Rising above the digital tug-of-war
Recent technological advancements have intensified a digital tug-of-war that both threatens and fortifies the strength of our data privacy guardrails. The fast-tracked deployment of technologies such as generative AI often comes with minimal protocols, which poses privacy, security and even ethical risks. Robust data protection and cybersecurity methods should be put in place to ensure more rigorous means of securing data, to withstand new threats brought about by digital transformation.
Between 2020 and 2023, there were roughly 3,000 cyberattacks and 54,000 cyberthreats, and the Philippines saw a 400 percent year-on-year increase in cybercrime last year, coinciding with the recent proliferation and adoption of generative AI.
However, the key to navigating this complex landscape lies not in shying away from innovation, but in understanding its risks so that we can leverage technology’s potential responsibly. Holistic internal governance that is aligned to business objectives is also essential.
AI: A double-edged sword
In the Philippines, government-led AI development, driven by various state-level research institutions and collaborations with the private sector, is poised to propel generative AI into mainstream use.
The country’s Department of Trade and Industry (DTI) launched the National AI Strategy Roadmap in 2021, outlining strategic priorities and responsibilities for the government, industries and academia. This includes a future National Center for AI Research (N-CAIR), led by the private sector, as well as the AI and Information Communications Technology (ICT) Roadmap, rolled out by the Department of Science and Technology, Philippine Council for Industry, Energy and Emerging Technology Research and Development (DoST PCIEERD).
All this will pave the way for potential transformative breakthroughs, creating new avenues for productivity, growth and insight-generation. AI is also revolutionizing threat detection and response by analyzing vast amounts of data to identify anomalies and predict malicious online attacks, enabling faster response times. It can also automate repetitive tasks like vulnerability scanning and patching, freeing up human analysts for more complex work.
But as generative AI goes multimodal and the world transitions from content creation to content generation, its ability to produce realistic material raises issues regarding authenticity, data privacy and intellectual property. The same ease of content generation is also available to scammers and hackers, enabling them to commit traditional crimes using new techniques.
Major data security threats
Hackers are adapting their techniques at an alarming rate, leading to attacks that are more sophisticated and realistic. Instances of identity theft using deepfakes and voice cloning are on the rise. Cybersecurity experts predict that ransomware attacks will more aggressively target critical infrastructure and businesses with high data value. These are part of Advanced Persistent Threats (APTs), where sophisticated hacking groups use social engineering and zero-day exploits to weasel their way onto a network to mine private data. Malicious actors exploiting vulnerabilities in third-party vendors also remain a major concern in global supply chains.
Integrating a company’s data with generative AI services can also introduce security and privacy vulnerabilities, as it involves sharing data with external providers. The extent of these risks hinges on various factors, including the provider’s reputation, its data handling policies, and its alignment with data protection regulations, such as those on purpose of use.
Even more pervasive dangers await the integration of generative AI into personal smart devices. Smartphones, for example, collect vast amounts of personal data, which raises concerns about how the information is processed, stored, used and shared. Multi-device connectivity and data-sharing have further amplified the security risks of unsecured devices, which can serve as gateways for hackers to infiltrate networks with zero-day vulnerabilities.
Most at risk of data breaches
While no industry is immune, some sectors face greater data breach risks. Health care institutions hold one of the most sensitive types of personal and medical data, making them a prime target for attackers seeking financial gain. The Cost of a Data Breach Report 2023 by IBM found health care to be the most expensive industry for breaches, averaging $10.10 million per incident.
Meanwhile, financial data like credit card numbers and social security numbers are highly valuable on the black market, making financial institutions attractive targets. Retail and e-commerce companies holding customer payment information are at risk too.
But more critically, the companies most at risk are those that do not continually evolve to ensure that every area of the business has an agile security strategy. Those with outdated security practices, and those without proper data governance and AI usage policies in place, are more likely to fumble in the face of new threats.
Notably, startups and small and medium enterprises (SMEs) may not have the proper infrastructure to address cybersecurity and data protection issues in their companies, as they themselves are strapped for resources to get ahead in their business operations.
Steps to improve their data security
Data privacy is not only a legal obligation but also a business opportunity. As such, organizations should reconsider the measures they have in place and develop a secure and well-governed data foundation.
While technological advancements in cybersecurity hold promise, data security ultimately relies on a layered approach accompanied by accountable data handling practices by humans.
Adopting a privacy-by-design approach means integrating privacy considerations into every stage of the development and operation of a system. For starters, firewalls, Multi-Factor Authentication (MFA) and access control are some security measures that can be implemented to prevent data breaches.
For the more advanced, organizations may consider emerging technologies that enable data analysis without compromising personal information, such as differential privacy, federated learning, and homomorphic encryption.
Understanding what data you hold and its sensitivity classification is also essential for effective protection. This will inform your incident response plan, so that in the event of a breach, you are able to minimize damage and ensure swift recovery.
According to the Philippine National Privacy Commission (NPC), all Personal Information Controllers (PICs) and Personal Information Processors (PIPs) are required to have a Security Incident Management Policy. This includes the need for a security incident response team to mitigate the effects of a breach and to lay out measures that minimize the occurrence of such incidents.
Implementing strong network segmentation and regularly updating IoT firmware with patches can significantly reduce vulnerabilities for an organization. Organizations should conduct regular Vulnerability Assessment and Penetration Testing (VAPT) to assess for possible gaps within the IT infrastructure and ensure that these issues are fixed as quickly as possible. VAPT tools and services can assess vulnerabilities within a system or application and help administrators prioritize which vulnerabilities should be addressed first.
Nonetheless, it is ultimately human error that is the weakest link in data protection. As such, educating employees on data handling best practices and phishing scams is crucial. Consider leveraging generative AI to build data protection practices in an organization and put them into action.
With its current capabilities, it is possible to build a custom chatbot that allows employees to upload and check suspicious emails for possible malicious intent and provide advice on what next steps to take. These tools must be built in a secure and controlled environment so that organizations have control of the data that is being used to train bots and to ensure that conversation histories are not leaked to unintended parties.
Responsibility lies with us
Technology offers powerful tools for transformation, but it needs to be implemented responsibly by individuals, organizations and policymakers. Embracing robust data governance practices, prioritizing data subject rights, and continuously adapting to evolving threats are crucial to navigating the digital crossroads.
At the same time, a commitment by data protection professionals to continue upskilling to meet the demands of AI governance is imperative. One can do so by pursuing certifications like the AI Governance Professional under the International Association of Privacy Professionals (IAPP).
With concerted collaboration between regulators, government agencies, businesses and the public, there is a bright future for the Philippines where innovation thrives alongside robust data protection, ensuring a safe and secure future for all.
Edwin Concepcion is the Philippine country manager for Straits Interactive, a Singapore-based company that delivers sustainable data governance solutions to help organizations build trust in today’s data-driven world.