Seven Ways to Effectively Manage Data Privacy and Information Security Risks

Posted by: TÜV SÜD Expert Date: 18 Aug 2023

As globalisation brings the world closer, data security obligations of a business are no longer confined to its geographical location. The General Data Protection Regulation (GDPR) has already transformed how European residents can control their data. Singapore is taking the security of its business data seriously and has been working on the Personal Data Protection Act (PDPA) since 2013. The PDPA works with sector-specific data protection acts such as the Banking Act and Insurance Act.[1]

In Fiscal Year 2021 alone, a staggering 178 data breaches were reported, marking a significant escalation from the 108 incidents documented in the previous year. This represents a daunting 66% increase in the overall number of reported data breaches. Market research shows that cybercrime could cost victims more than $8 globally in 2023 and that criminals can breach 93% of business networks.[2]

In this article, we discuss in greater detail the ISO/IEC 27001 cybersecurity standard.


Types of Cybersecurity Risks

Cybersecurity threats continue to increase in scale, risk, and complexity. Risk is the sum of the likelihood of a threat and its impact. Common cybersecurity threats are:

  1. Malware attacks – Users are lured into clicking a link or filling out a form on a counterfeit website. Malware also exploits vulnerabilities in web browsers or operating systems to infiltrate a user’s computer. Once installed, it monitors user activity and sends the captured data to the attacker. Types of malware attacks include trojan horses, ransomware, worms, wipers, spyware, fileless malware, and website manipulation.
  2. Social engineering attacks – These attacks use psychological triggers to manipulate a user into divulging sensitive information. The most common social engineering attacks are:

    a. Phishing – Fraudulent links or emails that appear to come from legitimate sources and bait users into providing sensitive information.

    b. Malvertising – Online advertising that an attacker controls and uses to install malware on a computer when the ad is merely clicked or viewed.

    c. Drive-by downloads – The attacker compromises a website and exploits browser or operating-system vulnerabilities to install malware when a user visits that website.

    d. Scareware – This method tricks users by convincing them that they have downloaded illegal content. It then offers a “fix” that leads users to download and install malware.

    e. Honey trap – The attacker assumes a fake identity, usually that of an attractive female, and lures the user into giving up sensitive information.

    f. Tailgating or piggybacking – The threat actor enters a secure building following authorised personnel.
  3. Software supply chain attacks – This attack exploits weak links in a vendor’s software update process to install malicious code in a company’s IT or supply chain systems. It abuses the trust businesses place in the software updates of their third-party vendors.
  4. Advanced persistent threats (APT) – APTs are normally directed against large businesses, nations, governments, and other high-value targets. They tend to stay undetected for extended periods, exfiltrating sensitive data.
  5. Distributed denial-of-service (DDoS) – DDoS attacks aim to overwhelm the system resources and make it stop functioning and deny access to legitimate users. Hackers compromise many geographically distributed systems and use them to target a single business.
  6. Man-in-the-middle attacks (MitM) – Attackers place themselves between a user and a remote system. While users think they are accessing the remote server, they are actually entering all their sensitive information on the system in the middle.
  7. Password attacks – Hackers use different methods like sniffing, social engineering, guessing, or brute-force or dictionary attacks to access a system password and connect to a network.

How Organisations Can Satisfy Stringent Legal Regulations Based on IEC and ISO Standards

Businesses need to safeguard themselves against such cyberattacks. The attacks could be state-sponsored or from terrorists, industrial spies, crime groups, hacktivists, black hat hackers, or malicious insiders. You can take the following steps to meet the cybersecurity regulations in line with the IEC and ISO standards:

Establish an Information Security Management System (ISMS)

The ISMS requirements in ISO/IEC 27001 define how you manage the risk to people, processes, services, and technology. Using the ISMS, businesses can manage their threats, vulnerabilities, and impacts and design controls to protect the confidentiality, integrity, and availability of data.

You can regulate and restrict access to critical systems and networks and meet the legal, regulatory, and contractual requirements.

Conduct Independent Audits

An independent ISMS certification audit ensures your business complies with the ISO/IEC 27001 standard. Through audits, you can demonstrate your cyber-risk approach to local, national, and international cyber security laws and regulations such as GDPR in the European Union, CCPA in California, and PDPA in Singapore.

Implement a Privacy Information Management System (PIMS)

ISO/IEC 27701, an extension of ISO/IEC 27001, gives a comprehensive set of operational controls that help businesses implement, maintain, and improve a PIMS. It maps its recommendations to the EU GDPR, the data privacy and cybersecurity law that requires appropriate technical and organisational measures.

Have an Incident Response Plan

The incident response plan helps you avoid litigation risk. It ensures that your business complies with the breach notification requirements of the data security law applicable in your country. ISO 22301 provides principles to manage incidents and prepare for a response.

Ensure Suppliers Are a Part of Your Cybersecurity Strategy

Suppliers are an integral part of your operations, and your legal risk mitigation strategy must account for that. Your risk management strategy should also include the risk profile of each supplier.

Get Cyber Insurance

Businesses must have cyber insurance to cover any legal costs or penalties due to settlement claims or class action lawsuits.

Conclusion

Proactive cybersecurity measures protect your business from lawsuits, reputational damage, and disruption of business operations. While the chances of a business never experiencing a cyberattack are slim, you can greatly reduce the risk by having a strategic plan that complies with the ISO/IEC 27001 standard.

It is best to have a trusted ISO/IEC 27001 certification body to meet the demands of PDPA regulations and cyber security law in Singapore.
