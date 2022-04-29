Singapore has the dubious honour of ranking No. 6 in the world for having the most databases exposed to the Web last year, which hackers could easily breach and exploit.

The number of such susceptible databases here was also found to have grown steadily throughout the year with increased digitalisation during the pandemic, according to the study released on Wednesday by cyber-security firm Group-IB.

This suggests that while many organisations went digital during Covid-19, database security might not have kept up.

The United States took top spot with close to 93,700 exposed databases found. Sixth-placed Singapore had almost 5,900 (see table).

Globally, 308,000 databases detected last year were potentially open to hackers.

This comes at a time when cyber threats here have grown. A Cyber Security Agency of Singapore report last July showed that "zombie" devices linked to the Internet and infected with malware that allows hackers to control them and launch cyber attacks trebled in numbers here during the pandemic.

Under Singapore's Personal Data Protection Act, a company can be fined up to $1 million for a data breach. But from Oct 1, this will be raised to a maximum of 10 per cent of the firm's annual turnover here, or $1 million, whichever is higher.

Databases that are at risk of being hacked are a concern. "When an exposed database gets accessed by an unauthorised malicious party, the consequences can range from a data breach to a follow-up attack on the employees or customers whose information was left unsecured," said Mr Tim Bobak, Group-IB's attack surface management product lead.

Group-IB is one of Interpol's official partners and has worked with its cybercrime team.

Mr Bobak said the number of databases found in Singapore is higher than in other territories and this might reflect how it is a highly developed area that hosts a larger number of information technology assets. "Another reason might be the high level of digitalisation in Singapore," he said.

Mr Freddy Tan, an executive committee member of the Association of Information Security Professionals (AiSP), said a lack of awareness of data security among organisations here could be a factor too.

"If you look at economies like Australia, they have a longstanding culture around data privacy. But we don't have such a long history on data protection," said Mr Tan, who is also managing director of cyber-security firm Epic Cybersecurity.

Group-IB had scanned the four most commonly used database management systems globally. It found that some databases could be publicly accessed without even needing a username and password.

In other cases, the databases might be protected by passwords. But Mr Bobak said passwords alone are not enough as they can be breached using lists of stolen passwords or simply with "brute force" - using software to guess the passwords by trial and error.

In Singapore, the number of exposed databases found grew from 1,239 in the first quarter of last year to 5,882 in the fourth quarter.

Mr Bobak said that as more organisations go ahead with their digital transformation plans, there will be more and more Internet-facing services and devices every day. "Corporate networks keep getting more complex and extended. This leads to an increase in the total number of misconfigured databases."

The main cause of databases not being configured properly here is likely human error and a failure to follow cyber-security practices.

"IT infrastructure is growing in both size and complexity for businesses in virtually all industries, so it's challenging to make sure everything is properly configured and secured," said Mr Bobak.

In Singapore, the average time it took to patch an exposed database in the first quarter of 2021 was 160 days. It was between 125 and 135 days for the next three quarters.

Mr Bobak said the variations in time needed to fix databases here could be partly due to the accelerating pace of digitalisation, which could mean firms had more assets to manage. Cyber-security teams may also be facing skill shortages and limited budgets.

But the talent shortage here might not be as great as in other countries. AiSP's Mr Tan said that there is one certified information security professional for every 2,000 people in Singapore.

In comparison, for Australia, another advanced digital economy, there is one such professional for every 8,000 people.