Security boost for IT devices used by civil servants

People are often said to be the weakest link in the IT security chain. So, to reduce threats due to negligence, the authorities here are making it much tougher for unauthorised users to access information from civil servants' laptops and computers.

Officials have put out a bulk tender on behalf of government ministries, departments, statutory boards, organs of state and universities for advanced disk encryption software.

The number of people losing their electronic devices globally underscores the importance of such software that makes computer data unreadable to thieves.

In tender documents seen by The Straits Times, potential contractors are to supply full disk encryption as well as two-factor authentication (2FA) technologies that will work together to prevent unauthorised access.

At the encryption level, people will have to enter the right personal identification number (PIN).

They will then be prompted to use something that they have - a public sector smartcard or a security token - to verify that they are the rightful users. This step provides an added layer of security in what is known as 2FA.

The public sector smartcard is already being used by tens of thousands of civil servants to read their government secure e-mail. They insert the cards in card readers built into their computers.

But in the tender documents, the Infocomm Development Authority (IDA) stated that the card must be inserted even before the computer is allowed to boot up. This will secure all other data stored in civil servants' computers, not just their e-mail.

Security tokens - which bank customers are familiar with for generating one-time passwords - are also expected to prevent computers from booting up when they are in the wrong hands.

The tender closes on Aug 29.

"When we think of data breaches, we tend to picture attackers breaking into an organisation's network," said Mr Eugene Teo, senior manager of security response at United States- based security firm Symantec. "But the carelessness of individual users is (also) exposing organisations to major data breaches," he added.

Theft or loss of computers or hard drives accounted for over a quarter of the 253 personal data breaches globally last year, according to Symantec's 2014 Internet Security Threat Report.

It was one of the top three causes of data loss last year; the other two were hacking and accidental disclosure by sending data to a wrong e-mail address, for instance.

In 2012, device loss also accounted for about one-quarter of data breaches. But the number of breaches last year almost doubled those in 2012.

One high-profile case last year was the loss of a portable hard drive with the personal data of half a million student loan borrowers by a Canadian government agency. The drive lacked password and encryption protection.

itham@sph.com.sg

This article was published on Aug 14 in The Straits Times.

Get a copy of The Straits Times or go to straitstimes.com for more stories.