Cybersecurity in Philippines: Advancing Digitalisation and Strengthening Cybersecurity (ft. Aboitiz Power, Maybank Philippines, Maynilad Water Services and Ingram Micro)

Show Notes

Guests:  Mr. Alexander Antukh, Chief Information Security Officer, Aboitiz Powe, Mr. Marlon Sorongon, Chief Information Security Officer, Maybank, Dr. Francisco Castillo, Senior Vice President, Chief Information Officer, Maynilad Water Services, Inc and Mr. Kanishka Kumar Sinha, Director - Hyperautomation Professional Services, Ingram Micro Inc.

In today's episode, we turn our focus to Philippines. The discussion unfolds against the backdrop of the 42nd ASEAN Innovation Business Platform Philippines Conference and Exhibition, hosted at the Marriott Manila on the 11th of July.

The Philippines, with its population surpassing 110 million, boasts over 85 million internet users, a figure that underscores the rapid digital transformation sweeping across the nation. However, this surge in connectivity has been shadowed by a corresponding rise in cyber threats. The Philippine National Police Anti-Cybercrime Group reported a sharp increase in cybercrime incidents in Metro Manila totalling 6,250 in the first six months of 2023 -- a 152-percent increase from the same period last year. The urgency for robust cybersecurity frameworks is palpable, as businesses are at heightened risk. To maintain seamless operations, safeguard sensitive customer data, and fortify the trust and loyalty of their stakeholders, Filipino organizations must prioritize and invest in comprehensive cybersecurity strategies.

Transcript

AIBP Intro: 0:02

The AIBP ASEAN B2B growth podcast is a series of fireside chats with business leaders in Southeast Asia focused on growth in the region. Topics discussed include business strategy, sales and marketing, enterprise technology and innovation.

Vanessa Kwan: 0:30

Greetings and welcome to the ASEAN B2B growth podcast. In today's episode, we shine the spotlight on cyber security in the Philippines, this conversation took place during the 41st edition of the ASEAN innovation business platform Philippines Conference and Exhibition held at Marriott Manila with Mr. Kanishka Kumar Sinha, Director of Hyperautomation Professional Services from Ingram Micro , hosting the discussion, along with Mr. Alexander Antukh, Chief Information Security Officer from Aboitiz Power, Mr. Marlon Sorongon, Chief Information Security Officer of Maybank, Philippines, and Dr Francisco Castillo, Senior Vice President, Chief Information Officer from Maynilad Water Services, on the current state of cyber security in the Philippines.

Kanishka Kumar Sinha - Ingram Micro: 1:17

I think the topic from a digital transformation in cyber security. So would like to the first question, would like to understand more as we look into digital transformation, how does cyber security play a role in enabling digital transformation for organizations? So, Alex, why don't we go this way this time? Start with

Alexander Antukh - AboitizPower: 1:40

you, right? So, well, that's a very broad question, right? So I guess we maybe to our first round, then the second at the time itself. Well, the original purpose of cybersecurity is to enable the business, right? So what we do to protect from the threats and from the risks is really to keep the business running and to hopefully increase the revenue. So obviously, digital transformation, innovation in general, has the mission to improve the efficiency of the business, to find the new ways of how we generate the revenue. So cyber security in that regard, keeps true to its mission to protect and with digital transformation, with innovation and with the novel ways of generating this revenue, of course, common new risks and new trends. So while we obviously support that, we welcome the new developments of AI and so on, everything what was said and what was said on this conference, we also need to acknowledge the systemic nature of the technologies of the digital race, which means that every new addition to us is a bit of extra pain, a bit of headache. And it means that we need to be aware of what is the technology of how it's connected to already existing ones, how we protect that, to even redefine the role of cybersecurity in general. So I'd say that there are two main parts to it. Number one, is really okay. There is a new technology, new project, new way of work, so we need to think of how to protect that. And then there is another part, or part, which is innovation in cyber security. So what are novel ways of how we protect that? And I believe we will talk a lot about that in the panel, so I will not take all the time to talk about so I'd say to start with, probably we just need to focus on those two parts, and then we continue here.

