E-commerce and digitalization have significantly impacted various aspects of people’s lives, especially during the pandemic and the emergence of the new digital economy.
These advancements have brought about increased convenience and efficiency, positively influencing daily routines and overall well-being.
However, along with the benefits of digitalization, there has also been a rise in cybersecurity threats. U.S. Ambassador to the Philippines, MaryKay Carlson, emphasized this concern during her address to journalists from across the country on June 6 at the Radisson Blu in Cebu City, marking the beginning of the two-day event titled “Building Blocks: The U.S.-Philippine Partnership for a Prosperous and Cyber-secure Digital Economy.”
Recent data provided by Carlson from the American cybersecurity firm Kroll reveals that businesses in the country, regardless of their size, are vulnerable to cyberattacks. Three out of every four businesses have fallen victim to various types of cyberattacks, making the Philippines one of the most vulnerable nations in the Indo-Pacific region when it comes to cyber threats.
“This is particularly concerning because the majority of companies in the Philippines are small and medium enterprises (SMEs). Cyberattacks can have devastating effects on small businesses, which often lack the same level of digital protection as larger companies,” she explained.
Carlson highlighted the need to reject the acceptance of vulnerability as the norm and underscored the significance of preventing malicious actors from compromising security, thus safeguarding the country’s economic recovery.
Recent data from the Philippine Stock Exchange Inc. (PSEI) has underscored the severe potential consequences of successful cyberattacks on critical digital infrastructures in the country. If hackers or malicious actors manage to breach these vital systems, businesses could suffer daily losses exceeding P6 billion.
This illustrates the critical importance of implementing comprehensive cybersecurity safeguards to defend the Philippines’ economic interests and avert substantial financial consequences, cybersecurity experts claimed.
Carlos Ely Tingson, Kroll’s senior vice president in the Cyber Risk practice, stated that cybercriminals, engaging in activities such as hacking, phishing, identity theft, ransomware attacks, and online fraud, pose a significant threat to cybersecurity in the country, targeting individuals, businesses, and government organizations.
The most pressing threat incidents they have observed over the past two years (2021-2022) are in the form of business email compromise (BEC), a type of cyberattack that specifically targets organizations through email communication.
The basic goal of a BEC attack is to deceive the recipient into performing unauthorized actions, such as transferring funds to fraudulent accounts, sharing sensitive information, or initiating other actions that benefit the attacker. The attackers often use social engineering techniques, carefully crafted emails, and advanced deception tactics to create a sense of urgency, legitimacy, or importance in their communications.
“It’s quite high in 2021 because it was considered as the year of vulnerabilities and exploits. Most memorable is yong proxy log on vulnerability, which affected a lot of emails. That’s why in 2021, there was high BEC,” Tingson said.
There’s also ransomware, a type of malicious software (malware) that encrypts files or locks down a victim’s computer system, making them inaccessible until a ransom is paid to the attacker.
It is a form of cyber extortion where the attacker demands payment, usually in the form of cryptocurrency, in exchange for decrypting the files or restoring access to the compromised system.
“It’s quite static, from 33% to 32% in 2022, and we’ve actually seen a dip in ransomware activities in the 3rd Quarter of 2022, but it went back again in the 4th Quarter,” he said.
Furthermore, Tingson stated that illegal access, which is typically associated with insider threats, is a major cybersecurity risk. He said they’ve observed a rise in dark web activities in 2022, with threat actors actively recruiting insiders to gain access to targeted organizations.
An example of this is when ransomware threat actors target educational institutions, attempting to obtain students’ login credentials and using them to gain unauthorized access to the institution’s network and exploit it for their own purposes.
Addressing cybersecurity threats in the Philippines
But addressing this issue poses a significant challenge due to lack of awareness and education, weak infrastructure, lack of policies and regulations, and the shortage of cybersecurity experts, which the Philippines, like other countries with emerging digital economies, is grappling with.
According to John Avila, a senior economic growth specialist at the United States Agency for International Development’s (USAID) Office of Economic Development and Governance, the demand for skilled cybersecurity professionals has been steadily increasing in response to the growing number of cyber threats and the escalating importance of digital security.
