COI Report – Part VII Page 272 of 425

(i) IT security updates are shared with IHiS staff through a Chief Information Security Officer (“CISO”) blog created by Kim Chuan;

(ii) CSG sends out weekly email blasts sharing the latest news in IT industry security trends;

(iii) Email blasts to inform IHiS staff of security policies and responsibilities, as well as to alert staff of security vulnerabilities; and

(iv) Provision of IT security information on the IHiS intranet.

790. However, these efforts failed to equip IHiS staff, in particular the SMD, to respond effectively to the Cyber Attack.

791. Current efforts at increasing cybersecurity awareness by SingHealth and IHiS have focused on employee on-boarding, and periodic dissemination of cybersecurity best practices via various channels, as highlighted above. Although the existing measures reflect effort and good intentions on the part of management, it is telling that, at least in the area of creating awareness about the risks of phishing, a disturbing number of SingHealth staff fell prey to the phishing emails twice or more.

792. Aside from the phishing exercises conducted on SingHealth staff, there was no way to assess if IHiS and SingHealth staff absorbed and understood the cyber hygiene habits required of them. The bare efforts by IHiS, in relation to their own staff in particular, were not operationalised in a manner that ensured that information disseminated was in fact even read by any of the staff.

793. The Cyber Attack has demonstrated that it only takes one employee to trigger a potentially disastrous cyber incident. In order to ensure that each and every member of staff is educated sufficiently to identify and report cyber incidents, current efforts in SingHealth and IHiS must be improved upon.