SINGAPORE - Organisations must assume they are already under cyber attack by equipping themselves with online security measures that can identify and mitigate breaches, instead of just setting up cyber defences and anticipating attacks.
This point was stressed by Mr Richard Magnus, chairman of the Committee of Inquiry (COI) probing the June cyber attack on public healthcare cluster SingHealth, which is Singapore's worst-ever data breach.
"Organisations must adopt an 'assume breach' mindset. They must not only adopt a proactive defence strategy, but must also arm themselves with security systems and solutions which enable them to detect and respond to cyber threats early," said Mr Magnus.
These, he added, must be complemented with the right people and processes.
Mr Magnus, a retired senior judge, was giving his closing remarks on Friday (Nov 30) before adjourning the COI, which has heard from 37 witnesses over 20 days of hearings.
Echoing a point some witnesses like Singapore's Commissioner of Cybersecurity David Koh had made in previous hearings, Mr Magnus said senior management has to take ownership of policy and decisions pertaining to cyber-security risks.
This, he added, includes drawing up "fit-for-purpose" organisation structures and practices that would address their specific risks and concerns.
Organisations have to also make sure they safeguard and protect information "crown jewels" in the best and most effective manner possible, said Mr Magnus.
The COI had previously heard that a mix of failings in organisational processes and staff judgment had caused the SingHealth patient records to be stolen.
Other factors include how the skilled hackers had made use of sophisticated tools to exploit vulnerabilities in the Integrated Health Information Systems (IHiS), which is Singapore's central IT agency for the healthcare sector.
Mr Magnus gave his closing remarks after the legal counsels of SingHealth, the Ministry of Health (MOH), MOH holdings and IHiS gave theirs.
On Friday, Solicitor-General Kwek Mean Luck also gave closing remarks on behalf of the Attorney-General's Chambers (AGC), which was leading evidence for the COI.
Mr Kwek, a Senior Counsel, outlined 16 recommendations that the COI has heard over the course of its proceedings, of which five were highlighted as priority ones.
These include steps like improving incident response processes, improving staff's sensitivity towards cyber security and performing enhanced checks.
Mr Kwek noted that the parties involved in the breach have committed to follow up on the implementation of these recommendations.
In his remarks, Mr Kwek also pointed out some previously unknown details about the breach.
For instance, the COI had previously heard that in June, the attacker used a dormant local administrative account with the commonly used password hash of P@ssw0rd.
Mr Kwek revealed that administrator accounts were required to have a 15-character password, but this problematic password only had eight characters.
It also had the same password since 2012, despite being required to be changed every three to six months.
But while more could have been done to deter or slow the data breach, Mr Kwek underscored that the attack was carried out by an advanced persistent threat actor who had "planned and executed with patience".
"In the spirit of the inquiry of this COI, the focus has thus not been on fault-finding, but on deep probing and learning, so that we can identify areas that we should strengthen," he said.
"In this respect, we have learnt valuable lessons from the COI, not least through the sharing of expertise on cyber defence by the expert witnesses and CSA. These lessons will help us to shore up defences against the increasingly sophisticated nature of cyber attacks."
The COI is expected to submit a report on its findings and recommendations by Dec 31 to Mr S. Iswaran, Minister-in-charge of Cyber Security and Minister for Communications and Information.