By Prethiba Esvary
Last year, approximately 1.5 million patients’ non-medical records were stolen from the SingHealth (a group of healthcare institutions in Singapore) database. About 160,000 patient’s medical records — including that of the currentSingapore Prime Minister Lee Hsien Loong’s —were accessed illegally. This is one example of a huge case of data breach.
Remember the CIMB Clicks password issue that took place last year? People claimed that they could log in despite adding a few invalid characters after the required 8-character
password. Then there was the issue of fraudulent debit card transactions. Several CIMB customers complained that there were unauthorised Paypal transactions made via their debit cards.
Our question is how can hackers get access to what you would think are high-security systems? Was this a human error or simply due to the absence of a robust security system?
THE FACTS
A study by Frost & Sullivan revealed that Malaysia is looking at a possible loss of USD12.2 billion (approx. RM50.7billion) due to cybersecurity attacks. Frost & Sullivan Asia Pacific Marketing VP Saipan Agarwal said, “Cybersecurity attacks have resulted in job losses across different functions in three out of five organisations that have experienced cyber incidents over the last 12 months.”
In reference to the SingHealth database hack, Associate Director of LGMS CK Fow said that most of the time, cybersecurity attacks are due to human error and they usually come from within the organisation.
Organisations tend to place more importance on back-end security (servers, firewalls, intrusion prevention systems), he added. “They may forget the most important part,
which is the front-end security, such as end-user computers,” he said.
With regards to the CIMB Clicks password issue, the bank said they have beefed up their security by accommodating passwords of 8 to 20 characters in length and by adding reCaptcha. As to the fraudulent transactions, CIMB confirmed in a public FAQ released
that this matter was separate from CIMB Clicks. A question raised was why wasn’t there an OTP (one-time password) issued to customers to warn them of suspicious transactions?
According to CIMB, “The use of OTP is a policy adopted by ecommerce site owners. Whilst online transactions on Malaysian websites require an OTP (called 3D authentication), many international websites such as Facebook or PayPal do not require an OTP (called Non-3D transactions)”. How can consumers protect themselves in that case?
THE SOLUTION
1) Two-step verification method on Google.
This means that every time you sign into your Google account, you’ll need to put a password and verification code. The code is sent via text message, voice call, or Google’s mobile app. This way, even if hackers somehow got a hold of your password, they can’t log in.
2) Strengthen your CRM platform security
If you’re using a CRM platform, there is the two-factor authentication approach. You can
set this up for every user’s login, log in through API (for developers and client applications)
and also, for access to particular features such as reports and apps.
The second security measure you can take is to include IP range restrictions. This means you will be restricting users to log in only from your company network or a VPN (virtual private network).
Lastly, it would be good to add spam filters and malware protection to your system.
3) Check the website domain
Since hackers are now mimicking other ‘https’ sites, what you can do is to check the domain. Say you have an account on amazon.com. Hackers can easily create a website that looks exactly like amazon.com. But if you look closely, you may see that the domain
is actually amaz0n.com. That’s because no two users can purchase/ have the same domain.
You can also look at the following:
• Company address and phone number – If these aren’t available, then something is not right.
• Prices – If they are incredibly low, something is fishy.
• Return policy – Any reputable site would have a section on product returns and shipment.
• Privacy policy – A legitimate site would have details on how they are using your data and how they are safeguarding it.
4) Check the security settings on ecommerce sites
If you’re a Paypal user, you can enable the ‘Paypal security key’, which acts as a second
authentication factor. So, in addition to keying in your password, you would have to key in a security code/ OTP which will be sent to you via SMS.
5) Use a foolproof password
It is understandable why people would use their IC/ birthdays as their go-to password, and that too for EVERY account. It’s easy to remember! But say you lost your entire wallet one day, someone breaks into your home and gets a hold of your bank cards and identification card. They can easily transfer out all the money you have in all your bank accounts.
Secondly, ensure that all your passwords have a combination of numbers, letters, and
special characters. It’ll make it impossible for hackers to guess what your password is.
IN A NUTSHELL
Both human error and a lack of multi-layer security on your front and back-end systems
are the main cause for all of these cyberattacks. With regards to the former, it is crucial that your organisation takes measures to prevent employees from ‘copying databases’ or ‘sensitive data’ and to also put in a place something to detect if and when they have done so. Implementing the right security measures is key!
