Berns San Juan: Hi guys, and welcome to another episode of the Truelogic DX Podcast. This episode is going to come with a content warning. If you are prone to depression, it’s time to take your uppers. So take your antidepressants, because we’re going to talk about the state of cybersecurity in the Philippines. What a great post-Halloween episode.
So ransomware extortion cases in the Philippines have been on the up and up for the past two years. There have been 11 reported cases in the country across multiple sectors, and that was only in 2022. Year on year, the frequency by which ransomware extortion cases have been increasing in the country has been at about 57% year on year. And since January of this year alone, there have been five government agencies that have been attacked. Threat actors are utilizing more aggressive tactics than ever to pressure organizations with harassment, being involved 20 times or more in 2021, according to at least, a Palo Alto Networks report.
In 2023, Unit 42 Ransomware and Extortion Report showed that the Philippines took up the fourth spot in Southeast Asia, along with Malaysia, in terms of incidents and vulnerability to cyberattacks.
So to learn more about the state of cybersecurity in the Philippines and get to know some best practices that you might want to do, some of the places where you might want to invest to protect your business, that’s what we’re going to focus on in this episode.
Current Landscape of Cybersecurity in the Philippines
So let’s begin with the current landscape of cybersecurity in the country. It’s so sad that the IT industry in the Philippines is pretty small. If you take a look at IT-enabled services in the country, look at you, BPOs. The IT-enabled industry in the country is huge. It’s huge. It outpaces all remittances from all OFWs in any given year.
The Philippines ranked 2nd among countries that saw the most cyberattacks worldwide, amid increased use of digital platforms due to the coronavirus pandemic. And this is according to a study that was done by Kaspersky. In the same study, it showed the 2022 global ranking was topped by Mongolia, followed by the Philippines, followed by Ukraine, then Greece, then Belarus, right? Like all of us dancing between 49% to 51%.
Unfortunately, that means we moved up two spots where we used to be the 4th. In terms of incidents of cybersecurity attacks, we have now become the 2nd, right? So not a good move. This is not one of those scales where we want to be second in the world. It’s estimated that Philippine companies had paid about $1.6 million on average for ransomware attacks in 2022.
Imagine the cost of doing business, right? 1.6 million on average. That’s not the total of all ransomware paid. That’s across 22 reported incidents in 2022. It makes the country the third most extorted by ransomware in the world, next only to Japan and the Netherlands.
So remember, we tie with Malaysia in Southeast Asia, but globally, we’re behind Japan and the Netherlands. That’s from a report that was released by Sophos for 2022, which, by the way, is the security that we use in the office. The figure is double the global average of ransomware payouts, because on average, like in the world, the average payout for a ransomware incident is about $800,000. It also costs Philippine companies, on average, 1.3 million to recover from the ransomware that’s in disruption to work, opportunity losses, and so on.
All of this is despite that, the Philippine companies surveyed either have full or partial cybersecurity insurance. Now, the National Bureau of Investigation, the NBI Cybercrime Division, recorded a 200% increase in phishing in the country since we went into lockdown. Again. Sort of makes sense, right? Because everybody’s online. Like, the perfect place to victimize people.
Over 8 in 10 or about actually, to be more accurate, about 82% of small and medium businesses in the country are more concerned about cybersecurity today than they were a year ago. And rightly so. I think this is where the media has done a great job at providing coverage for cyber attacks that happen. Like, take, for example, most recently with PhilHealth. Previously, I think it was DOST. So it’s important to keep this front and center and to keep it part of the conversation so that enterprise businesses, brand owners, and business owners can take it seriously.
Top 5 Industries Targeted by Cyberattacks in the Philippines
1. Financial Sector
The industries that tend to be targeted tend to be, first, the financial sector, right? It’s probably not just me. And I appreciate this. The banks that I use, Metrobank, BPI, BDO, I use them all.
I get non-stop reminders, messages, and best practice content about not sharing your OTP. Don’t share your card number with anyone. Never share your card security code. Never accept a call asking for an OTP. Never take a call from the bank that asks for your account number. These are all great practices. And so when we say the financial sector is the most targeted by cybercrime and ransomware in the Philippines, what you’ll notice is that what they’re primarily targeting are financial institutions, because they store large amounts of sensitive financial data, right?
And that’s valuable to cybercriminals. Phishing scams asking for your OTP. Like, how would they ever do that if they didn’t know your card number? How would they ever do that if they didn’t know your account number, right? So it’s not so much that the major financial institutions in the country are the targets of cybercrime, but it is the customers of these institutions that get targeted by cybercrime.
