“Many enterprises, particularly small- and medium-sized enterprises, lack awareness and/or have low adoption of Internet security best practices to safeguard their domains, websites and email servers,” CSA said.
“This puts customers of these companies at risk because their data and details of their transactions with the company may not be properly secured.”
Mr Teo said the ratings will allow users to do “health checks” on whether the websites they visit have the necessary security protocols.
“Individuals need to be aware of cyber risks, be capable of protecting themselves, and be responsible for their own safety and security online,” he said.
CSA said it will engage businesses in other sectors like banking and finance as well as healthcare, and similarly publish their ratings.
The ratings are part of an Internet hygiene portal, a new one-stop platform with resources and self-assessment tools to help businesses adopt Internet security best practices as they digitalise.
“As Singapore builds up its digital economy and more businesses go online, cyber threats such as ransomware and phishing will remain major concerns,” CSA said.
Mr Teo said COVID-19 has accelerated the adoption of digital technologies in everyday life, be it in digital payments, shopping, chatting with friends, travelling or business.
“Securing the digital domain and ensuring a trusted cyberspace will enable all of us to enjoy the fruits of the digital revolution, and its promise of economic progress and a better life,” he said.
RATING CYBERSECURITY OF MEDICAL DEVICES
CSA also confirmed that it will rate medical devices according to the level of their cybersecurity provisions, in an extension of its cybersecurity labelling scheme.
The scheme was introduced in 2020 to help consumers make informed choices when buying increasingly pervasive network-connected smart devices, which hackers can exploit to steal personal data. Such devices include home routers and IP cameras.
Likewise, CSA said medical devices are now increasingly connected to hospitals and home networks, in the intranet and Internet.
“While these connected medical devices benefit patients and healthcare providers, particularly in real-time monitoring of health status, rising connectivity could also increase cybersecurity risks and compromise patients’ personal information, clinical data or treatment protocols, ultimately affecting patient health outcomes,” the agency said.
Plans to include medical devices in the labelling scheme were announced as early as July, when tech website ZDNet quoted CSA chief executive David Koh as saying that medical devices needed to be secure as they could cause personal injury.
The ZDNet report, citing a CSA document, said medical devices would fall under the scheme if they handled sensitive data such as personal identifiable information and had the ability to “collect, store, process, or transfer data”.
They would also be connected to other systems and services, with the ability to communicate using wired or wireless networks either autonomously or manually.
CSA said the rating of medical devices will incentivise manufacturers to adopt a security-by-design approach to develop more secure products for the medical device industry.
“This will also enable consumers and healthcare providers to make informed decisions about the use of devices, as they can identify products according to their cybersecurity provisions,” it said.
Medical devices will be rated one of four levels. Level 1 means the device meets baseline regulatory requirements, aligned with the Health Sciences Authority’s current registration requirements for medical devices.
Each subsequent level represents an additional layer of testing to ensure the device meets improved cybersecurity requirements, such as device and data requirements.
“For the higher levels of the scheme, a formal consultation with the medical device industry and associations will be held in the coming month to seek feedback on their proposed requirements, including the timeline for implementation,” CSA said.
“More details on the industry consultation and registration (for the medical device labelling scheme) will be announced in due course.”