by Andy Prakash, founder of Privacy Ninja
The increasing pervasiveness of online activities have led to a greater demand for interconnectivity. This environment is more apparent in nations such as Singapore where there is extensive internet connectivity and the citizens are digitally knowledgeable. Thanks to the Singapore government’s unrelenting drive for its Smart Nation initiative, both public and private organisations have also been working towards a digitally inclusive and interconnected space.
Recently, for instance, one of the three thrusts included in Singapore’s Cyberspace Masterplan 2020 is geared towards empowering the cyber-savvy population. And only a few days ago, the Government Technology Agency of Singapore (GovTech) launched a digital signature feature on the SingPass mobile app to provide “greater convenience” for its more than 2.1 million users, enabling them to sign digital documents in less than two minutes.
This interconnectivity of platforms and devices create a seamless experience for the modern user, inadvertently blurring the digital boundaries of work and personal assets. Taking this a step further, the current work-from-home scenario has blurred the lines even more, with organisations having less visibility on the handling or sharing of business data, or the security of their digital assets and those of their employees.
When the weakest link is breached.
Sometime ago, a textile company woke up to the news that its digital assets got compromised. The culprit? Its Mailchimp account. This could have been prevented if the company had invested in getting individual accounts for its employees rather than letting them share only one account. Additionally, the organisation should have maintained good cybersecurity hygiene by undertaking regular pen testing and vulnerability assessment for its system.
The implications of unregulated, unprotected interconnectivity are worrisome and disastrous. It should be noted that as the global cyber landscape evolves, cyber threats have also surged.
Organisations, therefore, cannot be complacent, as weak links in the interconnected digital chain become candidates for cyber attacks, leading to loss of profit and credibility from their clients and stakeholders. The average cost of a cybersecurity attack in Singapore, according to McAfee findings, stands at approximately S$1.7 million per breach.
Sadly, cybersecurity and compliance are often regarded as mere afterthoughts.
If the August data breach cases were any indication, many organisations seem to regard cybersecurity hygiene and compliance as mere afterthoughts. Big firms that have the capacity to invest in topnotch cybersecurity and compliance practices, have been found wanting in these areas.
For instance, FWD Singapore failed to properly deal with the manual review of its logic error and unit testing in the system, resulting in data breach. A more thorough cybersecurity testing coupled with the meticulous auditing of a personnel such as a Data Protection Officer (DPO) could have prevented such an incident.
Another organisation, the Singapore Accountancy Commission, also erred on the side of insufficient processing of personal data protection when it mistakenly emailed unintended recipients a folder containing personal data of 6,541 Singapore Chartered Accountant Qualification programme personnel and candidates. Again, the company’s data protection policies and procedures, as well as their cybersecurity measures, were not translated into viable security arrangements.
If businesses ever hope to get ahead of the threat, a cybersecurity leader urges that cybersecurity must be established as a key value enabler.
Clearer rules, stiffer penalties.
On October 5, a proposed amendment to the Personal Data Protection Act (PDPA) was introduced in Parliament to bolster data protection standards and enforcement. If implemented, an organisation found guilty of a data breach can be fined up to 10 per cent of its annual turnover in Singapore.
Other proposed changes include making it compulsory for organisations to notify the Personal Data Protection Commission (PDPC) of data breaches that are likely to harm the individuals. Moreover, organisations are also required to notify individuals affected so that they can take the necessary steps to safeguard their privacy where applicable.
The benefits and methods of data privacy compliance and cybersecurity.
Getting into the routine of data privacy compliance and better cybersecurity hygiene is more than just about avoiding hefty penalties for your organisation. It is also about building your company’s credibility among employees, customers, and stakeholders. Surveys have indicated that individuals highly regard the proper handling of their data and will react negatively to any sign of breach or mishandling from organisations.
Data privacy compliance is achieved through having an in-depth understanding of this concept in its entirety – definition of terms, rules and obligations, to name a few. Also, hiring a Data Protection Officer (DPO) as mandated by law ensures that someone will be responsible in maintaining and evaluating your company’s implementing policies and processes for handling personal data.
In the digital world, data protection is not attainable if the organisation doesn’t apply good cybersecurity hygiene. This includes using the right tools, adding security layers, and being thorough in practicing and activating essential steps to ensure your system is always protected. Akin to humans undergoing regular health checkups, an organisation’s infrastructure must also undergo regular vulnerability assessment and penetration testing. This is to ensure that your system is safeguarded against possible attacks from external forces, and against possible missteps from internal factors.
Adhering to compliance and cybersecurity hygiene: a win-win situation.
The future of the digital world is a safer cyberspace and in Singapore, this was recently accentuated through the announcement of the nation’s Safer Cyberspace Masterplan 2020. This points to a future where individuals are more knowledgeable about their rights to data privacy, rules are clearer, and where organisations have to be more proactive in their adherence to the PDPA compliance and good cybersecurity practices. With more stringent rules set in place, we can avoid the dire consequences of committing errors in this space.
Therefore, it is not an exaggeration to say that the best time to kick starting the habit of compliance and implementing better cybersecurity hygiene for your organisation is now. Ensuring that your organisation’s digital health is in excellent condition boosts your business credibility and establishes your continuity in the data-driven world.
Seeing a lapse in the Data Protection industry, Andy Prakash started Privacy Ninja, providing Data Protection Consultancy, training, audit and Outsourced DPO services. He is the designated Data Protection Officer for numerous companies and handles Data Protection matters on a day to day basis. He also co-founded AntiHACK.me, Singapore’s first bug bounty platform, working with white hat hackers to identify and report vulnerabilities in businesses’ websites, mobile applications and systems.