PDPA & Incident Response: Managing Data Breaches for SME
2021 sees the amended Personal Data Protection Act (PDPA) in Singapore taking effect, with several key updates including a mandatory data breach notification. Under the amended PDPA, organisations are required to notify the Personal Data Protection Commission (PDPC) in the event of a breach that meets the following criteria:
- Significant Harm
Organisations must assess if a data breach causes significant harm to affected individuals. Significant harm ranges from physical and psychological to financial and reputational harm.
- Significant Scale
If a data breach involves the personal data of 500 or more individuals, the organisation needs to notify the PDPC. This criterion applies even if the data does not fall under prescribed personal data in the PDP (DBN) Regulations 2021.
Organisations of all sizes in Singapore need to comply with the PDPA. However, small and medium enterprises (SMEs) often face challenges in mitigating cyber risks and managing data breaches.
Common Challenges Faced By SMEs
1. Cybersecurity Takes A Back Seat
With limited resources available, SMEs often prioritise business growth over cyber security and allocate their resources accordingly. As a result, organisations may not be prepared to manage a data breach when it happens.
2. Technical Controls
A lack of cyber risk management know-how could lead to poor choice of technical controls. Insufficient or inadequate security measures make SMEs more vulnerable to data breaches.
3. Limited IT Security Staff
Small businesses have less manpower than larger organisations, with IT staff often doubling as cybersecurity personnel. However, cybersecurity requires a different skillset that the company’s existing workforce may not be able to provide effectively.
Prepare For & Manage Data Breaches with an Incident Response Plan
Planning is essential to mitigate cyber risks and manage data breaches. A cyber incident response plan provides your organisation with an actionable plan to prepare for and manage a cyber attack. It details exact guidelines and protocols to follow for detecting, responding to, and recovering from a cyber attack or data breach.
Why SMEs Need an Incident Response Plan
1. Reduce Vulnerability
According to the Singapore Cyber Landscape 2020 report by the Cyber Security Agency of Singapore, SMEs comprised the majority of ransomware cases reported in 2020. Business leaders may have the mentality that, with larger organisations in the market, attackers won’t see SMEs as an attractive target. On the contrary, cyber criminals are more likely to seek the path of least resistance, resulting in small businesses being targeted. SMEs could be collateral damage as the attackers gain access to target other organisations through them.
By proactively developing and implementing a robust incident response plan, SMEs would be less vulnerable to attacks.
2. Regulatory Compliance with the PDPA and MAS TRM Guidelines
Regulatory bodies such as the PDPC and the Monetary Authority of Singapore (MAS) require organisations within their governance to notify them in case of data breaches. A comprehensive incident response plan ensures your organisation is compliant with the regulations and upholds its core responsibilities in the event of a data breach. Core responsibilities under the PDPA include taking the necessary actions to contain the breach, assess the risk, report the breach to the PDPC and affected individuals, and evaluate the company’s response (C.A.R.E.).
3. Fast & Effective Response
Managing a data breach is not just about acting quickly, but acting smartly. A cyber incident response plan ensures your organisation will take the appropriate actions when faced with a data breach, minimising risk from action bias and hastily-made decisions.
By preparing responses in advance, SMEs can map out required resources, optimise processes, and recover from cyber incidents more effectively. This will reduce downtime and mitigate losses from data breaches and cyber attacks.
How CSIntelligence Safeguards Your SME
CSIntelligence provides customised cyber security solutions, working closely with you to review policies and procedures, and ensuring technical controls are in tandem with compliance requirements. We are experienced in building cyber resiliency for organisations through robust cybersecurity governance, management and operations.
As an ISO 27001 certified managed security service provider in Singapore, we also offer 24×7 advanced threat monitoring, detection, and remediation for endpoints, servers, and mobile devices through our Managed PDR service. Contact us today for a no-obligation discussion.