The proliferation of cyberattacks and data breaches: five practices organizations should put into action

With the enactment of the Personal Data Protection Act (PDPA) and the Computer Misuse and Cybersecurity Act (CMCA), Singapore businesses face greater pressure to ensure data protection. Cyberattacks were estimated to cost the global economy US$450 billion in 2016, and over US$2 trillion by 2019, quadrupling in three years! Although many organisations are already investing in cybersecurity and taking measures to protect data, these alone are not adequate.

Subverting the traditional priority list, business customers and end-users are demanding better cybersecurity and data protection when selecting product and service vendors. They expect to be explicitly informed, and to have it explained to them, how their data are properly safeguarded. According to Gemalto’s 2016 global survey, almost 70 per cent of customers agree businesses are most responsible for protecting these data, but more worryingly, the same people also believe these businesses do not take data protection seriously. This begs the question: are businesses working hard to protect customers’ data and accurately relaying this message to the customers?

To bridge the understanding between the two parties, here are five steps that businesses should already be taking to protect their own and customers’ data.

1. Dig deep to know your data

Chinese philosopher Sun Tzu spoke about knowing your enemy and knowing yourself. Businesses need to understand what they’re dealing with in order to protect themselves. Start with a data sweep to comprehend all the data that the business has produced and collected, as well as where the data are housed and discarded. Businesses are responsible for safeguarding personally identifiable information including names, contact numbers, email addresses, and credit cards. In Singapore, they are expected to completely destroy personal data once there is no longer a purpose for their use, or be liable to legal action.

2. Two-factor authentication is the way to go

The next step is to employ two-factor authentication (2FA), providing an extra layer of security should user IDs or passwords become compromised. Financial institutions and banks, which deal with huge monetary transactions, are readily using physical tokens and SMS technology to authenticate transactions for their customers. Singapore banks such as DBS and UOB have ditched physical tokens, switching to digital tokens and biometrics, and improving the mobile and internet banking experience for millions of their customers. Secured applications can only be accessed by one person, on one device alone. Cybercriminals will not be able to use lost or stolen devices to log in with other credentials.

3. Let’s encrypt everything

The third step is to safeguard data from intruders via encryption, protecting the confidentiality of stored digital data and ensuring access is provided only to authorized parties. Businesses should start by identifying their most sensitive assets, understanding what their valuable data are and where they reside, before going ahead with encryption. Encryption applies protection directly to the data, ensuring the information remains secure wherever it resides, even in the event of a perimeter breach. This will help prevent disruption to your business flow.

4. Secure! Secure those breaches!

Businesses need to make a distinction between defending against cyberattacks (which involves using security software, establishing perimeter controls, etc.) and making their data “secure”. Hackers will continue to mount cyberattacks for as long as the internet exists, but their endgame remains to steal data. This makes data encryption an indispensable step of a business’ holistic security strategy.

With everything considered, organizations that have installed security software will still be left helpless if their systems are successfully penetrated by cyberattacks. However, they now have a choice: to render important and sensitive data unreadable to the hackers. These breaches are termed “secure breaches”. Secure breaches come with a number of benefits, such as lowering the risk of compromising user information, giving companies more time to contain the breach, and triggering an alert requesting their users to take further preventive measures, fitting into an organization’s broader incident response plan.

Gemalto’s 2016 Breach Level Index revealed that only 4.2 per cent of worldwide breaches were “secure breaches”, a small uptick from 4 per cent in 2015. We are optimistic and see great potential for organizations to adopt the concept of secure breach to beef up their security.

5. Educate your staff and customers

Our last piece of advice is to make cybersecurity an integral part of the workplace culture. Organizations need to instill in their employees an understanding of their critical role in helping to protect everybody’s data; this means making security a collaborative and continuous cultural initiative. No doubt it will take some time to implement such changes effectively across all levels; over time, however, these cultural shifts will be significantly advantageous in bolstering a company’s data protection practices.

 

Alex Tay Yen Shih, ASEAN Head Enterprise & Cybersecurity, Gemalto