Photo from PIXABAY

By Adrian Paul B. Conoza, Special Features Assistant Editor

Since the coronavirus crisis has accelerated the use of digital means, organizations have been undergoing their respective digital transformations. Alongside this move, however, cyberattacks like malware and phishing have escalated, which for businesses might result in losing important information, as well as crippled operations and consumer trust.

In a recent BusinessWorld Insights forum, themed “Improving Cybersecurity in the Digital World,” experts from government and private sectors recognized the need for seriously implemented policies as well as comprehensive solutions for businesses amid increasing threats from cyberattacks.

Melchor T. Plabasan, director and head of the Technology Risk and Innovation Supervision Department of the Bangko Sentral ng Pilipinas (BSP), noted that amid the growth of digitalization, there has likewise been an increase in threat actors trying to exploit consumers and organizations that cybersecurity has now become a “never-ending battle” across sectors.

From the central bank’s end, he shared, the top three incidents in 2021 spotted by the BSP’s cyberthreats surveillance are card-not-present fraud, phishing, and account takeover or identity theft.

“There is now what we call more elbow room on the part of these threat actors on attack surfaces by which they can operate,” he observed.

Citing findings from Checkpoint Threat Intelligence Report, Globe Business Enterprise Group Vice-President for Partner Ecosystem Francisco Claravall noted that cyberattacks have threatened the Philippines more than Southeast Asian neighbors.

According to Checkpoint’s findings, an average of 2,115 weekly attacks were found in Philippine organizations from both government and private sectors.

“We actually see [the] government as actually the top [sector] being attacked, followed by manufacturing and then finance and banking,” he added, noting as well that most of the attacks occurred through email attachments.

Another finding Mr. Claravall noted was that most Philippine organizations (64%) were exploited through remote code execution, which is defined as an attack where a threat actor illegally accesses and manipulates a computer or server without authorization from its owner.

Ana Margarita Sanchez, vice-president for strategy and engagement at Philpacific Insurance Brokers & Managers, Inc. (Philinsure), pointed out that as the move “to the web on the cloud” drives an exponential growth of data stored online in the future, exposure to cyberthreats are bound to increase. This should alarm Philippine companies to better secure themselves digitally since losses from cyberthreats are very costly.

Ms. Sanchez cited a study by online marketing firm Reboot Digital PR Services, which revealed the Philippines is the ninth least cyber secure in Asia, mainly due to a huge number of phishing and malware-hosting sites.

“Can we afford the loss of our data? Because it costs money when our systems are breached. The cost of repairing our data systems and of restoring the data — that’s something that every business owner should consider and even our government,” she said.

“And when we lose our data, we’re not only talking about data and system recovery costs. We’re also talking about business interruption, reputational and brand costs, and also legal and regulatory costs,” she added.

Ms. Sanchez highlighted that cyberattacks cost a global average of US$ 200,000, or about P11 million — which puts small and medium enterprises (SMEs) mostly at risk.

“SMEs in Asia-Pacific are actually very exposed… and the fear is real for these businesses because even Cisco came out with the study that 56% of Asia-Pacific SMEs have suffered a cyber incident in the last twelve months,” she added.

Implementing policies

Given the stronger need for cybersecurity in the country, Allan S. Cabanlong, founder and chief executive officer of CyberGuardians, Inc., stressed throughout the forum that the Philippine government needs to fully implement the National Cybersecurity Plan 2022, which was drafted and launched by the Department of Information and Communications Technology back in 2016 and 2017.

The plan envisions having a trusted and resilient information infrastructure, or infostructure, in the country. Its goals include assuring the continuous operation of the nation’s critical infostructures, public and military networks; implementing cyber-resiliency measures to enhance ability to respond to threats before, during and after attacks; effective coordination with law enforcement agencies; and a cybersecurity-educated society.

“The main challenge now with the government is the implementation. All the plans have been laid out already. The laws have been created already, although there are other laws that are still sought,” Mr. Cabanlong, who is also a former DICT assistant secretary, said.

