Singapore faces exposed database risks
Singapore has the dubious honour of ranking No 6 in the world for having the most databases exposed to the Web last year which hackers could easily breach and exploit.
The number of such susceptible databases here was also found to have grown steadily throughout the year with increased digitalisation during the pandemic, according to the study released on Wednesday by cyber-security firm Group-ib.
This suggests that while many organisations went digital during COVID-19, database security might not have kept up.
The United States took top spot with close to 93,700 exposed databases found, followed by China with nearly 54,800. Germany was a distant third with almost 11,200 databases. Sixth-placed Singapore had almost 5,900.
Globally, 308,000 databases detected last year were potentially open to hackers.
This comes at a time when cyber threats here have grown. A Cyber Security Agency of Singapore report last July showed that "zombie" devices linked to the Internet and infected with malware that allows hackers to control them and launch cyber attacks, trebled in numbers here during the pandemic.
Under Singapore's Personal Data Protection Act, a company can be fined up to US$1 million for a data breach. But from October 1, this will be raised to a maximum of 10 per cent of the company's annual turnover in Singapore or $1 million, whichever is higher.
"When an exposed database gets accessed by an unauthorised malicious party, the consequences can range from a data breach to a subsequent follow-up attack on the employees or customers whose information was left unsecured," said Tim Bobak, Groupib's attack surface management product lead.
Group-ib is one of Interpol's official partners and has worked with its cybercrime team.
Bobak said that Singapore's number of databases is found to be higher than other territories and this might simply reflect the fact that it is a highly developed area that hosts a larger number of information technology assets.
"Another reason might be the high level of digitalisation in Singapore," he said.
Freddy Tan, an executive committee member of the Association of Information Security Professionals (AISP), said that a lack of awareness of data protection and security among organisations here could also be a contributing factor.
“If you look at economies like Australia, they have a longstanding culture around data privacy. But we don’t have such a long history on data protection,” said Tan, who is also managing director of cybersecurity firm Epic Cybersecurity.
He added that the focus of cyber-security professionals and management in many organisations here is on infrastructure security – such as having firewalls and anti-virus software – but not data security.
In Singapore, the number of exposed databases discovered grew fairly regularly, at around 1,500 databases every three months after the first quarter of last year.
There were 1,239 exposed databases discovered in the first quarter of last year. By the fourth quarter of 2021, the figure had grown to 5,882. The number jumped by almost 2,000 to hit 7,873 in the first quarter of this year.
Bobak said that as more organisations go ahead with their digital transformation plans, there are more and more Internet-facing services and devices every day.
"Corporate networks keep getting more complex and extended. This leads to an increase in the total number of misconfigured databases," he said.
The main cause of not configuring databases properly here is likely human error and a failure to follow cyber-security practices.
"Information technology infrastructure is growing in both size and complexity for businesses in virtually all industries, so it's challenging to make sure everything is properly configured and secured," said Bobak, noting that simple errors can lead to misconfigurations and thus exposed databases.
The accelerating pace of digitalisation could mean firms had more assets to manage. Cyber-security teams may also be facing skill shortages and limited budgets, even as their workloads increase, with the pandemic disrupting workplaces and business processes, he said.
The talent shortage here might not be as great as in other countries. AISP’S Tan said that there is one certified information security professional for every 2,000 people in Singapore.
To help prevent database exposure while organisations' networks grow, Bobak said it was important for them to have a complete and updated list of their digital assets, as well as use tools to help manage them.