DATA BREACHES – THERE’S NO PITY PARTY

DATA BREACHES – THERE’S NO PITY PARTY

It never rains but it pours. Your data just got stolen, and the next thing you know, you’re facing a $16,000 fine. That’s why it’s crucial that data breaches do not happen and you should be aware of how you can protect your company with cyber security hand-in-hand with Personal Data Protection Act (PDPA) Compliance.

A data breach is a security incident in which information is accessed without authorisation. It usually happens when there is an unauthorised entry point into an organisation’s database that allows hackers to access customer data such as passwords, credit card numbers, banking information and other sensitive information.

Data breaches can hurt businesses and consumers in a variety of ways. They are a costly expense that can damage lives and reputation.1

What is the Personal Data Protection Act (PDPA)?

The PDPA is an act enforced by the Personal Data Protection Commission (PDPC).  It is a data protection law that comprises various rules governing the collection, use, disclosure and care of personal data. It identifies both the rights of individuals to protect their personal data and the needs of organizations to collect, use or disclose personal data.2 

10 questions to ponder if your company complies with the PDPA3

  • Do you have a Data Protection Officer?

All organisations must appoint at least one person as the Data Protection Officer (DPO).

The DPO function is management’s responsibility and, ideally, the appointed DPO should be part of the management team. The operational DPO functions, however, may be delegated to one or a few employees, or outsourced to a service provider (Data Protection Service Provider).  

Once you have decided on the person(s) to appoint, it is important to brief him/her on his/her roles and responsibilities. Next step is to inform all your staff on who the DPO is so that they can forward all PDPA-related queries and feedback to him/her.  

  • Do you notify the customer of your purpose in collecting, using or disclosing his/her personal data?
    The customer should be fully aware of what and why their personal data is collected/used/disclosed for.
  • Do you seek the customer’s consent when collecting, using or disclosing his/her personal data?
    The customer should give their consent when their data is used, collected or disclosed.
  • Do you allow the customer to withdraw consent at any time when collecting, using or disclosing his/her personal data?

            The customer should be allowed to withdraw consent at any time regarding their Personal data. 

  • Do you have an adequate response (within 30 days) when individuals ask about how their personal data has been used?

If you are unable to provide it within 30 days, you must inform the individual within 30 days and let him/her know when you can respond. 

  • Do you allow the correction of Personal data?
    Are customers allowed to correct or update their data maintained by the organisation?
     
  • Are security arrangements in place to protect all personal data under your organisation?

Establish security arrangements to protect personal data under your organisation. This is to prevent unauthorised access, collection, use or disclosure of the data and other similar risks.

  • Did you dispose of personal data that is no longer needed?

Stop holding on to personal data when you no longer have any business or legal use for it.

  • Did you check the Do Not Call Registry before doing telemarketing?

If you conduct telemarketing to subscribers or users of Singapore telephone numbers, you will need to submit the telephone numbers on your telemarketing list for checks against the Do Not Call (DNC) Registry, unless the subscriber or user has given his/her clear and unambiguous consent to receive such messages.

  • Communicate your data protection policies, practices and processes

Provide the business contact information of your DPO so that your customers   can contact him/her for PDPA-related queries or complaints

How does Cyber Security help to mitigate the risk of data breach? 

A data breach is very much avoidable with the correct measures in place.
It is not wise for organisations to skimp on cyber security expenses. In this age when data is so valuable, a breach has certain irreversible consequences.
 

Ways to mitigate the risk of data breach with cyber security 

  • Critical Infrastructure Security

Cyber security helps in securing your IT infrastructure as a whole which secures any mission critical applications that cannot afford any downtime.

Common attacks such as DDoS, can be prevented with adequate firewall in place to detect any incoming attacks through a mitigation facility. Through this method, customers’ IP addresses are masked with a Virtual IP so that all data traffic will be redirected before it reaches their network. 4

  • IP Address

Usually, an organisation may have a server with an externally facing IP, exposed to the internet, within a DMZ. These servers have static IP addresses which are accessible from anywhere with an Internet connection.

