CEBU CITY — Local banks, telcos, energy firms, and other companies operating critical information infrastructure (CII) could lose P6 billion a day if they are all compromised at the same time in a cyberattack, an advocacy group warned.
If all major CI operators were attacked, revenue losses could reach as high as P2.81 billion in the energy sector, P1.49 billion in banking, P1.06 billion in telecoms, P631 million in transportation, P115 million in water, and P40 million in healthcare, according to a Secure Connections study that looked into the financial reports of firms listed with the Philippine Stock Exchange.
These estimates exclude “indirect and non-quantifiable costs” such as regaining public trust and upgrades needed to fend off future breaches, Secure Connections ICT policy analyst Mary Grace Mirandilla-Santos said.
While beefing up digital defenses might require companies to hire experts and procure the necessary equipment, Mirandilla-Santos said, “The cost will be actually smaller if you have preventive measures in place, so don't wait to be attacked.”
“We need to develop a cybersecurity culture… If you're using the Internet, if you're on cyberspace, there is a very high likelihood that you will get attacked. We need to make sure that government, businesses, institutions, individuals understand what they need to do to promote cybersecurity,” she said in a seminar hosted by the US Embassy in Manila.
A national cybersecurity plan being drafted by the DICT would require companies to report cyberattacks, noted Ely Tingson, senior vice president for cyber risk at independent risk advisory firm Kroll.
“A lot of companies get hacked and they just keep silent about it. Most companies here do not report to authorities because we do not have reportorial requirements,” Tingson said in the same seminar.
“Reporting is very important. Data-sharing is very important, if we want a whole-of-society approach to cybersecurity,” Mirandilla-Santos said.
She said an executive order could set minimum information security standards, while Congress in the long run could pass a CII Protection Act. She said government agencies should also have the mandate and funds to build up capacity for information security.
“Despite the lack of a national policy, there are certain government agencies and regulators that already put cybersecurity measures in place, especially the banking sector. The BSP (Bangko Sentral ng Pilipinas) is one of the more proactive regulators in terms of promoting cybersecurity,” Mirandilla-Santos said.
“But again, we need to put in place policy that will ensure all critical infrastructure will be protected,” she added.