WITH recent spectacular examples of cybercrime such as the Bangladesh Bank heist and the hacking of the Comelec voter information database just weeks before last month’s elections fresh in everyone’s mind, The Manila Times’ fourth business forum on Thursday at the Marriott Hotel at Resorts World couldn’t have been more timely. As the country rapidly moves toward a more digitally-capable, regionally- and globally-integrated financial sector, balancing liberalization with security has become a critical task.
The challenge faced by the sector is staggering. According to IBM’s Philippine country head Luis Pineda, an average enterprise—average in terms of the entire spectrum of businesses across the whole economy—sees about 200,000 cyber threats per year; other data suggests that the number of incidents is growing by well over 100 percent annually. Statistics are difficult to gather, but rough estimates of the global costs of cybercrime range from $375 billion to $575 billion per year; estimates of the cost of transnational crime in the Asean region alone are about $90 billion annually.
What most people do not realize is how sophisticated the digital bandits have become. About 80 percent of cyber attacks are carried out by organized crime rings that are very often more astute businessmen than their targets; the Bangladesh Bank heist, for instance, has recently been traced to a well-known Russian group that has been responsible for dozens of similar, albeit smaller attacks.
Although the cybercriminals are very sophisticated, their work is greatly aided by the general lack of preparedness of firms to defend themselves against the threat. According to IBM’s Pineda, less than five percent of banks even have a cohesive plan for digital security. In terms of actual preparedness in the Philippines, about 17 percent of enterprises are reasonably well-prepared; about 56 percent have at least some security measures; but 27 percent have virtually no defenses at all. Little wonder, then, that more than half—about 55 percent—of cyber attacks are eventually traced to an internal source; sometimes these are intentional, but more often they are the result of simple errors that are taken advantage of by the cybercriminals.
Aggravating the risk is the rapidity with which the financial sector’s business model is changing. Pineda calls it the “uber effect,” after the ride-sharing business that is wrecking the conventional model of public transportation in some places. Non- traditional financial services, payment systems, mobile applications, and e-commerce are not just blurring the line between conventional and unconventional enterprises, they are completely obliterating it; Pineda cited statistics that indicate venture capital investment in this rich new financial landscape has grown by something like 600 percent in the past four years, and within about 10 years could wipe out about 30 percent of traditional banking sector jobs.
That evolution by itself makes for rich hunting grounds for digital corsairs, particularly as conventional banks that may not be very well equipped to do so sail into the unknown waters of new business to avoid being “flattened,” as Pineda put it. For the Philippines and most of Asean, the risks are amplified by the ongoing efforts toward economic integration, where the disparity in economic strength and preparedness for regulatory harmonization adds a layer of contagion risk, where even reasonable protections in one country can be undone by shortcomings in another.
Short of encouraging everyone to close all their bank accounts, never use the Internet or a cell phone, and use cash for every transaction, there is no way to avoid the risk or entirely prevent the occurrence of serious cybercrime. That’s the price we pay for developing systems of convenience; as long as we learn from the flaws when they are exposed, and otherwise avoid the avoidable, we will be doing the best we can expect.