The hacking of SingHealth’s database on June 2018, labelled as Singapore’s worst Cyber-Attack, was brought back into the spotlight as the Committee of Inquiry (COI) investigating the case recently put forward a series of recommendations in its published public report.
What Lessons can we all take away?
Customers’ data are increasingly being stored in digital spaces. Failure to give proper due diligence to your company’s IT Policy is akin to a tickling time-bomb for a potential Cyber-Attack. When a Cyber-Attack happens, it results in high legal costs and loss of trust from your customers. Hence, to remain always accountable and responsible to its customers, a business should place great importance on reviewing its IT Strategy.
From the series of recommendations brought forward by the COI, we have distilled it into simple, actionable steps that any general business can and should take to bolster its IT Security.
Vigilant Employees
The first line of Defence against Cyber-Attacks is the end-users. Thus, companies should implement regular security awareness programmes to educate staffs on common tactics hackers employ such as phishing emails and ransomware. In addition, it is highly recommended that a follow-up evaluation of their level of awareness through a simulated Cyber-Attack be conducted.
Ultimately, staffs should recognize that collectively maintaining high vigilance acts as an effective first line of Defence against Cyber-Threats.
Infrastructure Policy
Even as General Businesses plan to outsource their IT needs, they should also keep an eye on their IT security infrastructure and ensure that their IT security is being optimally managed. A few signs to look out for are:
Ensure software, Operating Systems and anti-virus are updated with the latest security patch
Tighter controls and monitoring over accounts with Admin privileges such as enabling Two-factor authentication (2FA) for their accounts
Enforcing strong password policies
Response Policy
It is important have a Business Continuity Plan and proper Standard Operating Procedures (SOPs) in preparation of a Cyber-Breach.
Generally, it should include elements of timely incident reporting, proper investigation and clear action plan to defend IT systems from the intrusion.
In addition, companies should conduct a Table-Top Exercise (TTX) to ensure that SOPs are practical and followed through. Hence, there is the element of Damage-Control to prevent hackers from stealing more information.
When it comes to Cyber-Attacks, it is not if, but when the next attack occurs.
With a strong company culture of ensuring a high standard of Cyber-Hygiene, an infrastructure policy that is constantly reviewed and checked for vulnerabilities and a set of SOPs in case of a Cyber-Attack incident, companies would be well-positioned to deal with future Cyber-Attacks.