COI Report – Part VII Page 225 of 425

35.3 Key considerations for recommendations

678. In drawing up the recommendations, we agree with the Solicitor-General that these should be guided by the following key considerations:

a) First, in the current landscape, it must be acknowledged that attackers are increasingly sophisticated and will find a way to breach your network. While this means that one should adopt an assume breach mindset, it does not mean sitting back and waiting to be attacked. Instead, organisations, and in particular those responsible for large databases of personal data, must adopt a “defence-in-depth” strategy. This involves (i) arming themselves with sophisticated security systems and solutions which can facilitate early and accurate detection, e.g. by adopting emerging technologies such as database activity monitoring (“DAM”), endpoint detection and response (“EDR”), managed EDR (“MDR”), NetFlow analysis and advanced behaviour-based analytics; and (ii) complementing such security systems and solutions with the right people and processes, e.g. having dedicated and trained IT security personnel reporting to the right level within the organisation, engaging external expertise as required and having staff that have the right levels of cybersecurity awareness.

b) Second, at a practical level, the push towards a defence-in-depth strategy will no doubt be met with challenges given the current cybersecurity maturity levels in many organisations and the trade-offs that will need to be made vis-à-vis operational requirements and costs. Hence, we acknowledge that the transition to a defence-in-depth strategy cannot happen overnight. However, even during the transition phase, there must be prioritised efforts to adopt certain strategic and operational measures to uplift security immediately – these measures are discussed below in the specific context of IHiS and SingHealth. In addition, it is an important priority that even during the transition