Burden of data protection rests on firms and governments

The onus is on companies and government agencies to ensure that data breaches are taken seriously, according to a senior executive at Singapore’s national cyber security agency.

“History has shown that leaving the industry to self-regulate does not work,” said Ng Hoo Ming, deputy chief executive of operations at the Cyber Security Agency of Singapore, at the recent RSA Conference Asia-Pacific and Japan.

This was seen with the Facebook-Cambridge Analytica data scandal, where Facebook’s CEO and COO have publicly apologised and pledged to work with regulators regarding the alleged harvesting and use of personal data, he added.

In his keynote address, Ng stressed the importance of sound corporate data governance and regulations, such as the European Union’s (EU’s) General Data Protection Regulation (GDPR), in raising the cyber security bar of organisations.

In Singapore, there is a move to toughen breach reporting rules under the Personal Data Protection Act (PDPA), based on the results of a public consultation.

Ng noted that data breaches can erode public trust in digital services. For example, it was discovered late last year that Uber had covered up a massive breach involving the personal information of about 57 million individuals, of which 380,000 were Singaporeans.

While implementing cyber security safeguards are important, breaches should not derail Singapore’s plans for a smart nation, Ng said, referring to the country’s largest data breach where demographic data of some 1.5 million patients in a SingHealth health database was compromised.

Separately, Singapore’s Securities Investors Association informed its members on 25 July that the personal data of some 70,000 members were stolen five years ago.

Ng said the push for efficiency and convenience should not come at the expense of data protection or cyber security. “There must be no trade-off between the two; we must strive for both just as much.”

In another conference keynote, Rohit Ghai, president at cyber security firm RSA, offered a more positive outlook on the current state of cyber security.

“Cyber security is getting better, not worse, even as cyber security has come to the end of the silver bullet fantasy, where we’re no longer lusting after the latest in gizmos,” Ghai said.

Instead, Ghai sees a new focus on managing risk through business-centric security, where organisations aim to stay in the “Goldilocks zone of risk” between “recklessness and complacency”.

In a separate media roundtable discussion, a group of industry experts noted that the shortage of cyber security skillsets has resulted in firms casting their nets wider in search of talent.

Organisations recognise that “cyber security is a multifaceted problem that can’t be addressed through a single skillset”, said Zulfikar Ramzan, CTO at RSA. “The reality is…there is a mismatch in terms of the skills taught in universities and schools, and what is needed in the real world.”

This shortage has forced organisations to be more creative in their search for cyber security talent, sometimes seeking out potential candidates in unexpected places.

Although some candidates may not have the relevant IT background, with the “right attitude and aptitude, you can invest in them and retrain them”, said Narelle Devine, chief information security officer at the Australian government’s department of human services.

In fact, cyber security personnel with diverse backgrounds can bring different skills and approaches, said Magda Lilia Chelly, managing director at Responsible Cyber, a cyber security training provider.

The cyber security teams of today may be made up of an unexpected assortment of skillsets that range from technical to psychology and legal, she added.