IT-BPM sector faces pressure to report cyber incidents

THE PHILIPPINES’ information technology-business process management (IT-BPM) sector is facing increased pressure to report cybersecurity breaches, an expert said.

“I think there is double pressure to do reporting because you report to someone abroad,” Dominic Vincent D. Ligot, head of artificial intelligence and research at the Information Technology & Business Process Association of the Philippines (IBPAP), said during a forum on Wednesday.

“These firms are interested in knowing if there are cybersecurity policies in place,” he said in a separate interview with BusinessWorld. “Especially those coming from places like Europe, where they have very strict privacy laws. Of course, the US is our biggest geography,” he said.

“But you have the likes of JPMorgan Chase & Co. These are banks. They would not send work here if they were not confident that they can secure the data,” he added.

When asked about the impact of cybersecurity incidents on IT-BPM firms, he highlighted the potential loss of credibility.

“Other than India, the Philippines is the next choice. But, for example, if we see the credibility of the Philippines fall, then the third-rate countries will be the ones to step up,” he said.

Mr. Ligot noted that cases of cyber breaches in IT-BPM are low. One of the most recent ones involved Maxicare Healthcare Corp., a third party.

He said that as the industry creates more jobs in the country, it should also be mindful of its third-party relationships.

“The problem is no one really reports incidents because our laws and policies prevent companies from reporting, and unfortunately, this is being weaponized by the threat actors,” said Angel T. Redoble, chairman and founding president of the Philippine Institute of Cyber Security Professionals.

He said cybercriminals threaten firms that if they do not pay, they will tell regulators that they have been compromised.

“It’s not encouraging our organizations or businesses to report because you get penalized,” Mr. Redoble added.

He also said firms do not necessarily have to build their own cybersecurity systems but can outsource third-party services, which must be end to end.

“An end-to-end cybersecurity practice covers the four layers of defense: the governance layer, the risk layer, the compliance layer, and the operations layer,” Mr. Redoble said.

Internally, he said properly informed and equipped users become a force multiplier. This means that as you secure the users, the business and enterprise follow through.

“So instead of calling them your weakest link, you start training them to become your force multiplier and your cybersecurity evangelist. With the change of mindset, you change the culture of the organization,” he said.

Mr. Ligot said IBPAP put together a framework called the 4Es, which comprises education, engineering, enforcement, and ethics, intended not just for AI. — Aubrey Rose A. Inosante