Marlon Sorongon - Maybank Philippines: 3:39

Yeah. So yeah, I think I couldn't agree more to Alex transformation introduce a paradigm shift the way, especially in the financial industry. So we have introduced a lot of process improvements. An online platform has to be extended also to our users and our clients. So I think my personal tune is, while your technology matures, security also has to follow in terms of product. So that security budget which supports these initiatives must also use. So if you introduce new technology, introduce new systems, it would also open door opportunity, opportunity for hackers to exploit this. So it is something that we need to consider while, while we while we introduce some sort of projects or some sort of application system to support this transformation, adversaries also do some research, how to explore the system. So I think the slope of security must also in parallel in terms of your innovations and your initiatives. I think that's my view. Yeah,

Dr. Francisco Castillo - Maynilad Water: 4:54

well, more or less I agree with the other opinions. But just to add I mean this. Digital transformation, really nothing new. I mean, it's just a cute word that we use nowadays, but ever since IT was started, we've been, you know, the whole industry has been slowly digitizing or using more systems. So unfortunately, as you have more systems your attack landscape, like it, or you have to defend more things, and you have more things which are vulnerable. So I think it's in proportion of how many you have, because everything is vulnerabilities. Maybe not. You don't know now, but you'll find you'll find out in months, right? The more things you put on the cloud, the more things you're exposed to the internet directly now to surface. So that, that's the challenge. So it's a cat and mouse game. You You just have to be continuously trying to understand the hackers can take advantage of the systems that you have in trying to

Kanishka Kumar Sinha - Ingram Micro: 6:11

great, great analogy. So if I summarize it, trying to it's a symbolic process as digital transformation happens during, I mean, to the organization, cyber security is also transforming to pick that up, and leading to that thought, what are the because you mentioned more you expose more vulnerabilities get added, and does the security features, how does One stay ahead of the curve. How? What are the strategies I mean, your organizations have taken, or would you suggest to stay ahead of the curve in terms of cyber security? So if we start in the reverse from your end, what are the strategies you would suggest?

Dr. Francisco Castillo - Maynilad Water: 7:00

Well, I think one has to be always abreast with what's happening. So what read a lot? It's a lot of material out there telling you, what are the vulnerabilities, who's been hacked, and what were the methodologies used? Of course, in the Philippines, there are some groups which in which we collaborate and ideas that's helpful. Threat intelligence, if you can buy it, that's also very helpful, because it gives you an anonymized version of what is happening out there, and you can prepare so I would say those things are pretty useful, but you never, never stop researching, reading, analyzing, because it never stops. And that's really what keeps me awake.

Kanishka Kumar Sinha - Ingram Micro: 7:51

I totally agree with you, and I also learned this in from one of our sessions during the second No, I I've learned this methodology somehow shared by a friend to me. We, they call it the collective defense. Collective defense is somehow introduced by NATO during the 911 so it's an attack on an ally. It's an attack for everyone. So this is a sort of a technique wherein they gathered information and shared intelligence among the members of this collective defense. And I believe that global security is a global concern, and that globally so there are a lot of partners and vendors that could assume, no could assume, infuse something to improve your posture, like global trade intelligence, attack, surface management, the third part is conduct, help you due diligence on third party risk management. You can conduct a P, T from cycling perspective. So there are other things. Helps you a lot in improving your security posture. So I think in in Philippines, we have a group of sisters already. We forming know as to share intelligence, much more sharing information to improve also our processes enforcing those technical and functional,

Alexander Antukh - AboitizPower: 9:18

yeah. And of course, I my point, I think on the more deep level, we are not really ahead of the curve in the sense that the attackers will be as the steps ahead. And yes, so number one is collect for sure. And I think again, we'll talk a bit more about private partnerships, on the ways of how we would get the industry, exchange information as well. In Fred can tell also, I think this is important in the in the sense that if there is an attack on somebody, somewhere in this world, and we are aware of that, it will be nice also to the necessary measures. But then again, I think it's also important to acknowledge that many times. Times there is an attack which is still growing for months, and we are still not there to fix that. So it's not just about the novel, it's also about the basics, right? But yes, to sum it up, I would say that probably the best strategy in this organic world, and especially for companies like ours, which is critical infrastructure, is to have the in a way that hurt immunity, to have that collective defense and to strengthen the ability to respond to together. Great.

