By Denise A. Valdez
ALTHOUGH THE Philippines may have a lot of work to do to ensure cybersecurity, one of the best ways to begin is by clustering data to easily identify assets that need intensified safeguarding, consulting firm McKinsey & Company said.
In an email interview with BusinessWorld, McKinsey Philippines associate partner Boris Van said the Philippines has “a lot to catch up on,” despite cybersecurity being a global concern among firms.
“Learning how other countries are tackling these challenges and collaborating with other governments/cyber agencies to counter cyber-attacks is important,” he said.
McKinsey Singapore associate partner Aman Dhingra said companies must change their perspective on ensuring cyber safety, moving to a more focused approach centered on what is most important in a company’s set of assets rather than just “throwing money at a problem.”
“Rather than starting with technological vulnerabilities (say, the insufficient patching of servers or routers), they should first protect the most critical business assets or processes (such as customer credit card information),” he said.
“Already, many large institutions have implemented multiyear programs to classify corporate data so they can focus cybersecurity efforts and policies on their most critical information assets,” Mr. Dhingra added.
KNOW WHERE TO SPEND
He said usually half of companies’ data assets are not “mission critical,” so firms must learn to identify the cyber risks for each set of information and direct efforts toward securing the crucial data. He noted that doing so may reduce cybersecurity costs by 20%.
“We surveyed 45 of the top 500 companies globally and found that more security spending does not lead to high risk management maturing — some companies spent huge sums, but were not necessarily protecting the right information assets. Therefore, it is important to know where and how much to spend,” he said.
He added, “Applying the same cybersecurity controls to all assets creates extra effort and expense. Vital assets should be protected more strongly than less important ones.”
Mr. Dhingra also said taking a proactive rather than reactive stance against cyber criminals may be more effective in dealing with an ever-evolving threat.
“Companies can thwart hackers more effectively if they understand how they behave. Leading companies…maintain up-to-date intelligence on cyber criminals’ capabilities and intentions — and sometimes even their identities,” he said.
Mr. Van said ensuring data privacy is becoming more and more tricky now that digital data is rising in value, the distinction between work and private devices is starting to blur, data sharing is becoming more open among businesses and their clients, and cyber criminals are growing more gimmicky.
“Professional cybercrime organizations, political ‘hacktivists,’ and state-sponsored groups have become more technologically advanced, in some cases outpacing the skills and resources of corporate security teams,” he said.
He noted that the passing of the national identification system law by President Rodrigo R. Duterte last month is “a major opportunity but will also naturally expose more citizen data online.”
“The key is to rapidly be secure without slowing down the adoption of technology/digital initiatives,” Mr. Van said.
Mr. Dhingra said while inadequate preparation may risk the leak of important business information, excessive and misplaced data security efforts could also hamper the conduct of work in a company.
“Companies need to make cybersecurity a broad management initiative with a mandate from senior leaders in order to protect critical information assets without placing constraints on business innovation and growth,” he said.