Sense, resist and react: the ultimate cybersecurity strategy for Philippine companies

SUITS THE C-SUITE By Warren R. Bituin

Business World (02/20/2017 – p.S1/4)

(First of two parts)

2016 will probably go down in history as the year when most Filipinos truly understood the real threats of cyber attacks on their day-to-day lives. While technology and cybersecurity professionals have been advocating cybersecurity for many years, the events of last year, particularly the Comeleak and the Bangladesh Bank hacking, brought to the fore the issue of cyber risk.

These incidents point to the increasing reality that any organization, anywhere in the world, may be hacked one day — if it has not been hacked already. One must be ready for this eventuality. Thus, a robust incident response program is essential for any organization. Without it, the organization runs the risk of significant financial loss due to fraud, regulatory sanction, or prolonged operational downtime, not to mention the severe reputational damage to the company’s brand.

It is critical, therefore, that the team responsible for responding to cyber incidents understands clearly the incident response program and knows exactly how to implement it in order to protect the organization.

Otherwise, it may be too late to contain the fallout of an attack.

When a major cyber attack happens, the organization that is in crisis will need to contend with many issues. The priority is to determine if there is any financial impact or any invaluable intellectual property stolen, while trying to maintain business-as-usual activities as much as possible.

However, there will also be increased, though unwanted, attention from media, regulators, and concerned stakeholders, especially in the case of family-led groups of companies, which are common in the Philippines. Without a formal incident response program in place, the chance of limiting the damage to the organization diminishes.

In EY’s 19th Global Information Security Survey 2016-17, which had as respondents more than 1,700 Chief Information Officers (CIOs), Chief Information Security Officers (CISOs) and other executives around the world, including the Philippines, EY identified three high-level components of a cybersecurity strategy. By enhancing their capabilities with respect to these components, organizations can better protect themselves from a cyber attack. These components are:

1. Sharpen your senses
2. Upgrade your resistance to attacks
3. React better

Resistance has traditionally been the area where organizations have focused most of their resources. In our dealings with public and private organizations, we have noted that most technology investments have a large component of cyber risk solutions in them. Many have also started to expand their cybersecurity teams, and thanks to the regulators and industry movers, the shared responsibilities of the boards, executives, CIO/CISO, and the business insofar as cybersecurity is concerned, are now becoming the norm.

Not surprisingly, our survey found that Philippine companies’ capability is high in this area — but with some room for improvement in the security awareness subcomponent, especially since the majority of respondents consider careless/malicious employees as the most likely source of an attack. Interestingly though, only 10% of local respondents said that their information security function is fully meeting their organization’s needs and 81% cited lack of skilled resources as the main obstacle in meeting these needs.

Capability was lower in terms of anticipating cybersecurity threats (i.e., sharpening the senses). About 70% of the respondents said that they have nonexistent or informal threat intelligence capabilities, which highlights a major area for improvement. Organizations must have an effective threat intelligence capability in order to anticipate any future attack on their environment so they can react proactively.

Considering the growing sophistication of attack vectors and the proliferation of advanced persistent attackers, organizations must continually scan the horizon for risks and install the necessary security mechanisms to identify and manage their vulnerabilities. To update themselves, a majority of the local respondents either collaborate and share data with their peers in the industry or have dedicated personnel that subscribe to open source resources.

However, cyber threat intelligence, which is supplied by a host of external providers, will not give an organization sufficient visibility of the dangers it faces unless it is properly interpreted. Organizations also need to have effective internal cyber trend intelligence programs in place to make sense of the information they receive, and to filter data relevant to their own business and sector. The survey showed that only 40% of the respondents said that they have security operations centers (SOCs) to provide real-time network security monitoring. Moreover, 79% said their vulnerability identification capabilities are either nil or ad hoc. Thus, more progress needs to be made in these areas.

In next week’s article, we will continue the discussion on developing an effective cybersecurity strategy by looking at the third component, which is the ability to react to and quickly recover from a cyber attack.

This article is for general information only and is not a substitute for professional advice where the facts and circumstances warrant. The views and opinions expressed above are those of the author and do not necessarily represent the views of EY or SGV & Co.

Warren R. Bituin is the Partner In-Charge of IT Services of SGV & Co. and is an Advisory Partner for Cyber Risk Services.