How we protect citizen data here at GovTech
Ask people what happens in October, and they won’t think twice before saying Halloween. But as it turns out, October isn’t just about Jack ‘O’ Lanterns and pumpkin spice lattes.
Since 2004, it has also been Cybersecurity Awareness Month.
And here’s the thing. Every year that goes by, the focus on cybersecurity becomes more relevant because our lives are pretty much digital diaries these days.
To mark the occasion, we sat down with Lim Rui Sian, GovTech Cyber Security Engineer, who’s all about making sure our data stays where it should be: safe and secure.
What is the overarching cybersecurity strategy of GovTech when it comes to safeguarding citizen data?
GovTech’s overarching cybersecurity strategy to enhance data security is to govern the management of data in all stages of its lifecycle, support efforts to safely use and exploit data, and encourage effective data management practices. There are data protection policies that provide governance on how personal data is managed in Agencies. Our team ensures that all data that passes through our product is encrypted in all states (at rest and in transit).
What measures are in place to detect and prevent unauthorised access to databases containing citizen information?
Data sharing across the government is a huge opportunity for services to be more streamlined and convenient for the citizens. Compared to just a few years ago, citizens now can access a whole bunch of services at their fingertips. But there are also risks. Our role is to balance the increasing complexity of securing the data and citizen usability. At GovTech, we’ve implemented several measures to detect and prevent unauthourised access to databases containing citizen information.
One such measure is the use of audit logs, which can be exported and retained centrally using the Government on Commercial Cloud (GCC) depending on product requirements. Additionally, we provide agencies with guidelines on proper network segmentation to ensure that databases are not exposed to the internet and that only traffic from restricted sources can access them. These measures help to ensure that citizen information is protected from unauthourised access.
How do you keep your security measures updated to defend against ever-evolving cyber threats?
To defend against ever-evolving cyber threats, we prioritise innovation and agility when creating solutions and security measures. We also stay up to date with the latest security threats and best practices through ongoing education and training for our employees, as well as regular security audits and assessments. Also, we work closely with industry partners and government agencies to stay informed about emerging threats and new security technologies. This allows us to continuously update and improve our security measures to stay ahead of the latest threats.
How is AI or machine learning utilised in your cybersecurity measures, if at all?
Yes, we use AI and machine learning to detect and respond to security threats in real time. This includes using machine learning algorithms to analyse network traffic and identify potential threats, as well as using AI-powered security tools to automate threat detection and response. For example: We use AI to enhance the Government Cybersecurity Operations Centre (GCSOC). We collaborate with key partners and also our partner services – this helps us expose threats quickly and mitigate threats early by initiating automated responses.
What kind of regular audits or assessments does GovTech undergo to ensure cybersecurity compliance?
Products from GovTech are subject to regular security audits and assessments periodically to ensure compliance with industry standards and government regulations. These include scoping the engagements for rigorous penetration tests and vulnerability assessments. In addition, GovTech has a programme to leverage the expertise of the community by encouraging white hats to highlight vulnerabilities in our products. This further strengthens the overall security posture of our software products.
Have you ever had to recover from a security incident, and what lessons were learned that might benefit others?
Not yet! But that’s a scenario we’re prepared for as well. While I have not been involved in a security incident, I believe it is important to have a comprehensive incident response plan in place, including clear communication protocols and a well-defined chain of command. During a security incident, clarity of process and responsibilities will ensure a prompt and effective response. At the product level, there should be a schedule in place for regular testing and updating of security measures. This is important given the pace at which malicious actors update their tactics, techniques, and procedures (TTPs) in today’s context. Hence, timely updates and patching are crucial to ensure they are effective against the latest threats.
What would you say is the weakest link in cybersecurity and how is GovTech addressing this?
Well, to be honest, I believe that the weakest link in cybersecurity is often humans. This can happen via errors such as system misconfigurations or falling for phishing scams. To combat this, GovTech heavily audits software products developed in-house to ensure that there are proper procedures in place for anything that is not already an automatic process.
Additionally, GovTech prioritises education and training for its employees to ensure they are aware of the latest security threats and best practices. Simulated phishing campaigns are also conducted to ensure that public officers are alert and know how to respond in the case of an attack.
Do you have any special considerations for protecting the data of vulnerable populations?
I’ve got something interesting to share – typically, we think of vulnerable populations as the elderly and the young. However, a recent report highlighted that young adults are equally, if not more susceptible to scams where their sensitive personal data is compromised. Hence, I believe that any measures protecting personal data should be encompassing and not specific to any particular segment of the population.
How much of the responsibility for cybersecurity would you say lies with the end user, and what steps can citizens take to better protect their own data when interacting with government services?
We’ve put measures across multiple levels to protect citizen data. However, given that the individual ultimately owns their personal data, end users need to play their part in protecting their own data as well. Citizens can take steps to better protect their data by using strong passwords or passphrases, enabling two-factor authentication, and being cautious when clicking on links or downloading attachments from unknown sources.
In addition, it pays to possess a healthy dose of scepticism in the digital world.