SINGAPORE - Singapore has the dubious honour of ranking No. 6 in the world for having the most databases exposed to the Web last year which hackers could easily breach and exploit.
The number of such susceptible databases here was also found to have grown steadily throughout the year with increased digitalisation during the pandemic, according to the study released on Wednesday (April 27) by cyber-security firm Group-IB.
This suggests that while many organisations went digital during Covid-19, database security might not have kept up.
The United States took top spot with close to 93,700 exposed databases found, followed by China with nearly 54,800. Germany was a distant third with almost 11,200 databases. Sixth-placed Singapore had almost 5,900.
Globally, 308,000 databases detected last year were potentially open to hackers.
This comes at a time when cyber threats here have grown. A Cyber Security Agency of Singapore report last July showed that the number of "zombie" devices, which are linked to the Internet and infected with malware that allows hackers to control them and launch cyber attacks, trebled here during the pandemic.
Under Singapore's Personal Data Protection Act, a company can be fined up to $1 million for a data breach. But from Oct 1, this will be raised to a maximum of 10 per cent of the company's annual turnover in Singapore or $1 million, whichever is higher.
Databases open to hackers are a concern.
"When an exposed database gets accessed by an unauthorised malicious party, the consequences can range from a data breach to a subsequent follow-up attack on the employees or customers whose information was left unsecured," said Mr Tim Bobak, Group-IB's attack surface management product lead. Group-IB is one of Interpol's official partners and has worked with its cybercrime team.
Mr Bobak said that Singapore's number of databases is found to be higher than that of other territories, and this might simply reflect the fact that it is a highly developed area that hosts a larger number of information technology assets.
"Another reason might be the high level of digitalisation in Singapore," he said.
Mr Freddy Tan, an executive committee member of the Association of Information Security Professionals (AiSP), said that a lack of awareness of data protection and security among organisations here could be a contributing factor as well.
“If you look at economies like Australia, they have a longstanding culture around data privacy. But we don’t have such a long history on data protection,” said Mr Tan, who is also managing director of cyber-security firm Epic Cybersecurity.
He added that the focus of cyber-security professionals and management in many organisations here is on infrastructure security – such as having firewalls and anti-virus software – but not data security.
Group-IB had scanned the four most popular and commonly used database management systems globally between the first quarter of last year and the second quarter of this year. The scan did not collect and analyse the content of any exposed databases found and it was not clear which organisations the databases belonged to.
Some of the databases found could be publicly accessed without even needing a username and password.
In other cases, the databases might be protected by passwords. But Mr Bobak said passwords alone are not enough as they can be breached using lists of stolen passwords or simply "brute forced" - using software to guess the passwords by trial and error.
In Singapore, the number of exposed databases discovered grew fairly regularly, at around 1,500 databases every three months after the first quarter of last year.
There were 1,239 exposed databases discovered in the first quarter of last year. By the fourth quarter of 2021, the figure had grown to 5,882. The number jumped by almost 2,000 to hit 7,873 in the first quarter of this year.
Mr Bobak said that as more organisations go ahead with their digital transformation plans, there are more and more Internet-facing services and devices every day.
"Corporate networks keep getting more complex and extended. This leads to an increase in the total number of misconfigured databases," he said.
The main cause of not configuring databases properly here is likely human error and a failure to follow cyber-security practices.
"Information technology infrastructure is growing in both size and complexity for businesses in virtually all industries, so it's challenging to make sure everything is properly configured and secured," said Mr Bobak, noting that simple errors can lead to misconfigurations and thus exposed databases.
In Singapore, the average time it took to patch an exposed database in the first quarter of 2021 was 160 days, compared with 170.2 days globally.
It then hovered between 125 and 135 days for the next three quarters, compared with between 112 and 147 days globally.
Mr Bobak said a number of factors could contribute to the variations in the time needed to fix databases here.
The accelerating pace of digitalisation could mean firms had more assets to manage. Cyber-security teams may also be facing skill shortages and limited budgets, even as their workloads increase, with the pandemic disrupting workplaces and business processes, he said.
Group-IB said discovering issues with high-risk digital assets like databases in a timely manner is key because cyber criminals are quick in spotting opportunities to steal sensitive information or creep further into a network they have infiltrated.
The talent shortage here might not be as great as in other countries. AiSP’s Mr Tan said that there is one certified information security professional for every 2,000 people in Singapore.
By comparison, in another advanced digital economy like Australia, there is one such professional for every 8,000 people.
To help prevent database exposure while organisations' networks grow, Mr Bobak said it was important for them to have a complete and updated list of their digital assets, as well as use tools to help manage them.
They should also use internal virtual private networks so that servers with databases can be hidden from the Internet.
Workers should not be allowed to use a system's original log-in details, or use "admin" as the username and password. They should use strong passwords, like those at least 12 characters long. Additional ways to verify a user's identity should be in place too.