News analysis

The big task - instilling a culture of taking cyber security seriously

They say that it is better to blend cyber security into an organisation's culture and systems than to spread it on later.

Most speakers seemed to agree with this approach at yesterday's final session of the high-level panel inquiring into the June cyber attack on SingHealth.

Committee of Inquiry (COI) chairman Richard Magnus concluded the 21-day hearing by recommending that organisations adopt an "assume breach" mindset.

Solicitor-General Kwek Mean Luck from the Attorney-General's Chambers also said that cyber defence is everyone's job and not just that of the IT department, touching on the importance of organisational culture.

Culture became a key focus simply because people are at the heart of all processes and systems.

People click on links in e-mails, and people interpret data such as unusual traffic trying to access a database. The issue emerged starkly through the behaviour of staff at Integrated Health Information Systems (IHiS), Singapore's central IT agency for the healthcare sector.

The COI heard that hackers first intruded into SingHealth's network in August last year after a user from the Singapore General Hospital fell prey to a phishing attack.

The COI also heard that a middle manager of cyber security at IHiS, Mr Ernest Tan, was alerted to suspicious network activities as early as June 13 by his subordinate, IHiS system engineer Benjamin Lee, who had noticed unusual traffic.


But Mr Tan did not report them to higher management even after Mr Lee repeatedly said that the network was under attack. Mr Tan said he did not realise the severity of the incidents even though he was told that attempts had been made to access 100,000 patient records.

"People are a potential weak link, if not the weakest link," Mr Magnus said in his closing remarks.

Intrusions into SingHealth's electronic medical records system - billed as the crown jewels of its network - began on June 27 but were discovered only on July 4 and terminated that day by a junior staff member, IHiS' database administrator, Ms Katherine Tan.

Reiterating the need to have a culture of security, Mr Kwek called on all public healthcare institutions and IHiS to adopt a "security-by-design" mindset.

What Mr Magnus and Mr Kwek meant is that the rank and file must be educated on cyber risks, and that trained IT security personnel should report to the right people, including the chief executive officer.

This is in recognition that cyber security is a risk management issue and not just a technical one.

Not only will this constitute a culture of security, but it will also cultivate "an attitude of shared responsibility", said Mr Magnus, highlighting a key takeaway from the cyber attack that led to Singapore's worst data breach.

Hackers stole the personal data of 1.5 million patients and the outpatient prescription details of 160,000 people, including Prime Minister Lee Hsien Loong.

The culture of taking cyber security seriously - at all levels - will have to be a campaign led by the senior management.

It will be a massive endeavour for the tens of thousands of staff at all the public healthcare institutions in Singapore and the 1,800 staff at IHiS. It is also something that the management at SingHealth and IHiS have said they are committed to doing.

As the COI prepares to submit its final report to Minister-in-charge of Cyber Security S. Iswaran by the year end, one takeaway for every sector is that awareness is key to cyber defence. Every employee must play a part, and it cannot be delegated to technical staff alone.

A version of this article appeared in the print edition of The Straits Times on December 01, 2018, with the headline 'The big task - instilling a culture of taking cyber security seriously'.