Avila pointed out that there are only a few cybersecurity professionals in the Philippines, which raises concerns as it poses challenges for organizations in effectively protecting their systems and data.
“One of the things we discovered is that the government lacked capacity for certified cybersecurity professionals. There was a time when the government didn’t even have cybersecurity professionals. So, we’re doing that—basically, we’re [helping] train people across the government, especially in critical sectors,” said Avila.
“We conducted a study with IBM on cyber workforce in the Philippines, and really the needs here are very big. The problem here is basically a workforce problem when it comes to cyber security. I think there’s already a degree of awareness, but we need people to man those emergency response teams, to man those offices in government as well as in the private sector,” he added.
Based on the National Cybersecurity Talent Workforce Assessment Report of the Philippines that the USAID Better
Access and Connectivity (BEACON) conducted with IBM, in Asia-Pacific (APAC), the Philippines had the highest number of users attacked by banking Trojans, a type of malicious software, making it the fourth most targeted country by cybercriminals.
“These data points and the cybersecurity information found during research suggest, unfortunately, that the Philippines is poised to jeopardize the U.S. portion of its Business Process Outsourcing (BPO) market, which is 75 percent of the $23 billion Philippine BPO market,” the study stated.
It claimed further that burgeoning global internet market is an opportunity for countries that respond successfully to the rising tide of cybercrime. Nations that fail to respond effectively to the surge of cybercrime will, at best, stagnate their BPO businesses and, at worst, lose market share to other countries that prioritize cybersecurity.
Avila suggested that the Philippine government should take two actions: establish a plan with workforce targets and actively implement it, and create plantilla items within the government for cybersecurity personnel.
“Right now, the government does not have in its plantilla, a cybersecurity professional, nor the job description, nor the salary commensurate to that professional,” he said.
He mentioned that the government is fully aware of this situation and is collaborating with the Department of Budget and Management (DBM) and the Civil Service Commission (CSC) to develop specific plantilla items.
Avila emphasized that this initiative aligns with the Marcos administration’s efforts towards digital transformation.
Tingson also added that there are efforts from the private sector, as well as professional groups like Kroll, to collaborate with educational institutions and provide cybersecurity education to students.
“We just recently partnered with USAID to help in addressing the cybersecurity workforce gap. We’re offering mentorship programs, we’re offering free training to Filipinos, a part of which is the certified in cybersecurity campaign. We’re actually aiming to certify for free, it’s an open program,” he said.
Tingson also said part of the problem in addressing cybersecurity threats is that “the country has no reportorial requirements for cyber incidents”, which he had raised last year.
“A lot of companies get hacked and they just keep silent about it. Most companies here do not report to the authorities,” he explained.
“I’m happy to note that in the first draft of the National Cybersecurity Plan that the Department of Information and Communications Technology (DICT) is drafting now, they are already putting up mandatory reporting mechanisms for cyber incidents and they will put it in the Cybersecurity Act, which would hopefully be implemented soon,” added Tingson.
Investor loss due to lack of cybersecurity safeguards
Saptarshi Basu, a diplomat specializing in economic affairs at the US Embassy in Manila, stated that the Philippines is among the countries attracting interest from American tech companies for investment.
However, he emphasized the importance of the country being well-prepared to address cybersecurity challenges.
“One of the areas we’re working on is directly with some of the largest American companies—Google, Amazon—they’re looking at the Philippines, specifically in a number of areas, but their investment decisions will rely on the largest question on the business environment here,” Basu said.
“The other part of the question is cyber challenges—the Philippines is not the only place that American tech companies want to invest, but I think that ensuring that this country is well-prepared to deal with the cyber issues,” he said, could potentially influence their decision to consider investing.
Avila supported this, explaining that companies considering investments are increasingly assessing the cyber readiness or digital readiness of countries.
On this, he said the Philippines “ranked relatively poor” if compared with the rest of the Association of Southeast Asian Nations (ASEAN).
“If investors use these indices as a decision-making tool for where they’re going to invest, then, yes. The answer would be it will be an important consideration,” Avila stated.