Analysis: SG govt to fine brands caught in data breaches

The Singapore government has proposed to issue a fine of up to 10% of a company’s annual turnover in Singapore, or SG$1 million (whichever is higher), should a company be found guilty of a data breach. This comes following a slew of data breaches in recent months from companies such as ShopBack, Razer, RedDoorz, and Shopify. The local government has also had several data breach lapses in recent times, including the leak of over 800,000 blood donors' personal particulars due to mishandling of data by a vendor of the Health Sciences Authority.

The rise in data breaches has been prevalent in recent years, according to Yeo Siang Tiong, general manager for Southeast Asia at Kaspersky. Citing its own data, Yeo said phishing attacks targeting businesses in Singapore have increased by 61% from 55,653 in the first half of 2019 to 89,351 in the same period in 2020. He added that Singapore is not the only country witnessing this rise, with similar patterns of growth tracked across other countries such as Indonesia, Malaysia, the Philippines, Thailand and Vietnam. “Considering that phishing attacks are often conducted with the purpose of stealing user data and gaining access to accounts, such statistics lend credibility to the observation that we are seeing more data breaches happening in recent years,” Yeo said.

Moreover, the rise of eCommerce nowadays means there is a “wealth of customer data” available online for cybercriminals to harvest. Therefore, Yeo said there is “an urgent need” for brands to enhance their cybersecurity posture.

As more brands look to digitise their offerings at a rapid pace, companies need to embrace an adaptive, proactive approach to security rather than a reactive one. They need to be ready before an attack happens by ensuring their security and systems are up to date by performing regular audits, and of course, conducting regular security training sessions for their staff.

“Awareness matters. The biggest cyberattacks usually start with the simplest human error. Data breaches can occur when an employee opens phishing emails, or leaves sensitive data lying around in their personal devices that are not properly secured,” he said, adding:

Companies should never neglect the human element of cybersecurity.

Yeo added that in its recent report, 68% of the respondents said they use their own computers to conduct official business. When employees use their own computers to process corporate data or access the IT server off-site, there is a risk of others gaining access to confidential information through those personal devices. As a result, employees may end up becoming the weakest link in a brand’s cybersecurity infrastructure. Data breaches can occur at any brand running a business in any sector. Naming Sephora, Sakae Sushi and Malindo Air, Yeo added that no specific brand, regardless of the industry they operate in, can safely say that they are less vulnerable to data breaches.

Agreeing that all brands are equally vulnerable to cyberattacks is Kerry Singleton, managing director, cybersecurity, Asia Pacific, Japan and China, at Cisco. Although he acknowledges that smaller businesses can sometimes be an easier target as they may not have the enterprise-class security built in, Singleton is of the view that no businesses are spared from being a potential target.

“Today, any company that requires an internet or VPN connection and involves customer information has a chance of falling prey to a data breach,” he said, adding:

The saying of “not if, but when” applies to cybersecurity.

The right question for brands to ask is not whether they have been attacked but whether they will know when they are being attacked, Singleton said. Besides guarding a brand’s own security systems, Singleton said there needs to be an increased focus on ensuring that collaboration platforms used also have adequate levels of security built into them. “Anyone using these tools should be secure by default, without the burden of having to configure specific settings,” he added. Moreover, hackers often try to exploit known vulnerabilities such as out-of-date devices, cloud applications and remote access software to target users. Hence, as more people work and learn from home, brands should put in place controls to keep devices and software patched and up to date.

Cybersecurity is not an afterthought; it needs to be foundational to any digitalisation effort.

“It is important for security teams to have visibility across the network, endpoints and cloud, and know exactly which user and devices are connecting to which applications, when,” Singleton said. He added that another preventive measure companies can take is to use multi-factor authentication, on top of usernames and passwords, to authenticate users before they are granted access to systems and platforms.

What brands should do if attacked

If involved in a data breach, Singleton said the most important thing is to remain calm and alert your security team. They will be able to assess the level of attack, block it to prevent further penetration and apply segmentation as required. He also recommends engaging a third-party firm that specialises in breach response, adding that many organisations already have firms on retainer, or at least identified as vendors to work with.

If there are any third parties that are impacted, businesses should be prepared to communicate the data breach clearly and honestly. An open response can help mitigate any brand damage. “Trying to be evasive will have a negative impact especially with partners who may have been affected directly or indirectly,” Singleton said. Businesses could also consider cyber insurance and look to managed security services partners that can help them resource it.

Taking a similar stance, Kaspersky’s Yeo said companies should communicate with their staff, vendors and customers in an open and prompt manner and provide them with regular updates about the breach. Running concurrently with this, an initial assessment should be conducted to assess the following:

  • Cause of the data breach and whether the breach is still ongoing;
  • Number of affected individuals;
  • Type(s) of personal data involved;
  • The affected systems and/or services;
  • Whether help is required.

After this assessment, companies would have a better idea of which systems are compromised and decide whether to isolate or shut down the compromised system, in addition to changing any access rights as required. Companies are also required to report the breach to authorities and conduct a fuller assessment of the data breach. Over time, the full report will allow them to understand where the gaps lie in their IT system, and they should take proactive steps to ensure that the risks of data breaches are minimised, Yeo said.

Scaling up cybersecurity may mean some additional cost on brands, but Yeo stressed that while some solutions can be expensive, it is equally important to remember that the cost for overlooking this will only grow as businesses scale up over time.

Should brands wish to digitalise on a lower budget, a good starting point would be to focus on the human element of cybersecurity and ensure employees are equipped with cyber hygiene skills and practices.

Meanwhile, Singleton is of the view that businesses should never trade off security and privacy for convenience and simplicity, especially when adopting any new collaboration tools or cloud solutions. Additionally, he advised brands to ensure that any security solutions they adopt are adopted through a simplified and systematic approach in which solutions act as a team, and learn, listen and respond as a coordinated unit.

“Traditionally companies have taken the approach of introducing new cybersecurity solutions every time they discover a new issue. While some of these solutions may be very good in addressing a specific issue, they often don’t work well with each other. As a result, they only serve to increase the complexity of a company’s cybersecurity setup and introduce potential points of failure,” he added.

(Photo courtesy: 123RF)
