PDPA guidelines -
key amendments in 2018
PDPA guidelines -
key amendments in 2018
Safeguard your critical information against data breaches for the forthcoming of PDPA amendments.
Singapore’s high level of connectivity also translates to a corresponding level of vulnerability. It’s a common misbelief that small to medium-size enterprises (SMEs) will get passed over from cyber attacks. In reality, smaller companies are easier victims because they often lack the resources, expertise and technical capability to defend themselves against cyber crimes.
One in three SMEs experienced a ransomware attack in 2016i, and the reported cases spiked by almost 10 times from the previous year.
About 21 per cent of those who had been hit by ransomware had to cease all business operations immediately, while 11 per cent lost revenue as a direct result of the attack.
SMEs also tend to fall victim to website defacements. Out of the 1,750 website defacements reported in 2016, majority of the affected websites belonged to SMEs from a range of businesses, including interior design, logistics, manufacturing and construction.ii
Business email scams were one of the top cyber threats amongst SMEs, with millions of dollars lost through phishing scams.iii43 per cent of security incidents reported to SingCERT by individuals and SMEs occurred through phishing attacks. Cyber criminals may attack SMEs as a means of getting to larger corporations, to which SMEs are suppliers.iv
With a growing trend of such data breaches, a data protection regime, named the Personal Data Protection Act (PDPA), came into effect in 2014 to regulate the collection, use and disclosure of personal data. Since then, the digital landscape has been constantly evolving. To ensure Singapore stays in step, proposed amendments on the PDPA under Protection Obligation will be rolled out in the near future to provide greater transparency when data breaches occur.
Implementation of Mandatory Breach Notification Regime
Due to heightened cyber threats and impact of data breaches, it will be mandatory for businesses to inform the affected customers and the Personal Data Protection Commission (PDPC) of a data breach that poses any risk of impact or harm. For instance, a data breach that involves personal data such as NRIC number, health information, financial information or passwords would be required to go through the breach notification procedure.
Failure to meet the new obligations can be costly, not just in terms of monetary penalties but also business reputational damage. Therefore it is indispensable to strategise a comprehensive data breach response plan that will prepare your business for the inevitable.
Some quick steps for better data breach response management include:
- Introduce standard operating procedures when a breach occurs.
- Train your respective employees and ensure they are fully aware of their responsibilities and the action steps required.
- Have a draft notification on standby so that your team can respond promptly. Also consider the channels in which the notifications will be sent to customers.
- Review contracts with your third party service providers who hold personal information for your business to ensure they contain privacy and data breach notification obligations as well.
"It is impossible to prevent successful attacks 100 per cent of the time. As Singapore pursues its plans to build a Smart Nation, we cannot afford to ignore the threats that come with it," said David Koh, CSA chief executive.v
With that said, prevention is better than cure. It is fundamental that SMEs breach-proof their data by ensuring that security practices are properly in place. Here are the top 5 security best practices that you should implement for your business:
1. Tighten password security
Passwords are key to the security of your confidential data. Attacks against user credentials, including brute force, sniffing, host-based access and theft of password databases, remain very strong attack vectors warranting the use of effective password management controls. Consider these best practices for password management:
- Use multi-factor authentication (e.g. username and password with one-time PINs)
- Implement log-in abuse detection system that monitors connections, login counts, cookies, IP addresses and other related data
- Remove or disable default accounts, and conducting regular audits to ensure that inactive accounts are denied access.
2. Deploy the necessary protection
Up-to-date antivirus and anti-malware softwares are a must. You should also have firewalls in place to block unauthorised access to your network.Web Application Firewall (WAF) is also another essential defence that protects your web servers from malicious traffic and targeted attacks by filtering and blocking attempts to compromise the system. Whole disk encryption should be deployed on all laptops, mobile devices and systems hosting sensitive data.
3. Conduct regular tests and audits
One of the most effective ways to protect your business from a data breach is to first find out if you are vulnerable to one. With regular vulnerability assessments and penetration tests, you can identify and mitigate weaknesses in your systems and deploy the necessary solutions to remove the risk of data theft. Deploy solutions to detect abnormal flows of data which will help in spotting potential cyberattacks.
4. Limit access to sensitive data
Data breaches can be due to malicious activity, but it is also commonly due to inadvertent disclosure from internal staff or ex-employees. It is therefore important to control and restrict the access of your data only to those who need it and always monitor users with extended privileges. For example, a user might have the access to edit certain documents or files but are denied access to download customer databases. Not only does this help to minimise illegal data leaks, it also reduces human error. Also ensure that all inactive accounts are timely removed to prevent inappropriate extraction of confidential information.
5. Evaluate your security policies continually
Regularly review and refine your protection methods to ensure they stay relevant to your changing IT infrastructure, challenges and employee dynamics. Diligent auditing of user activities and recording of changes implemented to the system will help you trace the root cause of the data breaches. Always take time after an incident to conduct a post-mortem analysis and make necessary improvements to your policies.
"With Singapore fast evolving into a Smart Nation, many industries are moving into digital and this naturally widens the surface for cyberattacks. Thus the industry conversation has moved beyond "if" to the questions of "when," and "what" is the impact," said Dr Lim Woo Lip, Vice President Cyber Security & SmartHub.
Protecting against a breach requires a multi-layered effort. SMEs should remain vigilant in such times by implementing a thorough security plan that consists of a myriad of strategies that work hand-in-hand to offer thorough and effective protection.
Click here to download a copy of infographics on how to safeguard your critical information against data breaches.
GDPR is coming and there's nowhere to run
Four areas of concerns to tackle before European Union's new data protection regulation sets in.
In Cybersecurity, a battle of bots
Will 2018 shape up to be a battle of the bots as both attackers and defenders become more sophisticated?
Are enterprises ready for Singapore Cyber Security Bill?
Singapore has witnessed its fair share of cyber attacks over the past few years. With the passing of Singapore Cyber Security Bill, is it sufficient to secure the enterprises? Find out more.