Professional Documents
Culture Documents
February 2019
Table of Contents
1. Introduction 3
3. PwC’s perspectives 6
5. Conclusion 10
2
Introduction
A cyberattack of unprecedented scale and Here is our summary of the key takeaways from
sophistication in Singapore was carried out on the COI’s Report, our perspectives and
Singapore Health Services Private Limited recommendations on the immediate actions that
(SingHealth) in June-July 2018. In what is touted organisations should take to lever up their cyber
as Singapore’s worst ever cyber data breach, defence based on the lessons learnt from the
hackers exfiltrated personal data and medication SingHealth incident.
records of 1.5 million citizens, including that of
Prime Minister Lee Hsien Loong.
3
COI Report on
SingHealth cyberattack
Employees did not have adequate levels of cybersecurity awareness, training, and
resources to appreciate the security implications of their findings and to respond
effectively to the attack.
Employees holding key roles in IT security incident response and reporting failed to
take appropriate, effective, or timely action, resulting in missed opportunities to
prevent the stealing and ex-filtrating of data in the attack.
The attacker was a skilled and sophisticated actor bearing the characteristics of an
Advanced Persistent Threat group.
While cyber defences will never be impregnable, and it may be difficult to prevent
an Advanced Persistent Threat from breaching the perimeter of the network, the
success of the attacker in obtaining and exfiltrating the data was not inevitable.
4
COI Report on
SingHealth cyberattack
16 Key recommendations
People Process
5
PwC’s perspectives
1
A zero-day vulnerability is a vulnerability in a system or device that has been
disclosed but is not yet patched
6
PwC’s perspectives
7
Our recommendations:
Immediate cyber defence action plan
The five key findings and sixteen recommendations In order to cultivate strong security culture, buy-in at
can be useful reference points for organisations and the highest organisational level is essential. Senior
companies in Singapore. Organisations should management needs to recognise and believe in the
always adopt a holistic, comprehensive and long- criticality of cyber security and act as champions of
term approach to protect themselves from cyber cyber security. The strategy should involve actions
threats. However, there are immediate actions that by senior management to demonstrate their
can be taken to quickly strengthen your commitment and emphasis in this area so as to
organisations' cyber defences. positively influence their employees’ behavior
toward cybersecurity.
8
Our recommendations:
Immediate cyber defence action plan
In the current landscape, it is acknowledged that The speed of detection and effectiveness of your
attackers are increasingly sophisticated and will find response to any cyber breach will be the key
a way to breach your network. The security mindset determining factor of how much damage your
will require a shift towards accepting that breaches organisation will suffer.
are inevitable, and increasing focus on active
monitoring of your networks to detect intrusions. To Process - There are many incident response plan
heighten your overall situational awareness of the templates, workflows, playbooks and best practices
threats, you should invest in both technology and available for reference. In fact, many organisations
people. should already have their own incident response
plan. However, from our experience, organisations
Technology - “The pace of cyber development is that exercise their cyber response drill regularly
like the pace of computer development. Basically a make much faster and better decisions during the
computer generation is one and a half years. With crisis time and therefore manage cyber incidents
cyber, it’s even less. Every year to a year and a much more effectively. A well-conducted cyber
half, comes a new generation of cyber techniques,” response drill is an effective way to raise
Prof. Yitzak Ben-Israel, Chairman Israel Space employees’ cyber security awareness as well as to
Agency and Israel National Council for R&D told train people on their decision making capability
Times of Israel in an interview on 22 June 2017. under pressure, which is critical for handling any
cyber incident. The drills should be conducted not
The security solutions that have been implemented just within the IT Security team, but also at some
will continue to be useful. However, as the attackers stages involve all other stakeholders in the risk
evolve their techniques and tools, your cyber management team, crisis management team and
security defences should not remain static. There senior management team. A drill could be carried
will always be emerging technological solutions that out in multiple forms, from a table top exercise to a
are effective against evolving threats and will be cyber range workshop to a red team/advisory
complementary to your existing portfolio of security simulation on the organisation. Depending on the
solutions. It will be worthwhile to be updated organisation’s resource, we recommend to use a
regularly on and take a deeper look at promising combination of different drill forms to ensure
technologies, and consider how they can be effectiveness and sustainability.
implemented to bring your security defences to the
next level.
9
Conclusion
Attacks of greater sophistication and by actors with If you have any queries, please do not hesitate
greater resources will happen, or are already on- to call your usual PwC contacts or any of the
going. Singapore’s digitisation efforts through the following PwC subject matter experts:
SMART Nation initiatives will greatly benefit the
population and economy, but will also increase the
Tan Shong Ye
surface area that attackers can target.
Digital Trust Leader
The onus is on leaders of every organisation to be shong.ye.tan@sg.pwc.com
cognisant of the ever-changing cyber threats, take
ownership of the strategy to address the risks and Jimmy Sng
Partner, Cybersecurity
personally lead the effort to protect your
jimmy.sng@sg.pwc.com
organisation.
Freddy Wee
Partner, Cybersecurity and Privacy
freddy.wee@sg.pwc.com
© 2019 PricewaterhouseCoopers Risk Services Pte. Ltd. All rights reserved. PwC refers to the PricewaterhouseCoopers Risk Services Pte. Ltd. member
firm and may sometimes refer to the PwC network. Each member firm is a separate legal entity. This content is for general information purposes only and
should not be used as a substitute for consultation with professional advisors.
10