Responding innovatively to cyber risks



    Cybersecurity is a term I encounter on a daily basis—by association with words such as breaches, privacy, data protection and a myriad of other expressions.

    It’s a topic that is on the minds and lips of executives, businesses, and even the common Filipino. Much of the interest around cybersecurity in the Philippines is generated by the alleged role of a major local commercial bank in a cybercrime where a huge amount was stolen from a foreign central bank. Within a few months after that incident, our central bank penalized the local bank with a fine of an amount unprecedented for any errant Philippine bank.

    And who could forget the cyberattack on the Commission on Elections (Comelec) in which 55 million voters’ records were stolen and published online? This major incident resulted in the Comelec being found by the National Privacy Commission to have violated the Data Privacy Act, and a recommendation to criminally prosecute Chairman J. Andres D. Bautista for data breach.

    Globally, organizations are constantly battling cyberattacks like denial-of-service and advanced persistent threats. The steadily increasing number of organizations falling victim to ransomware is not surprising, as researchers have discovered the largest ransomware-as-a-service ring. Organized cyber criminals are becoming more advanced in growing their enterprise and evading detection.

    Cybercrime is ranked as the second most reported economic crime by respondents of the 2016 PwC Global Economic Crime Survey (GECS). We now operate in a global business ecosystem that frequently spans jurisdictions. A breach in any node of that system—including third parties, such as service providers, business partners or government authorities—can compromise the organization’s digital landscape in a variety of ways.

    What’s more, cyber risk has gone beyond the traditional view of computers: globally, PwC has observed a sharp increase in attack activity involving the so-called Internet of Things, including cars and household devices.

    Security experts consider the Philippines as increasingly exposed to cyber threats, but local companies seem to think otherwise. Only 17 percent of Philippine respondents in the GECS said they had been victims of cybercrime, yet they take the threat of cybercrime less seriously. An explanation could be that yes, the cyber agenda may now be a regular feature in board discussions, but it is not on a level that’s at par with the rest of the world. For the other 83 percent who say they are not victims, many have likely been compromised without knowing it.

    As cyberattacks continue their rampage throughout the global business ecosystem, many organizations should assess their ability to respond to this challenge in the areas of (i) identifying, prioritizing and protecting the assets that are most essential to the business; (ii) understanding the threats to their industry and their business; (iii) evaluating and improving the effectiveness of existing processes and technologies; (iv) enhancing situational awareness to detect and respond to security events; (v) developing a cross-functional incident response plan for effective crisis management; and (vi) establishing values and behaviors to create and promote security effectiveness.

    Conversations around these six areas would naturally lead organizations to establish their cybersecurity program and capabilities that hinge on a security strategy that’s aligned with the overall business objectives, risk appetite and tolerance levels. Mature organizations would have started their cybersecurity program fairly early on in their business with a stance on continuous risk assessment, making them resilient to cyberattacks. For less cyber-resilient entities, much of their focus would be on the incident response front as there is an increased expectation of cyberattacks being a “when” and not an “if.”

    In the said survey, only a third of Philippine organizations have an incident response plan, trailing behind their regional and global counterparts. Where there is an incident response plan, the first response is left to IT teams without adequate intervention or support from senior management and other key players. Cybersecurity is a shared responsibility that requires cross-functional disciplines. However, the composition of response teams is often fundamentally flawed, ultimately affecting the handling of breaches.

    Leaving the Philippines aside, let’s take a look at several innovative ways organizations globally are responding to rising cyber risks. According to the 2017 Global State of Information Security Survey by PwC, and the CIO and CSO magazines, many organizations are incorporating strategic initiatives such as adopting a risk-based security framework, making use of cloud-based cybersecurity, formally collaborating with others, leveraging big data analytics and investing in cybersecurity insurance.

    Adopting a risk-based cybersecurity framework

    The vast majority of organizations that took the survey have adopted a security framework, or a combination of frameworks, that has provided productive results in terms of identifying and prioritizing risks, assessing the maturity of their cybersecurity practices, and enabling better internal and external communications.

    Harnessing the power of cloud-enabled cybersecurity

    Over the years, cloud providers have steadily invested in advanced technologies for data protection, privacy, network security and identity and access management. Many have added capabilities that allow them to enhance threat intelligence gathering and modeling, better block attacks, improve collective learning and accelerate incident response. For these reasons, most survey respondents said they use cloud-based security services to help protect sensitive data and strengthen privacy.

    The big impact of Big Data

    A growing number of organizations are taking advantage of Big Data analytics to monitor for internal and external cybersecurity threats, improve their ability to quickly identify and respond to security incidents, better understand user behavior, and expand visibility into anomalous network activity.

    Partnering up to sharpen cybersecurity intelligence

    Over the past three years, the number of organizations that embrace external collaboration has increased, citing benefits such as sharing and receiving information from industry peers, Information Sharing and Analysis Centers (ISACs), government and law enforcement, and improved threat intelligence awareness.

    Cybersecurity insurance

    No amount of information sharing and advanced cybersecurity technologies can make systems foolproof against cyberattacks. That’s why many businesses are purchasing cybersecurity insurance to help mitigate the financial impact of cybercrimes when they do occur. Another benefit in getting cyber insurance is improving the understanding of their cyber-readiness.

    These initiatives may seem advanced but it won’t be surprising if local companies have started adopting similar means to manage cyber risks. Where implementing innovative cybersecurity initiatives is far off, businesses can invest in core safeguards to better defend their ecosystem against evolving threats such as having an overall information security strategy, employee training and awareness program, security baselines/standards for third parties, having a Chief Information Security Officer, conducting threat assessments, and active monitoring/analysis of security intelligence.

    If there’s one thing that has become apparent here, it is the reality that cyberattacks are here to stay. As technologies evolve and adversaries sharpen their skills, how can businesses prepare for the risks of tomorrow?

    This is a difficult question to answer since it’s hard to predict the future of a situation that’s presently uncertain and continually changing. Organizations should consider assumptions in preparing for cybersecurity over the next three to five years.

    The digital age we are living in now is creating a greater avalanche of data that can be collected, analyzed and potentially compromised. Our lives and business will increasingly become digitized. The Internet of Things will release a flood of machine-to-machine information that will highlight the importance of strong encryption. Threat actors are likely to produce attacks that are even more technologically sophisticated. Assaults by nation-states will become more aggressive and possibly lead to cyberwarfare.

    This future may or may not unfold, but it is vital for organizations to think ahead and anticipate possible scenarios to develop a strategy for cyber-resilience. Doing so will enable businesses to accelerate a cybersecurity program that is based on the right balance of technologies, processes and people skills with an adequate touch of innovation.

    To help organizations learn more about innovative ways in responding to cyber risks, PwC is holding a Cybersecurity and Privacy forum soon. Email menen.miranda@ph.pwc.com for details.

    * * *

    Benjamin Azada is the managing principal of PricewaterhouseCoopers Consulting Services Philippines Co. Ltd. Email your comments and questions to markets@ph.pwc.com. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

