Changing Tactics: 5 ways hackers have evolved and how to remain alert in protecting your data

By Edwin Concepcion

Businesses in the Philippines are embracing digital transformation in tandem with developing infosecurity systems and data protection guardrails. As such, personal data may be left vulnerable to hackers, whether stored or in transit. Hackers are adapting their techniques at an alarming rate – an evolution that has been largely accelerated by the power of Generative AI, leading to attacks that are more sophisticated and realistic. This demands that our response focuses not only on technical defences but also on comprehensive data protection strategies.

How Hackers Have Evolved and How to Guard Against Them Today

From 2020 to 2022, roughly 3,000 cyberattacks and 54,000 cyber threats were observed in the Philippines, as reported by the Department of Information and Communications Technology (DICT) earlier this year. Since January 2023, five government agencies have been attacked. These alarming statistics are in line with the global surge in cyberattacks and symptomatic of hackers’ diversifying tactics, which we need to be able to recognise and guard against.

  1. Precise Social Engineering and Targeted Attacks

The age of broad, indiscriminate attacks is waning. Hackers now exploit social engineering tactics, such as spear phishing and pretexting, psychologically manipulating their victims into divulging sensitive information. In Verizon’s 2023 Data Breach Investigations Report, 74% of breaches involved human interaction, which includes social engineering attacks – of which 50% are pretexting incidents, nearly twice last year’s total.

To counter such threats, data protection calls for heightened user awareness and better cyber hygiene practices. While individuals may be more vulnerable to cyber attacks, on the corporate front, regular training sessions can equip employees with the practical skills to identify suspicious emails, ensuring that they remain vigilant against manipulation. Scammers can alter legitimate organisation names and websites, so extra steps must be taken to verify the official sources of information on the organisation.

  2. Ransomware and Elevated Extortion

Ransomware attacks have evolved from simple data encryption to “double extortion” tactics, where hackers not only hold data hostage but threaten to release sensitive information publicly if their demands aren’t met.

Similar to dealing with phishing emails, organisations should ensure their personnel are informed about threat actor techniques. If you are an employer, educate your staff on reporting suspicious emails, such as those with malicious attachments. To improve workforce awareness, organisations can test their personnel with simulated real-world phishing emails.

  3. Deep Fakes That Fool

AI-driven technology has ushered in the era of deepfakes. Initially developed for creative purposes, the technology can deliver convincing replications of anyone’s voice or appearance, an ability that is now being harnessed for malicious intent.

As such, verifying digital content has become imperative for data protection. Within an organisation, employees should verify access or action requests through multiple channels, especially if they involve high-risk actions.

  4. IoT and Connected Devices

Where stored data used to be siloed into devices, the proliferation of the Internet of Things (IoT) has brought the convenience of connectivity but also amplified security risks. Unsecured devices can serve as gateways for hackers to infiltrate networks, because these devices can have zero-day vulnerabilities and require manual updating.

A data protection stance emphasises securing not only traditional IT systems but also IoT devices and managing their risks. Implementing strong network segmentation and regularly updating IoT firmware can significantly reduce vulnerabilities. Companies should conduct regular network vulnerability scans to identify possible gaps within the organisation’s infrastructure and ensure that these issues are fixed as quickly as possible.

  5. Supply Chain Vulnerabilities

The interconnected nature of businesses has increased the number of weak links in supply chains that hackers can now target to compromise business information. Key weaknesses include third-party vendors with access to organisational data and systems, weak information security practices, and vendor data storage or software vulnerabilities.

To counter this risk, data protection strategies should encompass thorough vendor assessments, contractual obligations for security standards, and contingency plans for supply chain disruptions. According to the fourth principle of Accountability in the Philippine Data Privacy Act (DPA), Personal Information Controllers and Processors (PICs and PIPs) should demonstrate accountability for the data entrusted to them by implementing measures to secure the data and governing data sharing with third parties and data transfer arrangements.

Having a Plan: When You’re Exposed to a Cyberattack

Preparedness is the cornerstone of data protection. Beyond technical safeguards, businesses should consider proactive measures such as having a good Business Continuity Management (BCM) framework that helps organisations ensure minimum downtime and resume operations quickly if a crisis hits. This includes a Data Protection Management Plan (DPMP) that integrates a robust breach response, so that the organisation can act swiftly and decisively during such incidents. By extension, having a crisis communications playbook tailored to data breaches ensures transparent and timely communication with stakeholders during an incident, safeguarding both trust and reputation.

The Philippine National Privacy Commission (NPC) requires all PICs and PIPs to have a Security Incident Management Policy. This comprises having a security incident response team to mitigate the effects of the breach, and laying out measures that minimise the occurrence of such incidents.

According to the NPC, a hacking incident is considered a confidentiality breach. In addition to notifying the affected data subjects of the incident, you must also report it to the NPC if all of the following apply:

  • the breach involves sensitive personal information that may be exploited for identity fraud;
  • an unauthorised person is in possession of the personal data; and
  • the PIC or the NPC believes that the breach poses a risk of serious harm to the affected data subjects.

However, the NPC can allow for a delay in notification “to the extent necessary to determine the scope of the breach” and contain it.

After-Effects: Refining the Data Protection Strategy

Once the incident has been handled, the organisation should evaluate the plan and its response, and consider the actions it should take to prevent future breaches and refine its data breach response.

The DPA also specifies eight rights of data subjects, one of which is “the right to damages”, under which data subjects can claim compensation for damages due to unlawfully obtained personal data. As an organisation, you may anticipate such damage claims by having data breach insurance in place to mitigate the financial impact of the breach.

Conclusion: Evolving with the Tactics

As hackers evolve, our defences must evolve in tandem. In the era of Gen AI, data protection is not just a safeguard – it’s a strategic imperative.

By understanding the shifting landscape of cyber threats and embracing a data protection perspective, organisations can proactively adapt to new tactics. And by equipping employees with knowledge, investing in advanced technologies, and fostering a culture of vigilance, we stand better protected online against increasingly sophisticated threats.

(The author is the Philippine Country Manager of Straits Interactive)