Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
38.2 A Security Awareness Programme should be implemented to reduce organisational risk

794. Providing security awareness training is a reliable way to reduce the insider threat and alter user behaviours. However, current efforts at creating security awareness must be improved in line with best practices.

795. It is recommended that a security awareness programme for all staff be implemented, which must be completed on a regular basis, to ensure they understand and exhibit the necessary behaviours and skills to help ensure the security of the organisation. This is in line with best practice standards set out in the Center for Internet Security (“CIS”) Controls.63

796. A comprehensive security awareness programme would educate staff not only on how to identify a cyber incident (by educating them on what to look for in a cyber incident and what the threats are), but also on how to react in case of a cyber incident (e.g. by reporting it). The understanding in this day and age must be that incidents can and will occur frequently, and it is therefore critical that all staff, at all levels, know how to react. One means by which to then assess staff understanding of this information is to implement an online questionnaire testing the staff’s ability to recognise indicators of a cyber attack, and their awareness of reporting lines and procedures.

797. The training must express the idea that cybersecurity is everyone’s responsibility, not just the IT department’s. Staff across all domain areas, not just those in the security team, must be trained in cybersecurity detection and response. Vivek’s expert opinion is that the training could be a two-day programme, where staff are sensitised to how cyber attacks have evolved, how attacks play out, the modus operandi of cyber attackers today, and the kind of weaknesses that may be exploited by an attacker. In addition to that, TTXes and

63 CIS Controls Version 7 at sub-control 17.3.