COI on SingHealth cyber attack

Groups must adopt systems to identify and mitigate breaches, says panel chief

This must be complemented with the right people and processes, he says before adjourning COI

The June cyber attack on public healthcare cluster SingHealth was Singapore's worst data breach. ST PHOTO: SYAZA NISRINA KHAIRUL LIZAN

Organisations must assume they are already under cyber attack by equipping themselves with online security measures that can identify and mitigate breaches, instead of just setting up cyber defences and anticipating attacks.

This point was stressed by retired senior judge Richard Magnus, chairman of the Committee of Inquiry (COI) probing the June cyber attack on public healthcare cluster SingHealth, which was Singapore's worst data breach.

"Organisations must adopt an 'assume breach' mindset. They must not only adopt a proactive defence strategy, but must also arm themselves with security systems and solutions which enable them to detect and respond to cyberthreats early," said Mr Magnus.

These must be complemented with the right people and processes, Mr Magnus said in his closing remarks yesterday before adjourning the COI, which has heard from 37 witnesses over 21 days of hearings.

During the breach in June, hackers stole the personal data of 1.5 million patients and the outpatient prescription information of 160,000 people, including Prime Minister Lee Hsien Loong.

Echoing a point some witnesses like Singapore's Commissioner of Cybersecurity David Koh had made in previous hearings, Mr Magnus said senior management has to take ownership of policy and decisions pertaining to cyber-security risks.

This includes drawing up "fit-for-purpose" organisation structures and practices that would address their specific risks and concerns.

Organisations have to also make sure they safeguard and protect information "crown jewels" in the best and most effective manner possible, said Mr Magnus.

The COI had previously heard that a mix of failings in organisational processes and staff judgment had caused the SingHealth patient records to be stolen.

Other factors include how the skilled hackers had made use of sophisticated tools to exploit vulnerabilities in Integrated Health Information Systems (IHiS), which is Singapore's central IT agency for the healthcare sector.

Yesterday, Solicitor-General Kwek Mean Luck also gave closing remarks on behalf of the Attorney-General's Chambers, which was leading evidence for the COI. Legal counsel of SingHealth, the Ministry of Health (MOH), MOH Holdings and IHiS did so too.

Mr Kwek, a senior counsel, outlined 16 recommendations that the COI has heard, of which five were cited as priority ones.

They include steps like beefing up incident response processes, improving staff's sensitivity towards cyber security and performing enhanced checks.

He noted that the parties involved in the breach have committed to follow up on the implementation of these recommendations.

In his remarks, Mr Kwek also pointed out some previously unknown details about the breach.

For instance, the COI had previously heard that in June, the attacker used a dormant local administrative account with the commonly used password hash of P@ssw0rd.

Mr Kwek revealed that administrator accounts were required to have a 15-character password, but this problematic password had only eight characters.

It had also had the same password since 2012 despite the requirement for it to be changed every three to six months.

"In the spirit of the inquiry of this COI, the focus has thus not been on fault finding, but on deep probing and learning, so that we can identify areas that we should strengthen," he said.

The COI is expected to submit a report on its findings and recommendations by Dec 31 to Mr S. Iswaran, Minister-in-charge of Cybersecurity and Minister for Communications and Information.

A version of this article appeared in the print edition of The Straits Times on December 01, 2018, with the headline Groups must adopt systems to identify and mitigate breaches, says panel chief.