New cybersecurity tech needs to drive policy evolution, experts say

CYBERSECURITY POLICY must evolve with the emergence of new technology, experts said, noting also the importance of automatic reporting from organizations experiencing data breaches.

“The policy should evolve with the emergence of new cybersecurity technology because it affects the landscape as well,” ePLDT Enterprise Field CISO and Head of Enterprise Consulting Practice Alex Bernardino said during a panel discussion at a BusinessWorld Insights event on June 25.

He noted that PLDT network threats have evolved from denial-of-service attacks to ransomware during the pandemic.

National Privacy Commission Director of Data Security and Compliance Office Aubin Arn R. Nieva cited the progress made in legislation, such as the Cybercrime Prevention Act, the Data Privacy Act, the Consumer Protection Act, and the Internet Transactions Act.

“As you remember, back in 2012, our congressmen in Batasan Hills rushed to pass the Data Privacy Act because overseas investors did not want to invest in the Philippines because we had no data privacy regime here,” he said.

Mr. Bernardino expressed support for more “ironclad legislation” like the Cybercrime Prevention Act and the Data Privacy Law.

“We have to implement it strictly… I think that’s the missing piece now,” he said, noting that violators must be made an example of.

On June 21, the National Bureau of Investigation arrested a Manila Bulletin data security officer who admitted to hacking about 93 websites of government agencies, private companies, and overseas organizations.

The hacks involved the website of the Armed Forces of the Philippines, the mail server of the National Security Council, and an Army recruitment website.

Other government websites that were recently compromised include those of the Maritime Industry Authority, while the list of private-company victims included Jollibee Foods Corp., Maxicare Corp., and Toyota Motor Philippines Corp.

“It should not be only the National Privacy Commission that discloses the breach to the public. It was the duty of Maxicare in the first place to disclose that and inform their members that were affected,” Information and Communications Technology Assistant Secretary for Legal Affairs Renato A. Paraiso said.

Mr. Nieva said organizations that were breached should not be stigmatized and should instead be held up as case studies for future learning.

“The learnings should become part of our best practices,” he said.

Asked about making cybersecurity less daunting for small business owners, Mr. Nieva said the solution involves a solid privacy management program.

Mr. Nieva said negligent employees not observing the correct procedures in using company infrastructure could expose the company to threats and risks.

He also cited the need for data protection measures.

“Are we going to use artificial intelligence, machine learning, blockchain technology, neural networks in the pursuit of the company’s purpose?” he added, citing the risk posed by the technologies to client data.

“Artificial intelligence tunnels into the data you collect. The golden rule is, do not collect if you cannot protect,” he said. — Aubrey Rose A. Inosante