It is consequential for organisations to ensure this public address range is frequently scanned for exploits and weaknesses to ensure that crucial data is not leaked. 

One method to mitigate this is to use application layer defenses, consult a network firewall provider that has strong application layer protection. A firewall should have the ability to inspect the content of traffic and block malicious requests. Another method of mitigation can be by having a dynamic IP address that changes over time and is different each time you connect to the internet. Dynamic IP address reduces the chance of IP address hacking as it is changing over time and is difficult for hackers to decode. 5

  • Cloud Services

Is the convenience of the Internet still as enticing after knowing the threats? Fret not! Put in place your cloud security to mitigate the risk of data breach when storing your data in the cloud!

Insufficient due diligence will cost you greatly, hire the right people to monitor what’s going on in your workspaces can help you avoid or hold back data breaches or you can consult a unified cloud management platform. 6

Conclusion

All in all, cyber threats are imminent and impending, the PDPA is a very important legislature in data handling and exchange. Hackers will continue to mine the cyberspace for any information that they can exploit financially and it is important to be ready when the push comes to shove. 

Netpluz can be your one stop solution for all cyber security services that your company might require. Our managed cyber security services include cloud based simple and cost effective solution to mitigate and protect against any external threats, such as D-DOS attacks, secures any backend network and mission critical applications that cannot afford any downtime. 

Please feel free to book an appointment by submitting your information here for a free consultation.

Author: Ong Wei Zhao

References

1 https://cyber-armada.com/data-breach.html#:~:targetText=What%20is%20a%20Data%20Breach%3F,and%20take%20time%20to%20repair.

2 https://www.pdpc.gov.sg/Legislation-and-Guidelines/Personal-Data-Protection-Act-Overview

3 https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Help-for-Oragnisations/dp-starter-kit—171017.pdf 

4 https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/

5 https://www.sciencedirect.com/topics/computer-science/internal-server

6 https://medium.com/swlh/7-ways-to-secure-your-office-365-from-data-breach-86537dcb70db

LIVE Webinar | Understanding SME’s Obligation in Data Protection and Cybersecurity

Zooming into the responsibilities of Business, IT and Compliance during and post COVID-19

26 June 2020 | 2.30 PM to 4.00 PM

We know the importance of PDPA and we wanted to share that knowledge with our clients so take this opportunity to uncover what PDPA means for your company and department through this complimentary webinar with Straits Interactive, one of the experts in the field of data protection.

SMEs today operate in an increasingly connected and competitive digital economy where individuals’ online and real-world activities generate huge amounts of data, especially during circuit-breaker where everyone must work remotely from home. 

SMEs have had to scramble to arrange employees to connect back to the office.  Have you taken a look at the privacy and IT risks involved in using the free apps as well as the paid apps?  Do you know what you need to look out for?  No matter how good your multiple cybersecurity tools are, an attacker will eventually find a way into your network through vulnerabilities during a lapse. Join us for the 1-hour session with Straits Interactive to find out about the role and accountability of IT departments, and approach to mitigate the cyber threat and risk. 

Topics covered:

  • Latest PDPA updates
  • Digitalisation & WFH Risks 
  • Roadmap to PDPA Compliance
  • The common problems faced by businesses
  • eSentinel™ – 360° Defense in Depth
  • and many more!

The Presenters:

  1. Alvin Toh, Chief Marketing Officer, Straits Interactive Pte Ltd
  2. Kenneth Wee, Commercial Director, Netpluz Asia Pte Ltd

 

 

PDPA Compliance – Is Your Corporation’s Data Free From Cyber Threats Such As Data Breaching?

Cyber activities are becoming more common than you think. According to a survey report released by the Cyber Security Agency of Singapore (CSA), there has been a huge increase in cyber threats such as data breach.

Businesses in Singapore suffered losses of around S$58 million in 2018, representing an increase of about 31 percent from 20171.

With the risk of high loss due to cyber threats, this blog article aims to share some simple and cost-effective ways to keep your business safe in the upcoming year.

To begin, let’s first have a basic understanding of the possible cybercrime and its impact. 

What is data breach?

