complex protection system, ignoring whether this makes work processes for others in the company more complicated or inconvenient. This often creates conflicts between the technical administrators and the non-technical users.
Blocking web browsing on work computers is a good example: it removes one avenue of attack, but at the cost of inconvenience and lost productivity.
Organisations like SingHealth must rethink the idea of placing the key responsibility of cyber security in the hands of technical administrators.
Instead, data users should play a more direct role in data security. They know best who needs access to the data and what it contains, which places them well to be the first line of defence against a breach.
They do not need to be IT or cyber security experts to do so.
Organisations should therefore divide their data users into smaller groups and let each group protect its own data, so that control over who may see and use the data rests with the people who handle it.
To use the analogy of doors: technical administrators continue to guard the “main door”, while each “internal door” is locked by the data users as an additional measure, and the two sides work together to fortify the whole system.
Some local healthcare companies have already adopted such an approach.
Even without technical staff, they encrypt and protect their data using a hardware key device such as a USB token or a Bluetooth token.
Because the key is in the data user’s hands, the user decides what to encrypt according to the company’s needs.
For example, an administrative staff member can choose to encrypt the fields for patients’ names, identity card numbers and dates of birth, while leaving other fields in clear.
Clearly, not every piece of data an organisation handles needs to be encrypted. The organisation should therefore lay out clear guidelines on which information must be secured, and how often, based on the nature of its business and its work processes.
The process is not cumbersome. A two-gigabyte file takes about 20 seconds to encrypt. Encrypting an NRIC number takes only two seconds.
Once encrypted, the data can be stored in the cloud, and it can be shared with external parties provided they hold the same key.
In effect, the organisation limits who can see the data to the holders of that group’s key, as only they can “unlock” it. The corollary is that anyone given a group’s key can read everything encrypted under it, so keys should be issued per group and handed out no more widely than the data itself.
Such technology already exists in the market and is relatively cheap.
For a small clinic with say two doctors and three assistants, the system may cost only a few hundred dollars a year. For larger organisations, which require more sub departments and keys, the cost will also not be prohibitive.
The key is well protected against remote attack because it is held on a separate physical device rather than on an internet-connected computer; it can, however, still be misplaced or destroyed.
For that reason keys are issued in pairs: the second is a “rescue” key that lets the user recover the encrypted data and reset the password if the primary key is lost. The rescue key should be kept in a separate, safe place, since a rescue key stored beside the primary one is lost with it.
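As an added illustration of the field-level, per-group encryption described above (the fields an administrative staff member chooses to protect, a key that only one group of users holds, and a paired rescue key), here is a short Go program. It is not code from Fast and Safe Technology or from any product the article refers to; the page does not describe how that product works internally. The example assumes AES-256-GCM with the field name bound in as authenticated data, one 32-byte key per user group, and a rescue key that simply wraps the group key; the field names, the sample record and the placeholder NRIC are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

type Record map[string]string // one flat patient record, e.g. a row exported from a clinic system
type Policy map[string]bool   // fields the data user chose to protect; all other fields stay in clear

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing OS CSPRNG is not something to recover from here
	}
	return b
}

func NewKey() []byte { return randomBytes(32) } // fresh 256-bit group key: one per "internal door"

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField: AES-256-GCM with the field name as authenticated data, so a ciphertext cannot be moved to another field unnoticed.
func sealField(key []byte, field, value string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := randomBytes(aead.NonceSize())
	ct := aead.Seal(nonce, nonce, []byte(value), []byte(field)) // nonce || ciphertext || tag
	return "enc:" + base64.StdEncoding.EncodeToString(ct), nil
}

// openField reverses sealField; it fails on another group's key or on tampered data.
func openField(key []byte, field, stored string) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(stored, "enc:"))
	if err != nil || len(raw) < aead.NonceSize() {
		return "", fmt.Errorf("field %q: malformed ciphertext", field)
	}
	pt, err := aead.Open(nil, raw[:aead.NonceSize()], raw[aead.NonceSize():], []byte(field))
	if err != nil {
		return "", fmt.Errorf("field %q: wrong key or tampered data", field)
	}
	return string(pt), nil
}

// mapFields applies fn to the policy's fields only and copies the rest unchanged.
func mapFields(pol Policy, rec Record, fn func(f, v string) (string, error)) (Record, error) {
	out := Record{}
	for f, v := range rec {
		if pol[f] {
			nv, err := fn(f, v)
			if err != nil {
				return nil, err
			}
			v = nv
		}
		out[f] = v
	}
	return out, nil
}

// EncryptFields seals the policy's fields under one group's key; DecryptFields is the inverse.
func EncryptFields(key []byte, pol Policy, rec Record) (Record, error) {
	return mapFields(pol, rec, func(f, v string) (string, error) { return sealField(key, f, v) })
}
func DecryptFields(key []byte, pol Policy, rec Record) (Record, error) {
	return mapFields(pol, rec, func(f, v string) (string, error) { return openField(key, f, v) })
}

// WrapKey keeps a group key recoverable under the paired rescue key; UnwrapKey restores it.
func WrapKey(rescueKey, groupKey []byte) (string, error) {
	return sealField(rescueKey, "group-key", string(groupKey))
}
func UnwrapKey(rescueKey []byte, wrapped string) ([]byte, error) {
	k, err := openField(rescueKey, "group-key", wrapped)
	return []byte(k), err
}

func main() {
	rec := Record{"name": "Tan Ah Kow", "nric": "S0000000X", "dob": "1970-01-01", "clinic": "Clinic A"} // constructed; placeholder NRIC
	enc, err := EncryptFields(NewKey(), Policy{"name": true, "nric": true, "dob": true}, rec)
	fmt.Println(enc, err) // name, nric and dob are now "enc:..." strings; clinic stays in clear
}
```

Two points in the design matter for the “internal doors” argument: a record encrypted under one group’s key produces an authentication error, not garbage, when another group tries to open it, and binding the field name into the authenticated data stops a ciphertext from being silently moved from one field to another. Wrapping the group key under the rescue key is what keeps the group’s data recoverable if the working key is lost, which only holds if the two keys are stored apart.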
Such a practice also makes business sense: it is more affordable to let data users within the company safeguard the data than to pay a larger sum to an external service provider.
In the unlikely event of an internal data breach, the suspects are narrowed down to the holders of the relevant group key.
As for external threats, a hacker who gets through the “main door” then finds a series of “locked rooms”, each behind its own smaller “locked door”, and needs more time and effort to break into each one.
Even if some of the smaller “doors” are compromised, the bulk of the data remains safe and the loss is contained to those groups.
A decentralised, user-controlled security system can therefore strengthen cyber security.
This is especially so today, with cloud and blockchain technologies making it feasible for data security to be user-controlled within a cohesive central system.
The notion of decentralised user-controlled security may be a recent concept in the market, and the technology new.
Nevertheless, in order to embrace the new, traditional administrators must be willing to adapt and take the fight back to the hackers.
ABOUT THE AUTHORS:
Desmond Hsu and Jean Chua are respectively Chief Executive and Director of Communications and Corporate Affairs at Fast and Safe Technology.