


Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 315 of 425

[p]roper training and a solid exercise program would have ensured personnel knew and understood their roles and responsibilities in helping to prevent the Cyber Attack on SingHealth.” Gen. Alexander’s conclusion was buttressed by other experts. Dr Lim testified that exercises are vital to training, help to strengthen SOPs, and ensure that staff do not just “go through the motions”. Vivek also recommended that everyone participate in exercises that simulate real-life scenarios, so that they are able to respond in the event of an incident.
917. Evidence has been led that IHiS was involved in three TTXes from 2016 to 2018. However, a review of the list of participants for the exercises conducted in 2016 and 2017 reveals that only staff from CSG, SMD, and Cluster management, including Cluster CIOs and Cluster ISOs, attended the exercises. It is telling that line operational IT staff were not involved, even though they would, in many instances, be the first responders involved in identifying, detecting and responding to a cyber attack. Responding to a security breach involves more than the people in charge of cybersecurity. As stated by Dr Lim, cybersecurity involves all staff in an organisation, because the impact of a cyber attack affects the whole organisation. Technical staff are usually the first to spring into action following an incident as they seek to identify the problem, assess damage and start remediation. It is therefore essential for them to be involved in exercises, for the response plans and procedures to be ingrained in them.
918. Running real-world drills beyond tabletop is also a good way to test an incident response plan. In the context of IHiS, this would have allowed the SIRT and senior management to go through the full process of responding to and managing an attack. For example, a third-party vendor can be hired to oversee running the drill, to avoid internal bias, and provide a report that can be used for later assessment.
919. Testing incident response processes should also involve senior management and even members of the board of directors. This is a basic requirement of corporate risk management. Senior executives and board members should be prepared to respond to major crises caused by cyber attacks,


