The Singapore government’s Committee of Inquiry (COI) that looked into the unprecedented cyber attack on SingHealth’s IT systems released a public report this week, detailing security lapses leading to the incident as well as recommendations to improve the public healthcare group’s cyber defences.
Although made in the aftermath of the attack and tailored to the operational environment of SingHealth, the recommendations included in the 425-page report equally apply to any organisation looking to shore up its cyber hygiene.
These include viewing cyber security as a risk management issue and not just a technical one, plugging security gaps in the network and end-point devices, enhancing employee awareness of cyber security, securing privileged accounts and boosting incident response processes.
Now, anyone in cyber security would appreciate the COI’s recommendations, but it is widely known that many organisations do not always adhere to them for various reasons, whether it is complacency on the part of management and cyber security teams, or the lack of resources.
In SingHealth’s case, it was a combination of factors – including the startling fact that a non-IT staff member was tasked with managing the compromised server – that gave the perpetrators leeway to execute the typical cyber kill chain: infecting a PC with malware via spear phishing, establishing connections with C2 servers, and moving laterally across the network before exfiltrating data.
While what happened to SingHealth was unfortunate, the incident – and the COI report – serves as a stark reminder for organisations to take cyber security more seriously, and to avoid the fallacy that it could never happen to them. Remember, it takes just one loophole or oversight for an attacker to breach a system.