How to Protect Your Organisation from Data Breaches

Introduction

While the proliferation of data and the growing reliance on technology have brought about unprecedented opportunities for innovation and efficiency, they have also given rise to significant vulnerabilities, most notably the increasing danger of data breaches. Organisations across all sectors are now custodians of vast amounts of sensitive information, including personal and business data. As cybercriminals become more sophisticated, the risk of unauthorised access or theft has escalated dramatically.

The consequences of a data breach can be severe, affecting not only the financial standing of an organisation but also its reputation and the trust of its stakeholders. Furthermore, regulatory bodies are imposing stricter requirements and heavier penalties for inadequate data protection.

In light of this, the Cyber Security Agency of Singapore (“CSA”) has issued advisories on protecting individuals and organisations from data breaches, providing guidance on the common causes of data breach, preventive measures to take, and how to respond to a data breach. In particular, the advisory on “Protecting Your Organisation from Data Breaches” (“Organisation Advisory”) sets out cybersecurity measures that organisations are recommended to adopt to secure their infrastructure and systems, as well as guidance on developing a data breach response plan.

Managing data breaches is as much a technical matter as it is a legal issue, requiring an understanding of both aspects and how they interact. With a unique expertise combining rule of law and technology, Rajah & Tann provides holistic risk management solutions, including advice on data breach prevention and the development of a data breach response plan. Organisations looking to strengthen their data security frameworks may feel free to contact our team.

This Update highlights the key measures in CSA’s Organisation Advisory.

Organisation Advisory – Key Measures

Cybersecurity Measures

The Organisation Advisory sets out recommended cybersecurity measures for organisations to secure their infrastructure and systems, including the following:

  1. Update systems, software and applications regularly to patch known vulnerabilities.
  2. Perform antivirus scans regularly and keep antivirus software updated.
  3. Review user accounts periodically and remove accounts that are no longer needed.
  4. Install and use Virtual Private Network (VPN) for network infrastructure devices, endpoint devices, and other remote access systems.
  5. Encrypt important or sensitive data.
  6. Limit privileged access to authorised personnel, especially for sensitive systems.
  7. Restrict internet access such as through blacklisting or whitelisting.
  8. Review and only enable the necessary network ports and services that are required.
  9. Consider establishing a monitoring system or process to track: (i) authentication logs for remote services and for suspicious account behaviour; (ii) databases for suspicious activities; and (iii) outbound network traffic for unauthorised communications or data transmissions.
  10. Maintain an updated backup of all the important data to facilitate restoration in the event of a ransomware attack or a data breach resulting in data loss.
  11. Conduct security awareness training for employees.

Organisations should also develop a data security plan specific to the company’s context that outlines how sensitive company data should be used and how data that is no longer needed should be destroyed.

The Organisation Advisory sets out additional recommended measures for organisations with an online presence:

  1. Avoid requesting and storing personally identifiable information (“PII”) where possible. If necessary, encrypt the PII before saving the data in the database.
  2. Avoid storing credit card information on your website by using a secure payment gateway. If necessary, organisations should follow standards such as the PCI Data Security Standards.
  3. Enforce the need for customers to use a strong password for their online accounts, and implement multi-factor authentication as part of the login process.
  4. Install Transport Layer Security (TLS) certificates on your web server to secure and safeguard any data that is sent from the browser to the web server.
  5. Install web application firewalls and security plugins to block unauthorised traffic and malicious requests from accessing your network or system.
  6. Conduct regular code reviews and vulnerability assessments before and after deploying your web servers.

Data Breach Response Plan

Organisations should develop a data breach response plan that covers administrative and containment/recovery actions if a data breach is detected. The Organisation Advisory provides the following guidance on the structure of such data breach response plan:

  1. Administrative Actions
    • Lodge a police report if criminal activity is suspected.
    • If you believe that PII was compromised, report the incident to the Personal Data Protection Commission.
    • Reach out to affected customers and take steps to secure their accounts.
    • Develop a crisis communication plan for communicating how the company is managing the data breach.
  2. Containment/Recovery Actions
    • Conduct an internal investigation to determine how the data breach occurred.
    • Isolate the compromised system from the Internet or network by disconnecting all affected systems.
    • Prevent further unauthorised access to the system. Disable or reset the passwords of compromised user accounts and isolate the causes of the data breach in the system.
    • Perform an antivirus scan to detect and remove any malware and patch all systems and software.
    • Monitor the database and systems for any further suspicious activities.

Concluding Words

It is vital for organisations and individuals alike to secure the data in their possession. This is not only to protect against theft and misuse, but – for organisations in particular – also serves to ensure compliance with data protection regulatory requirements.

Organisations looking for advice on dealing with data breaches may contact our team, which includes a multi-disciplinary line-up from Rajah & Tann Singapore LLP and Rajah & Tann Cybersecurity, to obtain a holistic assessment of your organisation’s data breach risks and advice on how to address those risks. Businesses may also consult us on the development and implementation of a data breach response plan, which is not only strongly recommended in advisories but also forms part of data protection obligations in Singapore.


Disclaimer

Rajah & Tann Asia is a network of member firms with local legal practices in Cambodia, Indonesia, Lao PDR, Malaysia, Myanmar, the Philippines, Singapore, Thailand and Vietnam. Our Asian network also includes our regional office in China as well as regional desks focused on Brunei, Japan and South Asia. Member firms are independently constituted and regulated in accordance with relevant local requirements.

The contents of this publication are owned by Rajah & Tann Asia together with each of its member firms and are subject to all relevant protection (including but not limited to copyright protection) under the laws of each of the countries where the member firm operates and, through international treaties, other countries. No part of this publication may be reproduced, licensed, sold, published, transmitted, modified, adapted, publicly displayed, broadcast (including storage in any medium by electronic means whether or not transiently for any purpose save as permitted herein) without the prior written permission of Rajah & Tann Asia or its respective member firms.

Please note also that whilst the information in this publication is correct to the best of our knowledge and belief at the time of writing, it is only intended to provide a general guide to the subject matter and should not be treated as legal advice or a substitute for specific professional advice for any particular course of action as such information may not suit your specific business and operational requirements. You should seek legal advice for your specific situation. In addition, the information in this publication does not create any relationship, whether legally binding or otherwise. Rajah & Tann Asia and its member firms do not accept, and fully disclaim, responsibility for any loss or damage which may result from accessing or relying on the information in this publication.

© 2024 Rajah & Tann Singapore LLP. All rights reserved. Rajah & Tann Singapore LLP (UEN T08LL0005E) is registered in Singapore under the Limited Liability Partnerships Act (Chapter 163A) with limited liability.