SCMAP Perspective is our fortnightly column on PortCalls, tackling the latest developments in the supply chain industry, as well as updates from within SCMAP. In this column, Henrik Batallones focuses on cybersecurity in our supply chains after a spate of hacking attacks on government agencies holding sensitive data.

Patch any vulnerability

At the sidelines of this year’s SCMAP Supply Chain Conference, a delegate pulled me aside and made a suggestion. “Whenever you talk about technology in supply chain,” they said, “you should never forget cybersecurity. Maybe you should have a session about it next year.”
I’ll admit, the thought didn’t cross my mind, so I thanked them for the feedback and proceeded with the rest of the day.

Now, cybersecurity is top of our minds again, after a series of successful hacks into the systems of several critical government agencies has raised the possibility of our sensitive personal data being available to nefarious actors, making us more vulnerable to other cybercrimes such as identity theft and phishing. Scariest, of course, is the successful attack on PhilHealth, leading to data of millions of members being released to the dark web. Another, apparently dissimilar, attack on the Philippine Statistics Agency could do the same for the most marginalized Filipinos and the government’s ability to deliver basic services to them.

Of course, the inevitable questions are on why the government seems to be one step behind when it comes to this. How can citizens be confident of moves towards e-government when efforts to protect our data will be minimal at best? (News that PhilHealth has invested in a PHP 14-million antivirus system is the epitome of “reactive”.) Not to say that efforts aren’t there: government employees regularly undertake seminars and workshops on these issues. But one wrong move could provide an opening that can both compromise sensitive data and scuttle agencies’ ability to serve the public.

This story should also serve as a reminder for us in the private sector to reassess our cybersecurity measures. Sure, we may be a few steps ahead of the government – I’m sure it’s a safe assumption to make – but again, one wrong move could provide an opening that may reveal confidential information and present bottlenecks to our daily operations. This is important considering how far along we as a country have gone in our digitalization journey. As our systems become more interconnected, and we have turned more to the cloud to store information for easier access wherever we may be, we open potential new vulnerabilities that can affect our systems, our data, and our operations.

There is also the risk to our reputations, even if any such attack does not impact our company directly. I was in Singapore last week and the biggest domestic story was on the rising number of Singaporeans victimized by online scams. The country’s police force reported over 650 cases of scams – involving fake apps for legitimate brands being downloaded by Android users – in July and August alone, resulting in the loss of up to SGD 10 million (roughly PHP 410 million). This is not a domestic problem, with malware often being developed and deployed – off the shelf, in many cases – from other countries. Talking to the Straits Times, former White House adviser Philip Reiner warned that these scams will be a bigger problem globally in the coming months, and we may not be prepared for it.

Emerging technologies like generative AI may make it easier for us to optimize our operations and improve our service levels, but they also make it easier for nefarious actors to exploit vulnerabilities and victimize our companies, our employees and our end customers. That delegate is right: we should be thinking about cybersecurity. By that, I don’t mean we should be leaving it to our IT team. The weak link could be coming from us, so we should be more proactive than ever before.

For us, it should mean continuously assessing and patching up vulnerabilities, all while ensuring costs are optimal and sharing of information across trusted stakeholders is not hampered or compromised. It may seem like a tall order, but the funny thing about technology these days is that it’s just as easy to fix problems as it is to create them. Efforts should also be made to ensure our partners across the supply chain are on the same page, as any vulnerabilities with them may be exploited and can impact our own operations.

As for the government, whose role is to foster a competitive and business-friendly environment, well… those hacks barely inspire any confidence, do they? The Department of Information and Communication Technology has been dealing with this challenge for a while now: bolster the government’s digital initiatives and also improve its cybersecurity. This means boosting capacity and capability, and spreading them evenly, so that critical agencies do not fall prey to vulnerabilities caused by antivirus software that no one updates because… I don’t know. The funds were allocated elsewhere?