Cybersecurity gaps could jeopardize 75% of Philippines’ BPO market —USAID report

The Philippines could jeopardize the US portion of its business processing outsourcing (BPO) market—amounting to 75% percent of the $23-billion sector—if the gaps in the country’s cybersecurity capacity remain unaddressed, a report by the United States Agency for International Development (USAID) has shown.

The report, developed by IBM for USAID’s Better Access and Connectivity (BEACON), finds that in 2021, the Philippines had the highest numbers of users attacked by banking Trojans—a type of malicious software—in the Asia-Pacific, and was the fourth most targeted country by cybercriminals overall.

The report recommended that the Philippines invest in its cybersecurity capacity and address its shortage of cybersecurity professionals to weather increasing and relentless cyber-attacks and information security breaches.

“The nations that do not respond well to the wave of cyber-crime will at best stagnate their BPO markets, and will at worst, lose their BPO market share to other nations that prioritize cybersecurity,” it said.

Cyber sector issues

The study found there is a global shortage of cybersecurity professionals, the situation is even “more acute in developing countries where technical talent gaps are the largest.”

In the Philippines, while the majority of the cyber workforce is well-educated and hold a STEM degree, their salary is woeful compared to their US counterparts, even adjusting for the cost-of-living difference between the two nations.

"[T]his enormous difference may help to explain the movement of cyber workforce members from the Philippines to the US markets," the report said.

Another problem for the Philippines is that "cybersecurity job roles and responsibilities are not defined clearly at a national level," with the DICT noting that the country's cybersecurity sector is still in its "infancy."

"Though the Civil Service Commission is the national government agency that sets job descriptions, there are none for cybersecurity, and ICT job descriptions currently available are, at best, archaic," the report said.

If the Philippines does not address these issues, the study concludes, it will "fail to substantially increase the size of its cyber workforce in the nation’s business market; continue to have great difficulty recruiting and retaining cyber talent within the national government departments/agencies; and be unable to take advantage of a burgeoning world demand for cyber expertise (i.e., via the Philippines’ BPO market)."

Recommendations

To address the gaps, the USAID study presented solutions divided into two tracks: incremental solutions and jumpstart/adaptive solutions.

Track 1: Incremental solutions. These are "natural evolutions" or the “extensions” of existing cybersecurity activities and are considered to be “low-risk.”

These include:

• encouraging cyber awareness at all levels, beginning in school;
• ensuring the government, especially the DICT, is staffed with "competent cybersecurity personnel" and that cybersecurity initiatives are sufficiently funded;
• creating a common cyber lexicon "so that various sectors of Filipino society are not 'talking past each other' in meetings and forums meant to foster collaboration"; and
• ensuring that Filipinos have viable defenses in the event of cyber attacks, such as the ability to freeze their credit.

Track 2: Jumpstart/adaptive solutions. These are more radical and designed to “prime the pump for a more robust Philippine cybersecurity ecosystem.”

Recommendations under this track include:

• the appointment of an executive agency for cybersecurity that will
  • review and adjust laws and policies;
  • create cyber apprentice programs and offer tax incentives to create such;
  • provide grants to create cyber centers of excellence;
  • provide vouchers which will pay for graduates' first-time CISSP (Certified Information Systems Security Professional) certification and other certifications; and
  • fund scholarship programs;
• implement a cybersecurity curriculum, requiring CHED and TESDA to develop these for the students and trainees in their respective purviews;
• enhance and implement cybersecurity legal training for judges;
• make the government's cyber pay scale competitive; and
• sponsor a national cyber consortium.

The report stressed that if only Track 1 or the "incremental solutions" are implemented, without the "jumpstart" to the industry offered by the second group of recommendations, 75 percent of the Philippines' BPO sector, representing the US portion, "may soon be jeopardized."

If cyber staff shortages are allowed to continue, it added, real negative consequences will result.

In June, the BPO industry reported it surpassed its revenue target of $29.1 billion and 1.43 million full-time employees for 2022. — BM, GMA Integrated News