Government agencies have fixed 80% of high-risk data security issues found in review: SNDGG
SINGAPORE: Government agencies have rectified about 80 per cent of "high-risk" data security issues that were found in a recent review, and work is under way to introduce new systems to improve user access security, the Smart Nation and Digital Government Group (SNDGG) told CNA.
Findings of the review were released last November, after a Public Sector Data Review Committee inspected 336 systems across 94 public sector agencies. It was part of a major review to better protect the public's personal data.
In its report, the committee said that about three-quarters of agencies had at least one finding of non-compliance with a government manual on data policies and standards.
Sixty-four per cent of agencies were rated “low-risk”, 23 per cent were rated “medium-risk” and the remaining 13 per cent were rated “high-risk”.
The most common shortcomings found were in the management and monitoring of privileged user accounts, user access reviews, as well as the encryption of emails with highly sensitive data.
The committee's report did not state which agencies fell under these categories.
The Prime Minister’s Office had announced in March last year that it was forming the committee following several public data breaches.
In July 2018, 1.5 million SingHealth patients’ records – including those of Prime Minister Lee Hsien Loong – were accessed and copied, in what was the most serious breach of personal data in Singapore’s history.
EMAIL ENCRYPTION A TOP PRIORITY
A representative from cybersecurity firm Kaspersky told CNA that the encryption of emails with highly sensitive data should take “top priority”, given that emails are agencies’ preferred mode of communication in today’s digital age.
"Encryption is the basic building block of data security and it is the simplest and most important to ensure that sensitive data does not get stolen and read by someone who may use it for illegal purposes," said Mr Yeo Siang Tiong, Southeast Asia general manager at Kaspersky.
Safeguarding email communications is also "paramount" to mitigating the risk of data breaches, Mr Yeo added, citing a Deloitte report that said 91 per cent of all cyberattacks begin with a phishing email.
A user infected with malware can allow attackers to intercept and read emails en route from sender to recipient, before extracting any sensitive content, a report by Scarfone Cybersecurity explained.
Following the committee’s findings, the Government has implemented various measures like the use of tools that require public officers to acknowledge and confirm the sending of emails containing sensitive data, said an SNDGG spokesperson.
They are also required to digitally sign and password protect sensitive documents to ensure data in transit are not maliciously modified.
In addition, officers must securely distribute passwords through a separate channel, and use data-sharing platforms like the Singapore Government Document Collaboration to securely send and access sensitive data documents.
Since the committee’s report was released, more than 65 per cent of agencies with at least one finding of non-compliance have rectified them, said the spokesperson.
The fixes are validated by the Government Technology Agency, which together with the Smart Nation Digital Government Office make up SNDGG.
Most instances of non-compliance are expected to be rectified by the end of 2021, said SNDGG, except for those related to the updating of user access rights, which includes removing access rights of inactive users.
This will take until end-2023 or end-2024 to implement, as new central systems are needed to automate the checking of user access rights, the spokesperson added.
"Meanwhile, agencies have put in place other mitigating controls, such as 2-factor authentication (2FA), encryption of sensitive data and monitoring of data access logs, to manage the attendant data security risks to ensure that data is secure," the spokesperson stated.
Kaspersky’s Mr Yeo said the measures "can be quite effective" as a system of information security checks and balances, and are in line with industry best practices.
However, the use of SMS-based 2FA can sometimes be unreliable, he warned, as text messages can be intercepted by a Trojan virus inside the smartphone, or through a basic flaw in the protocol used to transmit the messages.
"In such cases, it would be advisable to use authenticator apps which are entirely self-contained, with the SMS option used only as a last resort to minimise an organisation’s exposure to data breaches," he added.
NON-PRODUCTION ENVIRONMENTS COULD BE VULNERABLE
Mr Yeo said the management of extraction of production data to non-production environments is "another key item of non-compliance to pay attention to".
Production data refer to actual data stored in a system, like personal details. Non-production environments refer to offline systems used during testing and development to prevent interruption to users.
A report by cybersecurity consultancy UpGuard gave an example of how these two could meet: occasionally, production data are loaded in a non-production environment to help debug a complex issue.
A hacker could exploit this by gaining access to the non-production environment and stealing the production data, the report said.
"Today, a lot of the proprietary data generated and accumulated by organisations are often shared with non-production environments for data analytics, development and other purposes," Mr Yeo added.
"While most production environments have established security protocols, the same kind of protocols might not be applicable in a different environment and this creates a vulnerability that could be exploited by cybercriminals."
CYBERSECURITY EDUCATION KEY TO RESPONSIBLE USER ACCESS
As for user access reviews and the management of privileged user accounts, Mr Yeo said users should be educated on cybersecurity best practices, pointing out that human error appears to be the "greatest cause" of cybersecurity breaches.
Users should know not to click on email attachments from unknown senders, avoid the use of unsecured Wi-Fi networks on organisation devices, and adhere to an IT code of conduct, he noted.
In its review, the Public Sector Data Review Committee had recommended that officers attend improved data security training every year.
Mr Yeo cautioned that training could become a "rather mundane and ‘tick the box’ activity for organisations", adding that it should consider how people naturally think and be tailored to different roles.
"Given that employees in the civil service have differing levels of data access and work in different roles, it is important to consider implementing a holistic adaptive framework to cybersecurity education," he added.
"All three attributes of people, process and technology play a key role in minimising any data breaches arising from user access and the misuse of user privileges."
INACTIVE USERS HAVING ACCESS A CONCERN
This is also why the updating of user access rights is an area of concern, Mr Yeo said. Under this category of findings, the committee found delays in the removal of access rights of inactive users.
A Kaspersky report released last year showed that one-third of employees continue to have access to files and documents from their previous employers.
"When applied to the context of civil service in Singapore where employees often take up roles in different departments, the updating of user access rights is rightfully a key area of concern where there is a greater need to safeguard sensitive and confidential data that might carry implications for national security," Mr Yeo said.
"Some potential risks to data security include former employees using the data for their own purposes, selling it to interested individuals who are keen to harm the national interest, as well as the fairly innocuous act of corrupting or deleting files by accident on the network."
Fixing these issues effectively would require a "re-architecture" of existing systems, the SNDGG spokesperson said.
He added that a central identity and access management system will be completed by end-2023 for priority systems, with the remaining systems scheduled for completion by end-2024.
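The automated user access review described above (flagging inactive users and the delayed removal of their access rights, with extra attention to privileged accounts) can be illustrated with a small script. This is an added example, not code from SNDGG or any government system; the account-export format, the 90-day inactivity threshold and the sample records are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed sample account export (hypothetical format): one record per account.
ACCOUNTS = [
    {"user": "alice", "last_login": "2021-03-01", "privileged": False, "active_employee": True},
    {"user": "bob",   "last_login": "2020-09-15", "privileged": True,  "active_employee": True},
    {"user": "carol", "last_login": "2021-02-20", "privileged": True,  "active_employee": False},
    {"user": "dave",  "last_login": None,         "privileged": False, "active_employee": True},
]


def review_access(accounts, today_iso, inactive_days=90):
    """Return a dict of user -> list of findings for accounts whose access should be revoked or reviewed.

    today_iso is the review date as an ISO string (YYYY-MM-DD). An account is flagged when
    the person has left the organisation, when it has not logged in within inactive_days
    (never-used accounts count as inactive), and any flagged privileged account is escalated.
    """
    today = date.fromisoformat(today_iso)
    cutoff = today - timedelta(days=inactive_days)
    findings = {}
    for acct in accounts:
        reasons = []
        if not acct["active_employee"]:
            reasons.append("left organisation: revoke")
        last = acct["last_login"]
        if last is None or date.fromisoformat(last) < cutoff:
            reasons.append(f"inactive > {inactive_days} days")
        if acct["privileged"] and reasons:
            # Privileged accounts with a finding get escalated rather than just queued.
            reasons.append("privileged account: escalate")
        if reasons:
            findings[acct["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in review_access(ACCOUNTS, "2021-03-15").items():
        print(f"{user}: {'; '.join(reasons)}")
```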
"Some possible challenges in this pertain to the systems’ ability to simplify communication processes across a complex and interconnected system that is expected to monitor and update user access rights on an ongoing basis," Mr Yeo explained.
"Generally, this would involve multiple testing phases to ensure that the system is able to deal with the heavy flow of information and compliant with data security measures before it can be officially utilised."
Nevertheless, the agencies have made "quite encouraging" progress on fixing the instances of non-compliance, Mr Yeo said, although he added that both users and processes need to keep up with the technical improvements.
"While it is easier for an organisation to implement the latest cybersecurity technologies, how quick these non-compliances are patched up will also depend on how fast people and processes adapt as well," he said.