Warning up on diverse, intricate cyber threats this year
As digital technologies continue to disrupt the cyberspace, a global leader in broad, integrated and automated cybersecurity solutions has advised organizations to prepare against varied and sophisticated cyber threats this year.
In the recently held 5th National Anti-Cybercrime Summit, spearheaded by the Philippine National Police – Anti-Cybercrime Group (PNP-ACG), Nap Castillo, Fortinet’s regional pre-sales consultant for Southeast Asia and Hong Kong, said that as business organizations and individuals increasingly rely on technology for their daily activities, they also expose themselves to many dangers lurking online.
“Users can easily fall prey to cybercrime, especially now that cybercriminals are using a wide range of approaches to snare their victims,” said Castillo. “As such, cybercrime today is no longer just a technology issue. It is turning into a serious economic problem that can impact the financial well-being of individuals, as well as the survival of organizations.”
Police Director Napoleon Taas, chief information officer of PNP and the guest speaker of the event, could not agree more. He noted that despite being in the long battle against cyber-criminality, the country remains vulnerable to cyberattacks. In fact, PNP-ACG revealed that in 2016, the country is also ranked 8th by experts as most vulnerable to attacks by malicious software or malware on mobile devices. The country also recorded around 16,000 malware attacks as of last year.
“The Philippines has now 67 million internet users. While this puts the country in a good spot, it also means that we are at risk of cyber threats posed by criminals,” said Taas.
To prevent these cyberattacks, Castillo said that it is important to deploy an intelligent and integrated layered defense, capable of detecting even unknown threats.
“Despite their efforts, most firms are not able to figure out the root causes of their infections, and are constantly getting re-infected. As such, they need to put in place more and better security controls in their devices, especially for mobile usage and peer to peer and proxy applications. Their security solutions must also evolve into expert systems built around integrated security technologies, actionable threat intelligence, and dynamically configurable and interactive security fabrics,” added Castillo.
General Data Protection Regulation compliance
Fortinet also urged the Philippines to make final preparations to abide by the General Data Protection Regulation (GDPR), effective 25 May 2018.
This law protects the personal information of all citizens of the European Union (EU) and will be enforced through fines, sanctions, and injured-party compensation. It is quite similar to an existing law in the Philippines, the Data Privacy Act of 2012, which subjects any business located in the country to stringent data protection laws that could cost offending organizations fines and jail time of up to six years.
As such, industries impacted by GDPR will need to review all business processes involving personally identifiable information (PII) and assess their organizational readiness to meet the 72-hour data breach reporting mandate.
The GDPR finely balances the rights of EU citizens to control their personal data against the responsibilities of organizations to protect that data both in the course of normal operations as well as in the case of data breaches. Significant new EU personal information protections include the right to explicitly approve personal data usage and a “right to be forgotten,” enabling people to demand that an organization purge any personal data about them. While businesses and governments with a physical presence in the EU will need to abide by GDPR, it may also apply to firms with significant EU customer or client bases.
Despite the impending deadline, most Asia Pacific businesses, which serve the EU market or have significant transactions that capture PII are still not fully prepared. According to the third biennial EY Global Forensic Data Analytics Survey by Ernst & Young (EY), only 12 per cent of firms in APAC have a GDPR compliance plan in place.
“While GDPR affects private and public sector organizations handling PII, certain key industries will have heightened exposure as a result of the volumes of PII data they handle as well as the nature of their business,” said Peerapong Jongvibool, Regional Director for Southeast Asia and Hong Kong, Fortinet. “These include e-commerce-based organizations operating internationally, as well as companies that serve significant numbers of tourists, visitors, or expatriates from the EU.”
Fortinet lists the top three industries impacted by GDPR:
Retail − Retail businesses most likely to curate GDPR-relevant PII data include cross-border e-commerce operations, multi-venue retail chains, hospitality, travel, and F&B businesses. Brick-and-mortar businesses serving EU customers can also find themselves liable to GDPR PII protections. Paying with a credit or debit card, providing shipping address information and participating in a customer loyalty program all fall under the protection of GDPR.
Healthcare − GDPR extends its coverage to non-EU organizations storing or processing the medical information of EU persons. GDPR enacts particularly stringent protection and processes for handling particular types of PII medical information. In general, an organization may collect and process personal medical information only if it is necessary for patient treatment and diagnosis, and with the explicit consent of the patient. GDPR also mentions genetic data as an area of particular concern.
Financial Services – Financial organizations often maintain huge stockpiles of PII data on account holders. They also consume and generate vast quantities of highly personal marketing data to support selling financial services and assessing creditworthiness of commercial and individual customers.
Organizations preparing for GDPR must focus on reconfiguring their business processes and IT architectures, as well as reducing exposure of PII data.
Fortinet advises enterprises in the Philippines to take the following steps to accelerate GDPR compliance:
Engage a third-party firm to assess data protection practices and exposure to GDPR rules.
Conduct a comprehensive data audit to understand data source, collection and processing. It should include documenting where GDPR-impacted data is stored, how it is communicated between systems within the domain, and any external clouds or third-party data custodians.
Determine how long it takes for data-breach detection and mitigation and what is required to improve these processes to meet GDPR requirements. This element of the action plan should also include a detailed security assessment.
“At the end of the day, complying with GDPR may well turn out to be the right thing to do to protect the privacy and interests of all stakeholder communities linked to an organization,” concluded Jongvibool. “As onerous as GDPR might seem, it could mark a big step towards restoring public confidence in the ability of businesses to deliver social benefits while simultaneously curbing social risks.”/ac