Written Answer

Cases of Data Lapses Since Public Service Employees Started Working from Home and Preventive Measures

Summary

This question concerns Mr Yip Hon Weng’s inquiry regarding potential data lapses since Public Service employees began working from home and how cybersecurity practices have adapted to hybrid work arrangements. Minister Josephine Teo responded that no data lapses were reported between January 2020 and December 2021 and that security measures have been progressively enhanced to manage hybrid work risks. These measures include mandating Government-issued laptops and Virtual Private Network connections for classified data, while higher-risk activities like changing access rights continue to be performed in-person. Additionally, the Government enhanced its infrastructure to allow for remote software updates and maintains a culture of vigilance through annual phishing exercises and cybersecurity quizzes. Officers are also regularly reminded of best practices, such as securing home networks and using video-conferencing tools appropriately, to uphold high standards of data security.

Transcript

7 Mr Yip Hon Weng asked the Prime Minister since Public Service employees started working from home (a) whether there are any cases of data lapses or an increased risk of it and, if so, how are they dealt with; and (b) how are cybersecurity practices and audits being revised to adapt to the new hybrid work format.

Mrs Josephine Teo (for the Prime Minister): The Government remains committed to upholding high standards of cyber and data security, regardless of the mode of working. Due to COVID-19, hybrid work arrangements have been adopted extensively by Public Service officers since 2020. Despite this, there have been no reported data lapses arising from work-from-home arrangements from January 2020 to December 2021.

Hybrid work arrangements are not without cybersecurity risk. The Government has progressively enhanced our cyber and data security measures to ensure that the new work arrangements do not lead to increased risks.

The first measure is ensuring secure remote access to the Government’s InfoComm Technology (ICT) systems. With more ICT systems needing to be accessed remotely by officers working from home, the risk of cyber attacks initiated over the public Internet increases. To mitigate this, remote access to systems with classified data is allowed only via a secure Government-issued laptop with a Virtual Private Network (VPN) connection to the Government network. Higher-risk activities, such as creating new accounts and changing access rights, continue to be done in-person to reduce the risks of unauthorised changes.

Another measure implemented to enhance security is the remote updating of software on officers’ laptops. Prior to the shift towards hybrid work arrangements, the majority of officers’ laptops were updated in the office. To mitigate the risk from software vulnerability due to outdated software on officers’ laptops, the Government enhanced its network infrastructure to enable remote updating.

Beyond the specific risks arising from a hybrid working environment, it is important that the Public Service maintains a strong culture of cyber and data security.

The Government conducts annual phishing exercises and the annual Cyber and Data Security Quiz to ensure that officers remain vigilant against evolving threats. Officers are also regularly reminded of the best practices for remote work, such as securing their home network and the appropriate use of video-conferencing tools.