Aside from implementation, Mr. Cabanlong continued, putting the right people to handle cybersecurity and developing the cybersecurity workforce in the country are also important.

Agreeing with Mr. Cabanlong, central bank’s Mr. Plabasan noted that while the Philippines has a Cybercrime Prevention Act, a cybersecurity law is still needed to clearly delineate the responsibilities of the government and the private sector in terms of protecting critical infrastructure.

“Although the National Cybersecurity Plan also identifies these critical sectors that need to be protected, we believe that this should be enacted into law because cybersecurity is a very expensive endeavor, [and] so that there [will be] steady source of funding that would finance activities related to protecting our systems,” Mr. Plabasan said.

Initial steps for businesses

On the other hand, businesses should start “cybersecuring” themselves by having a security assessment of their company, creating their zero-trust framework, and staying up-to-date on the evolving threat landscape, Mr. Claravall advised.

“Keep your team, as well as your executive stakeholders, informed; because unless they know what’s happening, they will not mind you,” Mr. Claravall said.

Mr. Plabasan remarked that a cybersecurity culture must be built among organizations, particularly embedding cybersecurity across all facets of their operations.

“We also need to make the board aware or, sometimes, to moderately scare them about the risk that the organization is facing, so that they can also fully support initiatives to strengthen the cybersecurity posture of their organization,” he said.

Mr. Claravall added that businesses should assess the impact of losing critical data, out of which they should create a business continuity plan.

“When a cyber breach happens, where is your critical data?” he said. “You have to make sure that you have that plan in place and then make sure you review and test your incident response plan. This should not be at a time when you’re just starting to test what you’ve planned.”

The Globe Business executive also stressed that in getting cybersecurity solutions, companies should not pick and assemble them on their own.

“Most customers try to do it per product and try to assemble it. What we realize is you don’t really choose a solution or a product. Look for a strategic partner that can understand your needs end to end,” Mr. Claravall said.

“That’s why things like managed security services are actually booming right now because the expertise is there for you to be able to avail of it,” he added. “You have to worry about technology and you don’t have to worry about making sure you keep the people, upskill them, and train them.”

Innovations for cybersecurity

Globe Business, for its part, has been offering clients bundles of cybersecurity services, which include endpoint security cloud applications, as well as governance, risk management, consulting, and incident management solutions.

“We think of ourselves as curating the best solutions that customers may need,” Mr. Claravall said.

The Globe Business executive also mentioned a solution called incident management response retained, which he observed their brand has succeeded in getting client companies subscribed to.

“A company without sort of an incident management response retainer, when something happens to them, will crumble from scratch on how to handle the situation. This retainer helps them, in the event something happens, to respond in an organized and quick manner,” he explained.

Another safety net businesses can go to is insurance, as Philinsure’s Ms. Sanchez shared.

Philinsure’s cyber insurance called CyberSecure, as advertised, intends to accompany companies by coming up with an immediate breach response in case of a suspected data or security breach; as well as by providing experts to regain access, replace, or restore data; and getting reimbursements.

Through neoinsurance, businesses can assess their risk, automatically get a quotation, and easily get CyberSecure on a single online platform.

“Usually if it’s cyber insurance, it’s voluminous pages of things you must go through. But here, we’ve made it kind of plug and play,” Ms. Sanchez said. “In our platform, at least, there are several options for enterprises, particularly for SMEs who are the most vulnerable at this point in time.”

Ms. Sanchez hopes that more insurers will get into the cyber insurance space as this kind of protection is becoming more critical as a fiscal response to any cyber breaches.

This session of BusinessWorld Insights is in partnership with Globe Business and is supported by the Asia Society-Philippines, British Chamber of Commerce of the Philippines, Financial Executives Institute of the Philippines, Management Association of the Philippines, Philippine Chamber of Commerce and Industry, Philippine Franchise Association, and The Philippine STAR.