Reputational damage and data breaches go hand in hand

The Personal Data Protection Commission (PDPC), set up in Singapore in 2013 to promote and enforce personal data protection so as to foster an environment of trust among businesses and consumers, administers and enforces the Personal Data Protection Act (PDPA) – one of Asia’s most comprehensive data protection laws.

According to the PDPC, there were almost 7,000 complaints made in 2021. Just this year, Singapore has seen several high profile data leaks such as the breach on department store OG’s database, which compromised the personal data of its customers; as well as the attack on Singapore Airlines’ in-flight retailer KrisShop, which exposed the data of nearly 5,000 customers.

The global surge in data breaches – ominously nicknamed the “cyberdemic” – can be attributed to many reasons, with one being that organisations have not considered the unique cybersecurity needs of a hybrid workforce that is connected to less secure networks. The pressure is on organisations to ensure the secure exchange of sensitive data while managing the challenges of an increasingly sophisticated threat landscape.

PDPC is now actively regulating organisations to ensure compliance, in addition to enhancing protection against cyberattacks – particularly those which expose personal data. This is reflected in changes made to Singapore’s data protection laws that were passed in November 2020. Under amendments made to the PDPA, the maximum financial penalty for data breaches will be increased to SG$1 million or 10% of local annual turnover for organisations whose turnover exceeds S$10 million, whichever is higher. It is crucial for organisations to be aware of their accountability and understand the full scope of the PDPC to avoid falling foul of the law.

Preparation and response

The cornerstone of any organisation’s security program is guided by the “CIA” triad, being the principles of confidentiality, integrity, and availability. If an organisation fell victim to a data breach, it is certain that one or more of these principles had been jeopardised.

Confidentiality

In this context, confidentiality refers to the efforts that an organisation takes to ensure that their data is safe. Once organisations receive personal data from their employees, measures should be put in place to prevent the unauthorised access of sensitive information. Organisations should issue an updated ‘Personal Data Protection Statement’, which explains what and how personal data is collected from data subjects, so they can make an informed decision.

There must also be engagement between organisations and their employees, to ensure that employees are not just fully informed but are also able to comply with the policies. Helpful strategies include mandatory password changes, non-disclosure agreements as part of working with sensitive data, and having regular data hygiene assessments.

To maintain confidentiality, it is crucial to have a robust data protection plan that covers management policies and processes for the handling of data. There are some commonly used practices and technologies that can help in restricting access, monitoring suspicious activity, and defending against threats:

  • Employee training – The weakest link in data protection can be employees. Make data privacy relevant and relatable for employees by sharing advice that they can use to better manage their own personal data.
  • Antivirus software – Protects employee devices from viruses that can destroy data, or slow/crash the device
  • Risk assessment – A security risk assessment procedure that identifies, assesses, and implements key security controls. It also spots any defects and vulnerabilities within the security posture of an organisation.

Integrity 

Integrity is focused on ensuring that data can be trusted, and that it has not been modified. Organisations must be able to ensure the protection of data, whether it is being used or stored. For example, customers in an online banking platform naturally expect that their banking information and account balances will not be tampered with.

The integrity of an organisation’s data can be compromised either intentionally or unintentionally. Several examples of data being compromised intentionally would include bypassing intrusion detection systems to modify configuration files or changing system logs so that they cannot be detected. Human error, on the other hand, can lead to the unintentional compromising of data with coding errors, or inadequate policies, procedures, and protection mechanisms being the most common factors.

To prevent a breach of data integrity from occurring, organisations can employ a variety of countermeasures such as:

  • Digital certificates – These are issued by trusted certificate authorities to organisations so that they can verify their identity to website users. This is similar to how a passport or driver’s licence can be used to verify an individual’s identity.
  • Digital signatures – Mathematical algorithms whose main purpose is to validate the authenticity and integrity of messages, such as emails, digital documents, or credit card transactions.
  • Intrusion detection systems – These monitoring systems help to keep an eye out for any suspicious activities taking place, and generate alerts when they detect any suspicious activity taking place.

Availability

Data has little value to an organisation if it cannot be accessed when needed. Therefore, it is necessary to ensure that networks, systems, and applications are functioning. This allows authorised users to have access to the data in a timely and reliable manner.

There are many routes by which availability can be impacted, some of which include power failures and natural disasters. However, perhaps the most well-known avenue is known as a distributed denial-of-service (DDoS) attack. A DDoS attack entails the intentional and malicious disruption of a system or website, such that it cannot be accessed.

Making sure that data is available when needed is important, as a disruption of data could result in financial losses and damage the organisation’s reputation. To prevent the availability of data from impacting organisations negatively, there are a variety of methods that can be employed:

  • DDoS response plan – The creation of such a plan will allow organisations to be prepared for potential attacks and how to respond if an attack takes place.
  • Server redundancy – Setting up backup servers for the primary servers. The backup servers will be able to assume the role of the primary server, should the latter become inaccessible.
  • Regular software patching and system upgrades – Applying the latest updates to software can help to correct any errors or vulnerabilities that could be exploited.

Be prepared

The unfortunate reality is that a data breach can happen to any organisation anytime. Given that companies cannot avoid collecting personal data, it is important that organisations are up to date with the PDPC’s requirements.

To prevent data from falling into the hands of bad actors, it is crucial that organisations put security arrangements in place, have strict compliance, and get professional guidance when needed.