It is no surprise to read, almost on a daily basis, about why data breaches keep happening.
This is despite the media continuously highlighting the perils and reporting on breaches happening worldwide every day.
We therefore hope that it is time the government, in drafting the Digital Economy policy, requires all organisations to conduct a risk assessment and implement measures that match their cybersecurity risk profiles.
Instead of introducing and enforcing a single standard rule, each organisation should be allowed to carry out a risk assessment, use the findings to build its own cybersecurity risk profile, and then put in place a comprehensive cyber resilience framework that recognises and mitigates the risks identified.
A cyber resilience framework should, at a minimum, have the following:
Data protection, encryption, access controls, penetration testing and vulnerability assessments
Multi-factor authentication, or at minimum two-factor authentication (2FA), for all inbound connections
Reporting and accountability: undertaking an annual compliance certification, documenting weaknesses and remediation plans, and reporting to the authorities within a prescribed time frame. Some of our authorities have already issued guidelines on this for different sectors and applications. Hopefully the policy for the Digital Economy will standardise these and set a uniform guideline for reporting.
Alongside the reporting requirement, each organisation should be required to have an incident response plan to detect, respond, recover and preserve data in the event of a breach.
The majority of breaches are due to human error, especially when people handle sensitive information; everyone makes mistakes. In drafting and including cybersecurity in the policy for the Digital Economy, we cannot take humans out of the equation: the users will always be there and will not disappear. The challenge for those drafting the policy is how to ensure organisations add human risk to their risk profiles so that client data and their reputation are protected.
Current and future cyber risks require a new and modern approach, and it is indeed a daunting challenge for all.