In today’s internet world, data breaches are becoming more common for businesses, regardless of the organisation’s size and complexity. Data breach is a security vulnerability where confidential data or sensitive information is released to untrusted websites or misused by cybercriminals. This means that data is at risk of being stolen, transmitted or viewed by unauthorised people outside of your company, which can also be known as a data leak.

Data Breach data prevention

How does data breach occur?

Some business owners may think that having a single firewall is sufficient enough to deal with a cyberattack. This mindset increases the attractiveness of the cybercrime industry and provides more targets for attackers to make their profit.  A data breach can happen to an organisation in multiple ways such as 

Employee Focus attacks: Cybercriminals could send malicious emails that look valid and real to simply request the targeted employees to send in the required details. Employees who have been deceived will unknowingly leak important information that provides hackers with access to all your organisation’s data.

Alternatively, it could be due to sharing of private information to the wrong person. For instance, attaching an important document that contains customer details to someone outside of your organisation who does not have any permission or right to view, and the file can be read by them without any further authentication, like a password.

Malware attack: The data that your organisation owns is very attractive to cybercriminals. To obtain those valuable data, cybercriminals could use malware to hack into your system. One of those is known as Ransomware, which is a malicious program used to acquire a significant amount of data and likely to perform encryption in a single attack. With that, the cybercriminal is able to demand and threaten for payment from the victim in exchange for a decryption key.

Outcome Of Data Breach

Upon data breach, there are many lethal results that could lead to termination of business operation, temporarily or permanently. Data breaches can damage both business and consumers in terms of reputation, which is costly and timely to be repaired. Moreover, businesses may face additional damages in the form of fines or penalties. These consequences may vary due to the type of data breaches and violation of the Personal Data Protection Act.

What is the Personal Data Protection Act (PDPA)? 

PDPA is a law that aims to protect all relevant information of an individual such as NRIC, bank account details, among other information against any organisation that is likely to have revealed, collected and used it, despite the credibility of the information. With PDPA, this means that all corporations in Singapore will have to follow a set of baseline standards when managing possession of all individual’s data, even by the firm’s own employees.

How is the PDPA enforced?

The Personal Data Protection Commission (PDPC) has been established to manage and enforce PDPA. The PDPC will determine if a business is not in compliance with PDPA, and the particular company may receive instructions and consequences, such as terminating any collection, use, and disclosure of data in business operations. The company would also be expected to pay fines not exceeding S$1 million.

Protecting against data breach with cybersecurity

With the growth of the internet, there are different security needs such as the application, cloud, mobile, network and endpoint securities. Also, data loss prevention, identify and access management. Cybersecurity is the general IT term to cover different defence remedies and it will allow your corporate to secure the system against any cyberattacks that may lead to data breaches.

Cybersecurity Practices To Mitigate The Risk of Data Breach

These are some easy and effective cybersecurity methods that can ensure that all vulnerable devices, applications, networks, and data in your company’s holding are being protected against any threats.

Secure All Network and Device

This can be done by first installing security software that includes anti-virus and anti-spam filters, which can help your business reduce the possibility of falling for phishing emails and mitigate malware infection.

Also, a firewall could be applied together to track the in and out traffic between all your company computers and the internet. With a firewall in place, the business internal network can be further secured.   

Secure With Encryption

Always make sure that your data in files are encrypted in secret code or password when sharing on to the internet. This helps to reduce the risk of data being stolen or destructed online.

Enforce Cybersecurity Policies

By stating out the relevant rules and regulations, your employees can be educated on security issues and things to take note of when they are visiting internet sites or emails.

Conclusion

The right cybersecurity is needed in order to mitigate your corporate’s sensitive data such as financial information, trade secrets or intellectual property of the customers or users. With cyber attackers and hackers becoming more prominent and creative it is difficult to acquire an effective solution. Not to worry! At Netpluz, we have partnered with leading cybersecurity vendors such as Nexusguard, Sophos, Druva and many more that can provide a variety of cybersecurity solutions that can help your company reduce the negative impacts of data breaching and at the same time save cost.

Click here to find out more about ways to defend your data, or email us to arrange for an appointment with our experienced manager, and we will provide ways for you to become more secure. 

