions to owners of critical information infrastructure to ensure its cybersecurity; establish a framework for companies to share cybersecurity information; and authorise the CSA to prevent and respond to threats and attacks.

Meanwhile, the public sector has implemented measures such as internet separation at workstations, although this approach has flaws, too. For one, experts note that this could result in higher security risks, as devices’ firmware has to be updated manually, rather than automatically by the manufacturer or developer over the internet.

The Monetary Authority of Singapore recently launched a $30 million Cybersecurity Capabilities grant to help strengthen the cyber resilience of the financial sector, as well as develop cybersecurity talent. The grant will co-fund up to 50% of qualifying expenses, capped at $3 million.

Connected to lives

These efforts become even more important in the light of Singapore’s Smart Nation ambitions, which include the nationwide collection and analysis of people’s data, using sensors and the Internet of Things (IoT), in a bid to make citizens’ lives easier. As the volume of data traffic grows, there are more opportunities for attackers to get into the system.

For the full article, click here: https://www.theedgesingapore.com/securing-your-data-only-going-get-more-challenging