Increase in the number of reported data incidents within the government, most due to human error: SNDGO




SINGAPORE: More data incidents have been reported within the government, the Smart Nation and Digital Government Office (SNDGO) said in a statement on Wednesday (November 11).

A total of 75 data incidents were reported in fiscal year (FY) 2019, an increase of 47 percent from 51 incidents in fiscal year 2018. 37 incidents were reported in the first half of fiscal year 2020 through 30 September, similar to the same period in the previous year.

Most of the reported incidents were due to human error, SNDGO said, including the inadvertent emailing of sensitive data to the wrong recipients and the loss of IT equipment containing sensitive data.

Another main cause of the incidents was the failure to follow processes in place to protect data, SNDGO said, including the implementation of software that contains bugs to save time, which could have led to a breach.

“Most of the incidents were assessed to have no significant impact on the agency or affected individuals, as protective measures had been implemented to mitigate the risk of data breaches,” it said.

“For example, lost IT equipment was encrypted; the confidential data contained in it would not be usable by unauthorized users trying to extract data from these devices.”


This comes as SNDGO said it has implemented 18 of the 24 key initiatives recommended by the Public Sector Data Review Committee in the findings published in November last year.

The committee, which inspected 336 systems in 94 public sector agencies, found that about three-quarters of the agencies had at least one finding of non-compliance with a government manual on data policies and standards.

The initiatives implemented include improving audit and third-party management frameworks, improving processes to respond to data incidents in a timely manner, and strengthening accountability for data security at all levels.

“We are on track to implement the remaining technical measures as planned: 80 percent of systems will be covered by the end of 2021 and all systems by the end of 2023,” SNDGO said.

These measures include tools that prevent the loss of confidential data in government systems and devices and automate user account management to ensure regular and timely reviews of access to IT systems that contain sensitive data.

INCREASE IN REPORTED DATA INCIDENTS IN LINE WITH GLOBAL TRENDS

SNDGO said the increase in reported incidents was “in tandem” with trends observed in the private sector and globally, which have seen a “general increase” in data incidents.

“The increase in the number of reported data incidents can be attributed in part to increased awareness, vigilance and a better understanding among public officials of what constitutes a data incident,” it added.

“Public officials regularly participate in data security measures to build a culture of learning and greater awareness.”


SNDGO said the government will continue to invest in technical tools as the first line of defense against data compromise.

This includes a government-wide Data Loss Prevention (DLP) program, which will be integrated into ICT systems and user devices, and will be completed by the end of next year.

An ICT system comprises hardware, software, data, and the people who use them.

The DLP program will address common causes of data incidents in the public sector, such as the inadvertent transfer of documents containing sensitive data during bulk data transfers.

It will use a combination of technical and process controls to detect risky user actions that may result in data loss and guide users to take appropriate actions.

For example, when a public official attempts to extract confidential data from his work laptop using authorized storage media, the DLP tool will highlight this risky activity and require the official to confirm the action before proceeding.

MORE MUST BE DONE TO ADDRESS HUMAN ERROR

However, SNDGO said in its update on the government’s personal data protection efforts this year that “more must also be done to address the root cause of human error.”

“While the policies and processes on handling confidential data are generally robust, many of the data incidents occurred because officers did not follow these established procedures and protocols,” it said.

“The agents responsible for these data incidents had been duly sanctioned, with punitive measures that ranged from counseling and formal reprimands to financial sanctions.”

Update on government data protection efforts

The risk of data incidents cannot be completely eliminated, SNDGO said. (Infographic: SNDGO)

In an unintentional data disclosure incident that took place from June to October 2019, officials and supervisors of the Singapore Accounting Commission (SAC) were sanctioned by formal warning letters or financial penalties of up to half a month’s salary.

A SAC official had unknowingly attached a file containing the personal information of 6,541 people, including contact details and test results, in emails that were sent to 41 people in 22 organizations, SNDGO said.

An email data protection tool implemented in October 2019 had alerted the sender that the email contained sensitive data.

“SAC immediately rectified the error and prevented further unauthorized disclosure of the data,” the SNDGO report said.

“The SAC also convened a committee to investigate the incident and make recommendations to improve the organization’s personal data protection practices.”

INSUFFICIENT DISCIPLINARY ACTIONS

Despite that, SNDGO said in its report that disciplinary actions were not enough, adding that it was necessary to ensure that public officials better understand the importance of data security.

Next year, the Government will intensify efforts to increase awareness and knowledge of data security among public officials, including launching “more intensive” campaigns to engage officials in data security and sharing lessons learned from past data incidents in newsletters and workshops.

“Beginning in 2021, the Government will conduct regular ICT and data incident management exercises for public agencies and public officials to practice and improve their incident management processes,” SNDGO said.

“These are the first steps in instilling a culture of excellence in the secure sharing and use of data, which will require sustained efforts over many years at all levels of the organization.”
