fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Guarding against common types of data breaches in Singapore

data breaches in Singapore
Guarding your organization against data breaches in Singapore is essential to avoid the imposition of penalties by the PDPC.

A cyber-attack is a real possibility. Cyber-attacks have increased dramatically in the last year, particularly with remote working due to the COVID-19 epidemic. The Cyber Security Agency of Singapore released its 2020 report on July 8, 2021, reporting a 154% increase in recorded ransomware attacks – a total of 89 cases compared to 35 in 2019.

The attacks primarily impacted small and medium-sized firms (SMEs) in the manufacturing, retail, and healthcare sectors, as they are less equipped and prepared to defend themselves against cyber-attacks. The surge in such attacks serves as a clear message to enterprises to invest resources to defend their systems and plan for cyber-attacks.

To protect your Organization against common types of data breaches in Singapore, here are recommendations proposed by the PDPC based on various issues faced:

Data breaches in Singapore due to Coding Issues 

Design before coding. Design before coding and undertake extensive impact analysis (e.g., traceability and dependency analysis) of any software or code modifications to identify the potential implications of these changes. Organizations should also carefully document their code design, updates, and analysis for proper assessment, review, and verification.

Invest effort to document all software functional and technical specifications. The value of this documentation will become clearer as the original developers leave the project and new developers take up software maintenance and upgrades. Without good documentation, developers frequently have no references to rely back on and may wind up making inaccurate assumptions about code logic.

Ensure that the program has been properly tested, including unit testing, regression testing, security testing, and user acceptance testing (UAT). Most organizations fail to recognize that effective testing can assist them in identifying programming flaws before launching a system. Adequate testing resources should be assigned, and a thorough UAT should ensure good test coverage of scenarios, including various user journeys and exception handling. Organizations must also confirm that the proposed UAT scenarios correspond to real-world usage. This can be accomplished by a thorough collection of business requirements and identifying relevant usage scenarios by possible users. The firm owner should be in charge of these.

Perform code reviews. In addition to examining their own code, code authors can perform peer code reviews, which can be useful for discovering programming problems and supplementing other forms of testing. A code review can be quite successful when undertaken by an experienced developer.

Data breaches in Singapore are avoidable, following the recommendations set by PDPC

Also Read: What you need to know about appointing a Data Protection Officer in Singapore

Data breaches in Singapore due to Configuration Issues

harden system configuration instead of relying on default settings to be sufficiently secure, by making suitable adjustments to settings. Here are a few examples:

  • Firewall configuration: By default, block all traffic and allow only particular traffic to identified services. 
  • Turn off any services that are not in use while configuring your web server.

Automate the build and deployment processes to reduce the number of manual stages and, as a result, the likelihood of a human mistake. For example, instead of manually typing out commands each time a new build of an application is necessary, execute prepared scripts. This can reduce typing errors and the potential to miss out on commands or deploy the new build to the wrong environment.

Systematically manage configuration settings:

  • Create a baseline configuration settings document. This baseline should be updated and reviewed regularly. This serves as a reference point for configuration changes and restoration, and it is also useful if the server needs to be rebuilt.
  • Establish configuration management, code management, and code deployment protocols. This guarantees that configuration updates are managed methodically.
  • When troubleshooting, make a note of any configuration changes you make. This is useful for review, updating the baseline, or reverting to previous settings if necessary.
  • Conduct regular security reviews and testing to ensure that the actual configuration settings in use conform to the stated values.
Data breaches in Singapore must be prevented to retain client’s trust with Organizations handling their data.

Data breaches in Singapore due to Malware and Phishing

Conduct phishing simulation exercises regularly to train your employees to be wary. This is in addition to any existing employee education. Organizations should put mechanisms in place to routinely assess their employees’ level of awareness.

Educate staff and remind them regularly to be on the lookout for phishing and other forms of social engineering. Even with the most modern security systems in place, careless employees’ activities can give an entry point for cyber-attacks.

Consider restricting Internet access, especially if endpoints have direct access to substantial volumes of personal or sensitive data. When these endpoints, such as employee laptops, are compromised, the risk of personal data exfiltration increases.

Ensure that any personal information in your Organization’s possession is automatically and routinely backed up. Ransomware’s goal is to disrupt business operations by preventing access to operational data. Regular backups can be a successful recovery strategy. Backups should be performed offline and kept off-site for increased security. It is also critical to ensure that the backup data can be restored.

Data breaches in Singapore due to Security and Responsibility Issues 

Instead of using real data, create synthetic data (false personal data or data anonymized from real data) for development and testing in non-production situations. Synthetic data can be generated from scratch using commercial tools1 or anonymized production data2.

Controlling access to personal data is an excellent way to keep it safe. Without suitable access control procedures (e.g., requiring user login), any webpage or document on a publicly available website/web application can be indexed by search engines and appear in search results, making it easily accessible to anybody.

Assign unambiguous responsibility for ICT security to the designated individual(s) or team. During maintenance, system patching, security scanning, and log file anomaly detection are all examples of ICT security. This can be done by your company, a competent vendor, or through a joint/split arrangement. If it is to be done by a vendor, explicitly identify the contract’s scope of work and areas of responsibility.

Data breaches in Singapore is recurring and must be stopped following these useful recommendations by the PDPC

Data breaches in Singapore due to Accounts and Passwords

Review user accounts regularly and delete accounts that are no longer needed.

Make certain that no credentials are exposed in code or configuration files. Declare this clearly in your ICT policy, and make sure your employees and vendors are aware. During the security assessment and scanning process, keep an eye out for such dangers.

Reduce the possibility of brute force attacks. Allowing unlimited unsuccessful login attempts makes a system more vulnerable to brute force assaults. A hacker can attempt an infinite number of logins. Locking the user account after a predetermined number of failed login attempts, adding a delay after a failed login attempt, or utilizing CAPTCHAs are all ways to prevent or slow down brute force assaults.

Adopt and put in place a robust password policy. Organizations can use the following password best practices:

  • Enforce a password history policy to prevent employees from reusing past passwords.
  • Encourage users to use passwords that are long and difficult yet easy to remember, such as “Iwant2l@se10kg.”
  • Users should be discouraged from using the same password across several systems.

Some administrative accounts should be subject to stricter criteria. Access to administrative accounts with 2FA or MFA would require an additional round(s) of authentication, such as a temporary code sent securely to the administrator’s mobile phone. As a result, simply using a stolen password to access an account will not suffice. This is critical for administrative accounts to systems that hold vast amounts of personal data or personal data that is confidential or sensitive because a breach of such data could negatively impact the individuals impacted.

Also Read: Vulnerability assessment Singapore: The complete checklist

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us