Increase in number of data incidents reported within Government, majority due to human error: SNDGO
SINGAPORE: More data incidents have been reported within Government, the Smart Nation and Digital Government Office (SNDGO) said in a release on Wednesday (Nov 11).
A total of 75 data incidents were reported in Financial Year (FY) 2019, a 47 per cent increase from the 51 incidents in FY 2018. Thirty-seven incidents were reported in the first half of FY 2020 up to Sep 30, similar to the same period in the previous financial year.
The majority of incidents reported were due to human error, SNDGO said, including inadvertently emailing sensitive data to the wrong recipients and misplacing IT equipment containing sensitive data.
Another main cause of the incidents was a failure to follow established processes to secure data, SNDGO said, including deploying software containing bugs to save time, which could have led to a breach.
"Most of the incidents were assessed to not have significant impact on the agency or individuals affected as protection measures had been put in place to mitigate the risk of data breach," it said.
"For example, the misplaced IT equipment were encrypted; the sensitive data contained therein would not be usable to unauthorised users who attempt to extract data from these devices."
READ: Government accepts 5 measures to improve data security, to set up single contact for public to report breaches
This comes as SNDGO said it has implemented 18 out of 24 key initiatives recommended by the Public Sector Data Review Committee in findings released in November last year.
The committee, which inspected 336 systems across 94 public sector agencies, found that about three-quarters of agencies had at least one finding of non-compliance with a government manual on data policies and standards.
The initiatives implemented include improving audit and third-party management frameworks, enhancing processes to respond to data incidents in a timely manner, and strengthening data security accountability at every level.
"We are on track to implement the remaining technical measures as planned - 80 per cent of the systems will be covered by the end of 2021 and all systems by the end of 2023," SNDGO said.
These measures include tools that prevent the loss of sensitive data across government systems and devices, and automate user account management to ensure regular and timely reviews of access to IT systems containing sensitive data.
INCREASE IN REPORTED DATA INCIDENTS IN LINE WITH GLOBAL TRENDS
SNDGO said the increase in reported incidents was "in tandem" with the trends seen in the private sector and globally, which have seen a "general increase" in data incidents.
"The increase in the number of data incidents reported can be partly attributed to greater awareness, vigilance and an improved understanding among public officers of what constitutes a data incident," it added.
"Public officers are regularly engaged on data security measures to build a culture of learning and heightened awareness."
SNDGO said the Government will continue to invest in technical tools as a first line of defence against data compromises.
This includes a whole-of-government data loss prevention (DLP) programme, which will be integrated into the ICT systems and user devices, and be completed by the end of next year.
An ICT system comprises hardware, software, data and the people who use them.
The DLP programme will address common causes of data incidents in the public sector, such as the unintentional transfer of documents containing sensitive data during bulk data transfers.
It will use a combination of technical and process controls to detect risky user actions that might result in data loss and guide the users to take the appropriate actions.
For instance, when a public officer tries to extract sensitive data from his work laptop using authorised storage media, the DLP tool will highlight this risky activity and require the officer to affirm the action before proceeding.
MORE MUST BE DONE TO TACKLE HUMAN ERROR
Nevertheless, SNDGO said in its report update on the Government's personal data protection efforts this year that "more must also be done to tackle the root cause of human error".
"While the policies and processes on handling sensitive data are generally sound, many of the data incidents occurred because officers failed to follow these established procedures and protocols," it said.
"The officers found responsible for these data incidents had been duly disciplined, with punitive measures ranging from counselling and formal reprimands, to financial penalties."
In one unintentional data disclosure incident that took place from June to October 2019, officers and supervisors from the Singapore Accountancy Commission (SAC) were disciplined through formal warning letters or financial penalties of up to half a month's pay.
An SAC officer had unknowingly attached a file containing personal information of 6,541 individuals, including contact details and examination results, in emails that were sent to 41 people in 22 organisations, SNDGO said.
An email data protection tool implemented in October 2019 had alerted the sender that the email contained sensitive data.
"SAC immediately rectified the mistake and prevented further unauthorised disclosure of the data," the SNDGO report said.
"SAC also convened a committee to inquire into the incident and make recommendations to improve the organisation’s personal data protection practices."
DISCIPLINARY ACTIONS INSUFFICIENT
Despite that, SNDGO said in its report that disciplinary actions were not enough, adding that there was a need to ensure public officers better understand the importance of data security.
Next year, the Government will ramp up efforts to increase data security awareness and knowledge among public officers, including embarking on "more intensive" campaigns to engage officers on data security and sharing lessons learnt from past data incidents in newsletters and at workshop.
"Starting in 2021, the Government will conduct regular ICT and data incident management exercises for public agencies and public officers to practice and improve their incident management processes," SNDGO said.
"These are first steps towards inculcating a culture of excellence in sharing and using data securely, which will require sustained efforts across many years at all levels of the organisation."