
THE PHILIPPINES’ information technology-business process management (IT-BPM) sector is facing increased pressure to report cybersecurity breaches, an expert said.

“I think there is double pressure to do reporting because you report to someone abroad,” Dominic Vincent D. Ligot, head of artificial intelligence and research at the Information Technology & Business Process Association of the Philippines (IBPAP), said during a forum on Wednesday.

“These firms are interested in knowing if there are cybersecurity policies in place,” he said in a separate interview with 大象传媒. “Especially those coming from places like Europe, where they have very strict privacy laws. Of course, the US is our biggest geography,” he said.

“But you have the likes of JPMorgan Chase & Co. These are banks. They would not send work here if they were not confident that they can secure the data,” he added.

When asked about the impact of cybersecurity incidents on IT-BPM firms, he highlighted the potential loss of credibility.

“Other than India, the Philippines is the next choice. But, for example, if we see the credibility of the Philippines fall, then the third-rate countries will be the ones to step up,” he said.

Mr. Ligot noted that cases of cyber breaches in IT-BPM are low. One of the most recent ones involved Maxicare Healthcare Corp., a third party.

He said that as the industry creates more jobs in the country, it should also be mindful of its third-party relationships.

“The problem is no one really reports incidents because our laws and policies prevent companies from reporting, and unfortunately, this is being weaponized by the threat actors,” said Angel T. Redoble, chairman and founding president of the Philippine Institute of Cyber Security Professionals.

He said cybercriminals threaten firms that if they do not pay, they will tell regulators that they have been compromised.

“It’s not encouraging our organizations or businesses to report because you get penalized,” Mr. Redoble added.

He also said firms do not necessarily have to build their own cybersecurity systems but can outsource third-party services, which must be end to end.

“An end-to-end cybersecurity practice covers the four layers of defense: the governance layer, the risk layer, the compliance layer, and the operations layer,” Mr. Redoble said.

Internally, he said properly informed and equipped users become a force multiplier. This means that as you secure the users, the business and enterprise follow through.

“So instead of calling them your weakest link, you start training them to become your force multiplier and your cybersecurity evangelist. With the change of mindset, you change the culture of the organization,” he said.

Mr. Ligot said IBPAP put together a framework called the 4Es, which comprises education, engineering, enforcement, and ethics, intended not just for AI. — Aubrey Rose A. Inosante