Author: Ada Foo Jiaxin

References

1 CISOMAG. “Around 6,200 Cyber-Attacks Reported in Singapore Last Year: CSA.” CISO MAG | Cyber Security Magazine, 20 June 2019, www.cisomag.com/around-6200-cyber-attacks-reported-in-singapore-last-year-csa/

Irwin, Luke. “The 6 Most Common Ways Data Breaches Occur – IT Governance Blog.” IT Governance Blog, 11 Mar. 2019, www.itgovernance.eu/blog/en/the-6-most-common-ways-data-breaches-occur.

“What Is Cyber Security Threat Mitigation? Webopedia Definition.” Webopedia.Com, 2019, www.webopedia.com/TERM/C/cyber-security-threat-mitigation.html#:~:targetText=Cyber%20security%20threat%20mitigation%20refers,when%20security%20attacks%20do%20happen.

What is Cybersecurity (Cyber Security)? Everything You Need to Know. “What Is Cybersecurity (Cyber Security)? Everything You Need to Know.” SearchSecurity, 2019, 

“How to Protect Your Business from Cyber Threats | Business.Gov.Au.” Business.Gov.Au, 15 Oct. 2019, www.business.gov.au/Risk-management/Cyber-security/How-to-protect-your-business-from-cyber-threats.

What happened recently with so much Data Breaches news coverage?

One of the key challenges for organisations today is how to safeguard their information systems and digital infrastructure from attacks by malicious hackers and cybercriminals. Current concerns for most companies are often related to data breaches, with so much media coverage focusing on recent cases. 

In light of recent data breaches discovered on Singtel and Ninja Van, Personal Data Protection Commission (PDPC) mentioned:

“Despite having received professional advice to take precautions against such vulnerabilities, the organisation omitted to conduct a full code review…and hence failed to discover (the vulnerability) that was exploited in this case.”

No matter how certain organisations are about their defences, there are always risks to their security because of frequent changes and updates made to their digital infrastructure.

Due to these issues, vulnerability assessment and penetration testing (VAPT) come in place as a solution to identify the unknown vulnerabilities and set immediate remediation to mitigate cybersecurity risk for the company.

According to PDPC, eight organisations were found to be in breach of the Personal Data Protection Act (PDPA). 

  • Ninja Logistics for failing to put in place reasonable security arrangements to protect customers’ data in relation to a tracking function on the company’s website, allowing the data to be accessed publicly.
  • EU Holidays, penalty of $15,000, for not protecting customers’ personal data and not having written policies and practices to comply with the PDPA. 
  • Marshall Cavendish ($40,000), Singtel ($25,000) and SearchAsia Consulting ($7,000); and a warning issued to another two – Tan Tock Seng Hospital and CampVision.
  • Directions were also imposed on iClick Media for breaching the Accountability Obligation.

Is Your company ready for Vulnerability Assessment & Penetration Testing (VAPT)?

Vulnerability Assessment & Penetration Testing (VAPT) is necessary to spot your vulnerability. VAPT result shall deliver quality assessment through the eyes of both a hacker and an experienced and certified security expert to discover where you can improve your security posture.

The findings (vulnerabilities) would be delivered as reports that shall be used to effectively remediate any of the vulnerabilities and answer these following questions:

  • How vulnerable are you from the internet or intranet?
  • What are the exploitable vulnerabilities?
  • Are the operating system patches current?
  • Do you have unnecessary service running?

“Knowing your vulnerability and the way in which the attackers could exploit them are one of the greatest insights you can get in improving your security program.”

Want to know how we can help you discover vulnerabilities through VAPT?

 

 

 

 

 

VAPT

Reference

Singtel fined $25,000 and Ninja Van $90,000 for data breaches, The Strait Times, Nov 5, 2019. – https://www.straitstimes.com/business/companies-markets/singtel-fined-25000-and-ninja-van-90000-for-data-breaches

New Commission’s Decisions on 4 November 2019, PDPC, Nov 4, 2019https://www.pdpc.gov.sg/pdpc/news/latest-updates/2019/11/new-commissions-decisions-on-4-november-2019