Ensuring new work arrangements do not lead to increased risks (PQ Reply by Minister Josephine Teo)

Ensuring new work arrangements do not lead to increased cybersecurity risks

Fourteenth Parliament of Singapore – First Session for the Sitting on 15 February 2022

Question

Mr Yip Hon Weng asked the Prime Minister since public service employees started working from home (a) whether there are any cases of data lapses or an increased risk of it and, if so, how are they dealt with; and (b) how are cyber security practices and audits being revised to adapt to the new hybrid work format.

Answer

Written answer by Mrs Josephine Teo, Minister for Communications and Information and Minister-in-charge of Smart Nation and Cybersecurity (for the Prime Minister)

The Government remains committed to upholding high standards of cyber and data security regardless of the mode of working. Due to COVID-19, hybrid work arrangements have been adopted extensively by Public Service officers since 2020. Despite this, there have been no reported data lapses arising from work-from-home arrangements from January 2020 to December 2021.

Hybrid work arrangements are not without cybersecurity risk. The Government has progressively enhanced our cyber and data security measures to ensure that the new work arrangements do not lead to increased risks.

The first measure is ensuring secure remote access to the Government’s InfoComm Technology (ICT) systems. With more ICT systems needing to be accessed remotely by officers working from home, the risk of cyber-attacks initiated over the public internet increases. To mitigate this, remote access to systems with classified data is allowed only via a secure Government-issued laptop with a Virtual Private Network (VPN) connection to the Government network. Higher risk activities, such as creating new accounts and changing access rights, continue to be done in-person to reduce the risks of unauthorised changes.

Another measure implemented to enhance security is the remote updating of software on officers’ laptops. Prior to the shift towards hybrid work arrangements, the majority of officers’ laptops were updated in the office. To mitigate the risk from software vulnerability due to outdated software on officers’ laptops, the Government enhanced its network infrastructure to enable remote updating.

Beyond the specific risks arising from a hybrid working environment, it is important that the Public Service maintains a strong culture of cyber and data security.

The Government conducts annual phishing exercises and annual Cyber and Data Security Quiz to ensure that officers remain vigilant against evolving threats. Officers are also regularly reminded on the best practices for remote work, such as securing their home network and the appropriate use of video-conferencing tools.