The high-profile committee of inquiry (COI) into the biggest hack ever to hit Singapore, the widely publicised SingHealth data breach, has finally wrapped up with a summary of recommendations. While the COI results provide some form of closure to this unfortunate incident, I fear that if we do not target what is, to me, a key factor in why the breach escalated to such an extent in the first place, the possibility of another breach may not be as remote as hoped.
I do not question the importance of the factors that have been raised by the COI. What remains glaringly obvious, however, is the culture of not reporting incidents to higher-ups. I am aware that two employees failed to report the incidents in a timely manner. While the reasons cited were, respectively, a fear of working late and a desire to confirm that a breach had occurred, I have a suspicion that the failure to report rapidly may run deeper than that.
I suspect that I would not be alone in thinking that there might have been a culture of implicit fear of senior management in SingHealth. By no means would this be applicable only to SingHealth. I would venture to assume that this culture of fear exists in many organisations in Singapore. Due to the hierarchical nature of our reporting structures, many junior employees do not want to be seen as the person "troubling" the seniors. No one wants to stick out. After all, what if they were wrong and there were no breaches after all? What would the reprisals be?
As a result of this type of mentality, an opportunity to catch the breach as it occurred may have been missed, leading to the data of over 1.5 million people being breached (including the private information of the Prime Minister of Singapore). By ignoring the possibility of a culture of fear existing within SingHealth, has the COI missed an opportunity to address this giant elephant in the room?
The "top down" approach is prevalent in Singapore. Indeed, it comes from the very heart of the corridors of power. Haven't we all been brought up with the ideology of "the government is always right"? Aren't we all implicitly encouraged not to over-question, to keep our opinions to ourselves? Could this attitude of fear have translated into why the two employees chose not to escalate the potential breaches?
For the COI to be meaningful, it has to be brutally honest. In this case, it appears to me that they may have missed a trick. Or perhaps, are the people appointed to the COI so "senior" that they have forgotten what it was like to be a junior member of staff in the establishment?