2. Government Sector
We’ve seen this, right? Government data. Government agencies control a lot of our information. When you go to PhilHealth, you’re going to see your medical history, the company you’re employed with, the address of your company, your address, and your SSS number, it’s all going to be there. And so if I wanted to sell the data of millions of Filipinos to illicit marketers, they would be a great source of that data.
3. Healthcare Sector
Like, again, looking at you, MakatiMed, and you, Cardinal, and all of you, other hospitals out there, that, A, are not fully digital, but, B, are also not fully secure, right? Like, there is doctor-patient confidentiality for a reason. We’re very private when it comes to our medical records. But these institutions don’t have the most sophisticated security behind them.
I will say, for the banks, kudos to them. They do have pretty sophisticated security. Like, I love it.
4. Education Sector
The education sector is also a target. This much I will say, for the education sector, the only reason it’s not such a big deal is because the education sector’s move to digitalization has been painfully slow, right? For institutions that groom the next generation of leaders and innovators, you guys are painfully slow to lead and innovate, right? Like, painfully slow.
5. Retail Sector
And then, of course, there’s the retail sector, right? Vulnerable to ransomware attacks. And they do process large amounts of data. They will know your name, they will know your address because they deliver that. And then they can use ransomware to encrypt that data. They can use a ransom, right, to release that data to lock people out of their PCs and so on.
Historical Cybersecurity Lapses in the Philippines
So I know that I’m sounding alarm bells, but I have proof. Like, in my Halloween basket, I brought the proof. So 2016, February, the COMELEC leak. Do you guys remember that? Two groups of hackers. This was Anonymous Philippines and LulzSec Pilipinas. As an act of political protest, they defaced the COMELEC’s website. And they did say that they managed to acquire 340 GB of voter data, right? From 55 million Filipino voters. If Filipinos were more digitally savvy, that would have alarmed us. Instead, it lasted for three news cycles and disappeared.
Okay, next April 2023, a massive data hack that exposed 817 GB of both applicant and employee records in multiple agencies, including the PNP, the NBI, the SAF, the Special Action Force, and also including the BIR, put the personal information of millions of Filipinos at risk, right? Like, that’s a lot. That’s a lot. That was just this year.
Next, September 22. This year. PhilHealth. All right, the Medusa ransomware and it’s a big deal. 700 GB worth of your most sensitive information is now in the hands of people who we don’t know. On October 12, The PSA disclosed that personal and sensitive data from its community-based monitoring system had been accessed by malicious entities. Quote Unquote, malicious entities. Evil spirits.
Okay. October 15. The website of the House of Representatives, the website of the Congress, and the Senate had also been hacked. Hackers identified themselves as the 3MUSKETEERZ and uploaded over the weekend an image of the troll face meme on the Congress.Gov.PH website, right? And they left a message that said, like, “April fools”, kahit October pa lang. Fix your website.” Again, they’re lucky that this was just a wake-up call. That this was just a wake-up call hack. But it still talks about the vulnerability of the system.
Last October 2022, a Filipino hacker did voluntary vulnerability testing on a bunch of Philippine agencies. And on a tweet on Twitter currently known as X, he claims that he was able to gain access to at least five major government agencies. Diablox Phantom claimed that he had hacked into the servers of the Philippine Statistics Office, right, the PSA, which handles the country’s national identification cards, therefore exposing all of our information.
He also said, Diablox Phantom, by the way, also said he managed to breach the DOST because the password to the damn website was admin123. Come on, guys. Come on, guys, right? And then the DICT confirmed that the sandbox version of its website had been hacked.
So in short, we’re not strangers to ransomware, cybersecurity issues, and penetration. We’re not strangers to this. It happens on a large scale. Again, if we were more digitally savvy if we were more digitally educated, this would alarm us, right?
Like, do you guys know the impact of Cambridge Analytica on the US 2016 election? And that wasn’t even as illicit as this, right? Can you imagine what a really smart bad player could do with all of that information? The amount of targeting they could do on specific Filipinos, the blackmail that you guys can get?
Take for example, what if, on your PhilHealth record, PhilHealth had subsidized the cancer treatment and you never told your family, right? What if you’re running for public office and you’re HIV positive? All of that is now out there. So what do you need to do? Let’s move this to practicality. What do you need to do?
Cybersecurity Tips for Businesses
1. Keep software and hardware up-to-date
So first things first. Common sense, right? Keep your software and hardware up to date. Like, there’s a reason Windows updates itself. There’s a reason IOS updates itself. And it’s not just for usability, right? It is for your security.
