These were among the basic failings that opened the door to Singapore’s worst data breach, according to the public report by a high-level panel tasked to probe last June’s cyber attack on SingHealth.
And such lax cyber-security practices were no match for the sophisticated cyber attackers, believed to be state-linked. In fact, the Singapore authorities contacted foreign law enforcement agencies for information on the users behind servers linked to the attack.
The 453-page report also offers 16 recommendations – seven of them classified as “priority” – to shore up defense at organizations responsible for critical information infrastructure (CII) systems.
Among other things, CII owners including SingHealth must set rules, to be reviewed at least once a year, to protect their systems against cyber-security threats.
All administrators must use two-factor authentication, and the use of passphrase instead of passwords should be considered. The industry and the Government should also share threat intelligence.
One key recommendation is that SingHealth appoint its own cyber-security “risk man” rather than rely solely on its IT management vendor, Integrated Health Information Systems (IHiS), for such oversight.
At present, all the domain expertise and resources to detect and manage cyber-security risks lie with IHiS, which the Committee of Inquiry (COI) said is “difficult to sustain” in the long run.