In a Frost & Sullivan study commissioned by Microsoft titled Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World, it was revealed that the potential economic loss in the Philippines due to cybersecurity incidents can hit USD 3.5 billion, equivalent to 1.1% of the country's total gross domestic product of USD 305 billion.
The study involved a survey of 1,300 business and IT decision makers spanning from mid-sized organizations (250-499 employees) to large organizations (over 500 employees). The study aims to provide the respondents with insights on the economic cost of cybersecurity breaches in the region and identify the lapses in organizations' cybersecurity strategies.
“As companies embrace the opportunities presented by cloud and mobile computing to connect with customers and optimize operations, they take on new risks,” said Hans Bayaborda, Managing Director of Microsoft Philippines. “With traditional IT boundaries disappearing, the adversaries now have many new targets to attack. Companies face the risk of significant financial loss, damage to customer satisfaction and market reputation — as has been made all too clear by recent high-profile breaches.”
The cost of cybercrime
Calculating the cost of cybercrime, Frost & Sullivan formulated an economic loss model based on macro-economic data and insights shared by the survey respondents. This model factors in three kinds of losses caused by a cybersecurity breach.
“The first of which is the direct loss and that is the revenue that you lose when you have a cybersecurity incident. There is also the indirect cost which refers to the value of the customers that were lost due to reputational damage. The third layer, which is the hardest one, is the general loss,” said Mary Jo Schrade, Assistant General Counsel, Microsoft Digital Crimes Unit, Microsoft Asia.
“Although the direct losses from cybersecurity breaches are most visible, they are but just the tip of the iceberg,” said Edison Yu, Vice President and Asia Pacific Head of Enterprise for Frost & Sullivan. “There are many other hidden losses that we have to consider from both the indirect and induced perspectives, and the economic loss for organizations suffering from cybersecurity attacks can be often underestimated.”
“Consider an establishment where all credit cards of all those who shopped there are affected. It's pretty logical to consider if you want to shop in that store anymore. And so when you don't shop in that store anymore because you think that your credit card is not safe there, then they have to let go a lot of people,” Schrade added.
Frost & Sullivan elaborates that the third kind of loss, the induced loss, refers to the impact of the breach on the broader ecosystem and economy, reflected in the decrease in both consumer and enterprise spending.
More doesn’t mean better
While high-profile cybersecurity breaches, such as ransomware, are garnering attention from enterprises, the study also reveals that Philippine organizations are more concerned about data corruption and data exfiltration, as these have the highest impact with the slowest recovery time. Moreover, putting up a complex cybersecurity infrastructure actually defeats the purpose of making an organization secure.
"One of the things that is interesting is companies that have more than 50 security solutions have thought that they have a higher percentage of security incidents. A conclusion that you could draw from that: it is complex to manage so many things, and that more doesn't necessarily mean better," Schrade explained.
In addition, Frost & Sullivan reported that 46% of respondents see a cybersecurity strategy merely as a way of safeguarding the organization against breaches rather than as a strategic business enabler. Only 25% of the respondents see a cybersecurity strategy as a digital transformation enabler.
“The ever-changing threat environment is challenging, but there are ways to be more effective using the right blend of modern technology, strategy, and expertise,” Bayaborda added. “Microsoft is empowering businesses in the Philippines to take advantage of digital transformation by enabling them to embrace the technology that’s available to them, securely through its secure platform of products and services, combined with unique intelligence and broad industry partnerships.”
"When your business goes into digital transformation, you should already factor security into the design. One recent example is the case of Jollibee. Jollibee's ordering website was assessed and the National Telecommunications Commission (NTC) found vulnerabilities on it. Apparently, when Jollibee put up the website, security was not a consideration. NTC is now asking them to remediate the weaknesses of the website," said Angel “Lito” S. Averia, Jr., President, Philippine Computer Emergency Response Team.
"Cybersecurity should be a practice. We have to develop a cybersecurity culture, and make our place and employees in the organization aware, and that awareness should be translated into a cybersecurity culture that observes practices such as the regular changing of passwords and not providing what is more than needed. CIOs should take this opportunity as the management is now more aware," Averia added.
Making the modern enterprise more secure
Frost & Sullivan concludes the study with a number of recommendations on how to make the modern enterprise more secure in today's digital world.
"Maximize the tools. Always keep in mind, you should always prioritize. One of the key things in the study is the fact that more doesn't mean better. The more security tools that you have doesn't mean you are secured. Think of what's the best as far as the different options that you have. Make sure that the people that you have are trained to utilize these tools. The best tool is useless, unless people know how to actually use it," said Raul Cortez, Corporate, External, and Legal Affairs Lead, Microsoft Philippines.
“Practice continuous compliance. With assessment and review, you are well aware of what is happening in your various environments. We need to understand that there are threats and we can prevent those threats from coming to fruition. But also, make sure that we comply with certain obligations. One of the things that people have mentioned is that privacy is actually top-of-mind as far as a number of companies are concerned. With privacy, we have a number of compliance obligations that we have. With the right tools, you could actually have a more compliant working environment,” Cortez added.
“Lastly, look at AI. Because of the number of threats and amount of data that we process, we should harness the power of AI. There is the fact that you do not need so many people in order to analyze data. AI does that for you and identifies the threats for you. Hopefully, you could leverage AI and use automation to actually increase capacity and focus on whatever your core business is,” Cortez concluded.