The increasing pervasiveness of online activities has led to a greater demand for interconnectivity. This environment is more apparent in nations such as Singapore, where there is extensive internet connectivity and citizens are digitally well-versed. Thanks to the Singapore government’s unrelenting drive for its Smart Nation initiative, both public and private organisations have also been working towards a digitally inclusive and interconnected space.
Recently, for instance, one of the three thrusts included in Singapore’s Cyberspace Masterplan 2020 is geared towards empowering the cyber-savvy population. And only two months ago, the Government Technology Agency of Singapore (GovTech) launched a digital signature feature on the SingPass mobile app to provide “greater convenience” to its more than 2.1 million users. The feature will enable users to sign digital documents in less than two minutes.
This interconnectivity of platforms and devices creates a seamless experience for the modern user, inadvertently blurring the digital boundaries of work and personal assets. Taking this a step further, the current work-from-home scenario has blurred the lines even more. Organisations now have less visibility on the handling or sharing of business data, or the security of their digital assets and those of their employees.
When the weakest link is breached
Some time ago, a textile company woke up to the news that its digital assets were compromised. The culprit? Its Mailchimp account. This could have been prevented if the company had invested in securing individual accounts for its employees rather than letting them share only one account. Additionally, the organisation should have maintained good cybersecurity hygiene by undertaking regular pen testing and vulnerability assessment for its systems.
The implications of unregulated, unprotected interconnectivity are worrisome and disastrous. It should be noted that as the global cyber landscape evolves, cyber threats have also surged.
Organisations, therefore, cannot be complacent, as weak links in the interconnected digital chain become candidates for cyberattacks, leading to loss of profit and credibility from their clients and stakeholders. The average cost of a cybersecurity attack in Singapore, according to McAfee findings, stands at approximately S$1.7 million per breach.
Cybersecurity and compliance are often mere afterthoughts
If the August data breach cases were any indication, many organisations seem to regard cybersecurity hygiene and compliance as mere afterthoughts. Big firms, which have the capacity to invest in top-notch cybersecurity and compliance practices, have been found wanting in these areas.
For instance, a top online insurance company in Singapore failed to properly carry out manual review for logic errors and unit testing of its system, resulting in a data breach. More thorough cybersecurity testing, coupled with meticulous auditing by personnel such as a Data Protection Officer, could have prevented such an incident.
A government organisation in Singapore likewise fell short on personal data protection when it mistakenly emailed unintended recipients a folder containing the personal data of 6,541 of its programme personnel and candidates. Again, the organisation’s data protection policies and procedures, as well as its cybersecurity measures, were not translated into viable security arrangements.
If businesses hope to get ahead of the threat, a cybersecurity leader urges that cybersecurity must be established as a key value enabler.
Clearer rules, stiffer penalties
On 5 October 2020, a proposed amendment to the Personal Data Protection Act (PDPA) was introduced in Parliament to bolster data protection standards and enforcement. If implemented, an organisation found guilty of a data breach can be fined up to 10% of its annual turnover in Singapore.
Other proposed changes include making it compulsory for organisations to notify the Personal Data Protection Commission (PDPC) of data breaches that are likely to harm individuals. Moreover, organisations would also be required to notify the individuals affected so that they can take the necessary steps to safeguard their privacy where applicable.
Benefits and methods of data privacy compliance and cybersecurity
Getting into the routine of data privacy compliance and better cybersecurity hygiene is more than just about avoiding hefty penalties for your organisation. It is also about building your company’s credibility among employees, customers and stakeholders. Surveys have indicated that individuals hold proper handling of their data in high regard and will react negatively to any signs of breach or mishandling from organisations.
Data privacy compliance is achieved through an in-depth understanding of the concept, such as its definition of terms, rules and obligations, to name a few. In addition, hiring a Data Protection Officer as mandated by law ensures accountability. A designated individual is then responsible for maintaining and evaluating the policies and processes your company implements for handling personal data.
In the digital world, data protection is not attainable if the organisation doesn’t apply good cybersecurity hygiene. This includes using the right tools, adding security layers, and being thorough in practicing and activating essential steps to ensure your system is always protected. Akin to humans undergoing regular health checkups, an organisation’s infrastructure must also undergo regular vulnerability assessment and penetration testing. This is to ensure your system is safeguarded against possible attacks from external forces, and against possible missteps from internal factors.
Adhering to compliance and cybersecurity hygiene: a win-win situation
The future of the digital world is a safer cyberspace, and in Singapore, this was recently accentuated through the announcement of the nation’s Safer Cyberspace Masterplan 2020. This points to a future where individuals are more knowledgeable about their rights to data privacy, rules are clearer, and organisations have to be more proactive in adhering to PDPA compliance and good cybersecurity practices. With more stringent rules set in place, the dire consequences of committing errors in this space can be avoided.
It is, therefore, not an exaggeration to say that the best time to kickstart the habit of compliance and implementing better cybersecurity hygiene for your organisation is now. Ensuring that your organisation’s digital health is in excellent condition boosts your business credibility and establishes your continuity in a data-driven world.
Andy Prakash co-founded AntiHACK.me, Singapore’s first bug bounty platform, working with the top community of whitehat hackers to identify and report vulnerabilities in businesses’ websites, mobile applications and systems. As the Chief Information Officer, he has given speeches and conducted masterclasses for ACE startups, co-working spaces, Echelon by e27 (2019), Chamber of Commerce and even Interpol 2019. Seeing a lapse in the Data Protection industry, Andy started Privacy Ninja, providing Data Protection Consultancy, training, audit and Outsourced DPO services. He is the designated Data Protection Officer for numerous companies in Singapore and handles Data Protection matters on a day-to-day basis.