IBPAP: Cyberattacks can jeopardize IT-BPM ops, lead to substantial losses

Amid the recent targeting of the government’s critical information and communications technology (ICT) systems, the Information Technology and Business Process Association of the Philippines (IBPAP) on Tuesday warned against the threat of cyberattacks on the IT-Business Process Management (IT-BPM) industry.

In a statement, IBPAP said the surge of cyberattacks on the systems of PhilHealth, the Philippine Statistics Authority, the Philippine National Police, the Department of Science and Technology, and the House of Representatives was a “serious threat that requires immediate attention.”

IBPAP said it was “deeply alarmed” by the recent cyberattacks as it “not only jeopardizes the operations of the IT-BPM industry but also the reputation of the Philippines as an attractive investment destination.”

“The Philippine IT-BPM industry, which is projected to generate revenues of $35.4 billion by the end of 2023, acknowledges that a successful cyberattack could potentially lead to substantial losses,” the group said.

“More importantly, the ramifications of cyberattacks extend beyond immediate financial losses. They can inflict lasting damage on businesses, leading to client attrition, reputational harm, and long-term financial implications,” it said.

With this, IBPAP emphasized the need to maintain a heightened state of alertness, recognizing the inherent risks from its dependence on digital technologies and systems that host substantial volumes of sensitive data.

The group outlined recommendations for countering cyber threats at the organizational level:

• Adopt a zero-trust approach: Implement a zero-trust architecture to ensure that no user or device is automatically trusted, and that verification is required at every step.
• Invest in artificial intelligence (AI) and machine learning (ML)-led threat hunting: Utilize AI and ML technologies to proactively identify and mitigate potential threats.
• Enhance threat intelligence capabilities: Develop robust threat intelligence capabilities to include monitoring and analyzing threat intelligence feeds, collaborating with peers in the sector, and leveraging threat intelligence platforms.
• Strengthen cybersecurity skills: Address the cybersecurity skills gap by investing in training and upskilling programs for employees.
• Implement strong data privacy and security measures: Establish policies and frameworks to protect sensitive data and ensure compliance with data privacy regulations.
• Regularly update and patch systems: Keep all software, applications, and systems up to date with the latest security patches and updates. Regularly scan for vulnerabilities and apply necessary patches to mitigate potential risks.
• Conduct regular security assessments: Perform regular security assessments and penetration testing to identify vulnerabilities and weaknesses in the organization’s infrastructure.
• Educate employees on cybersecurity best practices: Conduct cybersecurity awareness training programs to educate employees about common cyber threats, phishing attacks, password hygiene, and other best practices to ensure a security-conscious workforce.
• Establish incident response plans: Develop and regularly update incident response plans to effectively respond to and mitigate the impact of cyberattacks. This includes defining roles and responsibilities, establishing communication channels, and conducting regular drills and simulations to ensure preparedness.

IBPAP, likewise, urged the government to ensure data privacy and cybersecurity laws were established to deter cyberattacks and threats across sectors.

The group recommended the approval and implementation of the National Cybersecurity Plan 2023-2028, “which outlines the Philippines’ overall strategy in combating cyber threats that could cripple the economy and national security.”

IBPAP also called to certify as urgent the passage of the proposed Critical Information Infrastructure Protection Act, which provides a clear reporting mechanism and policy framework for public and private institutions in safeguarding the ICT systems of critical information infrastructures from cyber threats and attacks.

“Amend the Cybercrime Law to facilitate the legal proceedings against cybercrimes perpetrated by employees that damage the reputation of Philippine IT-BPM and other industries. IBPAP has taken the lead in communicating the urgency of addressing fraud within our sector and the inability of our members to take legal action against culpable individuals due to constraints set by current laws and regulations,” it said.

The group also advocated for public-private partnerships, calling for a cohesive approach to combat cyber threats.

“Consistent with Roadmap 2028, we pledge to participate in partnerships and collaborations with industry stakeholders, government agencies, and cybersecurity organizations to exchange threat intelligence, best practices, and cooperate on cybersecurity initiatives to create a safer Philippine cyberspace,” it said. — DVM, GMA Integrated News