Taking part in a recent roundtable organised by iTnews Asia and Securonix, on Managing risk and compliance in the face of emerging insider threats, Securonix’s Asia Pacific and Japan VP of sales, Neil Campbell, said cybersecurity was not just about being “perfect all the time”.
Rather it was about having the appropriate controls, to “manage your risk to a level that's acceptable to you,” he said.
Campbell noted that the financial services sector, as well as healthcare, was the two “most highly regulated” industries in the world, and with reason, because they handled extremely confidential data.
Because of this, “there are compliance obligations for both industries and (in the case of the financial sector) the Monetary Authority of Singapore (MAS) was one of the strictest regulatory bodies in the world,” he said.
Campbell noted healthcare was also “ferociously regulated” and “appropriately so as there is some really sensitive information” at risk.
However, he said healthcare “traditionally does not have the resource that is available to the finance sector to go beyond the minimum compliance requirements or even sometimes get to the compliance and try to manage risk to their satisfaction”.
He made another important point.
Campbell stressed that compliance does not always equate to being secure “and the concept of what constitutes ‘secure’ was unique to all organisations”.
National University Health Systems (NUHS) Group CISO, Winston Chew, said both the finance and healthcare sectors "have to constantly fend off" external hackers as well as look out for insider threats.
Chew said that from an information security perspective, for both industries, it is a challenge not only to fend off external threats but also insider attacks from employees “who have been granted access to sensitive data”.
Narrating an incident from the banking sector, Chew said the bank discovered that some employees, who had access to sensitive customer data as a requirement for their jobs, were misusing their access privileges.
They were accessing the bank’s database of wealthy clients and calling them up to make potential property sales in their personal capacity, he said.
“With all the cybersecurity and compliance tools in hand, the bank could not detect this and only came to know about it when a complaint was registered by one of the customers,” Chew said.
He, however, noted that not all internal data breaches, particularly in the healthcare sector, happen due to malicious intent.
“There have been incidents where employees have unknowingly shared data with people who were not authorised to have access to the data”, he said.
The added challenge for the healthcare sector was that not only does it have to protect sensitive patient data but also the “integrity and availability of the data”, he said.
Chew noted that hospitals have to protect operation theatre (OT) systems because most medical equipment was online and if they were hit by malware they “could stop functioning in the middle of an operation”.
The NUHS CISO added that while a breach in a bank could result in the loss of customer money and confidential data, in the healthcare sector it could also jeopardise the health of patients.
To the point made by Campbell, Chew reiterated that, from a business perspective, managing risk was the key.
“But does that mean compliance is complete garbage that you should throw out of the window?
“I would think not because compliance is really saying that these are the policies, these are the basic fundamental requirements.
“And if you look at the basic fundamental requirements, these are really things that you should be doing as part of cyber hygiene in the first place,” Chew said.
Recalling the early days of cybersecurity in Singapore’s healthcare industry, Chong Yoke Sin, Managing Partner, iGlobe Partners and the immediate past president of the Singapore Computer Society (SCS), noted over the years and after many incidents, the healthcare sector in Singapore has developed security protocols to safeguard systems and data.
For example, she said, thumb drives, as a general rule, are not allowed to be plugged into the network.
To a question on whether more money equals better security, she said money does offer the chance to get the right people for cybersecurity and allow for the skills up-gradation of existing staff.
Chong who is a former CEO of Singapore’s Integrated Health Information Systems (IHIS), added that getting more money for cybersecurity was usually a “huge process” for the healthcare sector.
“How much money is good for cybersecurity is also a question; we don’t have rules of thumb, is 10 percent (of the total IT budget) good, or should it be 15 percent and what is good for resiliency, that is the money you put aside for your back-ups and data centre, alternative data centre?” Chong said.
She added that from a cybersecurity perspective it was important to know “where to put your moat in your network, you can’t have a moat everywhere because it would be like using a sledgehammer to solve the problem”.
“It’s really always a balance between what I call conformance and performance… Conformance meets all the rules required for cybersecurity and performance means utility that is you cannot hamper your people so much so that it detracts them from wanting to use the systems,” she said.
Importance of culture
Chong added that the culture of an organisation was important in cybersecurity.
“Cybersecurity could lead to a culture of suspicion, where you suspect everybody and so if anything happens you would basically kill the person, that is one extreme but that would actually confound the entire culture of collaboration, which you want to flourish in your organisation,” she said.
You have to trust your people to do the right thing and also give them the “safe harbour”, to do the right thing, and to say the right things, if something happens, she said.
Adding on to what Chong said Campbell observed that from a cybersecurity perspective it was important to understand end-users and help them to grasp things that they may not understand without assistance.
“Then you can plan because you now know what your current state is and you know where the risks are, and then you can act,” Campbell added.
Singapore’s Mount Alvernia Hospital’s CEO, James Lam, noted that organised healthcare started in Singapore many decades ago and it is in a “good space” and young doctors “that are coming out of restructured hospitals” are not used to holding a pen and everything is online.
At the same time, Lam observed, that while the awareness about cybersecurity risks is quite high, “the struggle with cybersecurity is like climbing a mountain that keeps going up”.
Continuing with the analogy he added that the nearer you go to the peak, the “more money you have to spend”.
Lam noted that while cybersecurity was a basic necessity, it was not just the responsibility of the IT department.
Everybody needs to play a role and keep watch of where a potential breach can occur and for this reason, it is as much a mindset issue as it is an IT issue, he said.
Veteran technology entrepreneur, Eddie Chau noted the importance of setting national standards in cybersecurity to ensure a baseline.
In this regard Chau talked about Singapore’s Data Protection Trustmark (DPTM) scheme which is an enterprise-wide certification for organisations to demonstrate accountable data protection practices.
Chau added that going back to the fundamentals of data security was important.
Sharing his thoughts, Ken Soh, honorary treasurer of industry body SGTech’s cyber security chapter, said that while never welcome, sometimes known external attacks such as phishing are easier to handle for companies than insidious insider threats.
Soh, who is also the founding CEO of Athena Dynamics and CIO BH Global Corporation, said insider threats have the potential to cause much more persistent and complex problems.
Alibaba Group's Director, Head of Global Public Policy, Royce Wee, said compliance with laws and regulations was a bare minimum as it merely represented a corporation's license to operate in its jurisdiction.
Wee, who is also SGTech’s digital trust committee Exco, said It was more important to develop digital trust, which he said can be cultivated by:
- Understanding and meeting regulatory concerns, objectives and priorities;
- Being transparent with auditable/verifiable policies, practices and standards;
- Providing genuine choice/options to end-users; and
- Demonstrating beneficence and value to customers.
Glenn Wray, also from SGTech, spoke about the digital trust project that the organisation had embarked on to define digital trust and its components, and how digital trust could create new opportunities and strengths for Singapore and its ecosystem of corporations and workers.
The general consensus at the roundtable was on the importance of an organisation’s culture, standards in cyber hygiene and also the need to have the right policies, technology and talent to be able to identify and mitigate security threats.
While stressing the importance of adequacy of cybersecurity budgets, all the participants also agreed that cybersecurity was a never-ending race against an evolving set of insidious, persistent and advanced threats that could attack both from within an organisation as well as from outside.