First published on todayonline.com on 23 Feb 2019.

Collaboration between governments, educational institutions, professional bodies and enterprises is needed, but companies and individuals can also take action to protect data and develop cyberawareness.

SINGAPORE: In most offices across the island, it is a common sight to see employees not taking fire drills as seriously as they should, with some even lamenting that these are a waste of time.

This, despite the fact that fires are a very real threat and could have disastrous consequences in high-rise office buildings.

The same could be said for cybersecurity and all the training and policies that companies try to put in place, said Mr Erman Tan, president of the Singapore Human Resources Institute (SHRI), who used the analogy to explain the challenges that firms face in getting their staff to take cybersecurity seriously.

“People will think: ‘Why do we have fire drills when we never encounter fires?’ It’s the same for cybersecurity. People will always feel it will never happen to them, or it will never happen to their company.”

While Singapore has some of the best infrastructure, technologies and legislation in place to deal with cyberthreats, it is no coincidence that the human factor — long seen as the weakest link in the chain, or the first line of defence — contributed to some of the recent data breaches which made headlines here.

In June last year, Singapore suffered its worst-ever cyberattack, in which hackers broke into SingHealth’s IT systems to steal the data of 1.5 million patients and records of the outpatient medication given to Prime Minister Lee Hsien Loong.

A Committee of Inquiry (COI) found that the breach was a result of lapses by employees who ignored warning signs of a potential breach, and of vulnerabilities in the system.

For example, an IHiS employee was singled out for misunderstanding what constituted a security incident and failing to comply with incident reporting processes. A senior manager of IHiS’ security management department was also reluctant to raise the alarm to his superiors despite knowing about suspicious logins to the patient database, for fear of working “non-stop” to “deliver answers” to top management.