2. Use cloud-based tools
Next, guys, cloud technology was a buzzword ten years ago, right? If you are the subject of, like, take, for example, let’s say, my device. Let’s say this device that I’m using right now if this was hit by ransomware and I got locked out, I would just reformat the damn thing. As soon as I’m done with reformatting, sure, I have to reinstall all of my applications, but my project management tools are all cloud-based.
When I review payroll, that’s cloud-based. Like, everything we do is cloud-based. There is nothing that sits on a physical server anywhere that the hacker will stop me from working for half a day. That’s it. That would be the impact of ransomware on my device, right? So where your business can shift its process to be cloud-based, go cloud-based.
3. Educate your employees
It’s not enough to say, don’t open suspicious emails, because what you might think is a suspicious email might not look like a suspicious email to your employee, right? So if somebody had received an email that says, Taylor Swift ticket raffle, click this link. There you go. There you go, right?
Either that or your employee might not know email@example.com. They receive an email that looks like that. firstname.lastname@example.org and then it’s asking for, please confirm your payroll transaction by clicking this link, right? Like, there you go again. We have had instances, by the way, where our accountants got emails from what looked like me and our senior partner, like, it was signed as us. It was a spoofed email. Like if they weren’t paying attention because it said email@example.com. Who’s that, right? Like, that’s not me. I don’t own truelogic.com, right?
So spoofed emails. It’s not enough to say, don’t click suspicious emails. The first step before that is to educate your staff, all your staff, right? Like, educate everyone with access to the internet in your office about what a suspicious email looks like, right?
4. Encrypt your data
Encrypt your data and make sure that when you’re file sharing, you do it across secure channels. Software against antiviruses and malware, keep those always up to date. It’s a small investment that will save you a lot of pain. It’s sort of like investing in antivirus and malware is sort of like the same thing I tell my driver when I see him driving in a rush, I tell him, let the guy through. It’s a 15-second hassle. Because if we collide, that’s an hour’s hassle, right? So you are investing 15 seconds to not be sassed on the road and sass everybody else for an hour.
So this is what your investment in an antivirus and malware is. If you’re not investing, if you’re too cheap to invest in this, I don’t know. Prevention is better than cure, right? VPN, wherein the current situation where a ton of businesses and I work in Makati, so I can see how empty the offices are. Most offices in Makati are not fully occupied.
5. Use a VPN to privatize your connections
If you’re enabling work-from-home scenarios, have people log into your network because you can secure your network via a VPN, right? So use a VPN to privatize your connections. Don’t scrimp on the investment. You want to be hybrid, you want to be remote first, then put in the investment.
6. Don’t be lazy with your passwords.
admin123? Password1234? Everybody’s thought of that. Don’t use those as passwords. More than that. Where available, enable two-factor authentication. Like, I can’t even tell you the number of times I’ve been saved by two-factor authentication, where I see a transaction happening in my name and I don’t recognize it, right? But where available, always enable two-factor authentication.
7. Don’t go to websites that are not secure.
Regardless of how much you want their stuff. Don’t go to websites, like if Nike were on a 50% sale and that thing was not secure, I wouldn’t go there, right? Brands, websites, and businesses that care about you will care about the environment you operate in. If a business doesn’t care enough to encrypt its information, if it does not care enough to secure itself, for me, their audience, then I shouldn’t have to care about dealing with that business.
8. Avoid using public networks when you can.
Like I mean investing in your mobile data is pennies and cents now. Come on guys, come on guys. Try to avoid using public networks. It is a little-known trick for hackers to enable their phones to send out a signal so that they look like a WiFi connection to gain access to your device.
Most importantly, it is so important that I’ll just say it again, train your staff. Like train your staff, train yourself. Train your staff. You might know what a suspicious email is, but I promise you it is not common sense.
So with that, I want to thank you for joining us here at Truelogic DX. I hope this is one of those episodes where I know it’s not going to rock the numbers, but it is super important to talk about, right? It’s super important to talk about. If I’m going to bash the media for not making a big, for you know, only running cybersecurity issues for three cycles, then at least I have to do my part in making sure that I make noise about it. Truelogic DX is available on Spotify, Google, and Apple accounts.
Now give us a shout-out on social media to tell us what you thought about this topic. If you have any other comments or topics that you want us to cover, let us know. Thank you to our friends at Podmachine, as always. Thank you to our marketing team for producing these episodes and I’ll see you again on the next episode. Cheers guys.