Kanishka Kumar Sinha - Ingram Micro: 10:34

So I mean, if I summarize key points are, be a student, continue to be a student. Keep learning. Collaborate more and ahead of the curve, brings to brings to another interesting point. We see a lot of data protection and cyber security being enhanced, and guidelines being enhanced, GDPR, or industry specific like HIPAA, what are your views on, you know, these data privacy and industry aspect how that needs to be bought into the overall cyber security and as well as for the organizations to stay ahead of that curve in this So Alex, if we start playing

Alexander Antukh - AboitizPower: 11:21

if that most of those laws and regulations come as a response to a bridge or some crisis, so in a way, that's a creation of an incentive for companies to be more secure. So in that sense, I welcome, I think, for example, in the US, with the introduction of the North Sea 15 years ago, we developed of that the state of cyber security really improved the loss. And I think that was great. So obviously, compliance is not all. There is. There is, but it does help. And honestly, I think that in the Philippines, this is also important on the level of critical infrastructure and on the ways of how we further strengthen that. And so we see similar steps. Now, as you mentioned, GPR, there is these two in Europe, and there are others national of regional and international standards. Yes, My My opinion is that they see more well laws and regulation.

Marlon Sorongon - Maybank Philippines: 12:27

Yeah, well, I think I tried to call to compare my my role not 15 years ago. I wasn't like, this is he did it. You were just dealing with viruses, and these viruses, Potassium spirulis, just to become famous. So they do us impact your systems go down to performance server, but the aim is not really catch a stroking. What we are dealing like now is cyber criminals. So it's a different game. The Game shifted into a different intention and motivation. But this occurs, their motivation is to steal our money. I think the best effective approach is make your company a cyber resilient so there's so many challenges you can do. Can do research on Google, but some form of advice. There's so practices you can adapt, but there's always an achievable level controls, because some companies they they differ, differ in size. Some are big, some small, some somehow, some are limited resources, not adequately funded. But there's always an acceptable level controls. This is accepted by regulators, especially for us in our industry, we are heavily regulated by BSP, and we have to follow some shared guidelines, and we adapt that. So somehow, the trend landscape has totally changed. It's a different game right now. So there's so many hardening, network security, water security, bpt, you can always adopt depends in them enforce it with your policies, with your guidelines. Of course, number one is education, human education and cybersecurity, awareness. It will not defend it at all, but it could reinforce. Imagine, you have 1200 employee, and you equip them with the right mindset, with the right knowledge how to discern and identify threats, they will become your ally.

Dr. Francisco Castillo - Maynilad Water: 14:28

Yeah, well, we had the data privacy act some years ago. Was good because it sets a framework for Lean companies in terms of how to manage pi and all that. But I remember that when this was implemented, the first effect is, anywhere you call, right, they will say, please press one if you agree with sharing your private information. So I think we have to go beyond that, right? We have to really be protecting our PII so. And I don't know, but I feel that it's we're losing this battle. Every day I get a call and they know me. They know my name and myself or I never disclosed, even when I look emails coming to the very targeted, and they're very crafty, well crafted, you know, to specific executives. So, you know, there are leaks everywhere. And as mentioned earlier, I think the weakest link is really people, because you just, it just takes one mistake and there goes. Your PII is everywhere. You could just take a photo, for example. So nevertheless, as my colleague here said, we have to educate people as to what can, what cannot. People normally are not even aware occasion of what they do, right? So this will be a constant reminder.

Kanishka Kumar Sinha - Ingram Micro: 15:59

I want to add another part to this question, resisting in my role, are two sides of the table, and a lot of time we see resentment from, you know, when you have to go through a long cyber security event with a customer, you Know, go checks and balances a lot of time users see it as a hindrance to innovation. So what are your comments on that, when you see this kind of business, resent, why have people? Is, how would you educate? Because, you know, I personally see both the sides and a lot of time we come through that, is there a way to shorten the process? Is there a way to educate people better?

Dr. Francisco Castillo - Maynilad Water: 16:47

And actually, I will answer it as CI open, as an IT, because the problem is that, whether you like it or not, any IT security measure, I always was ease of use a way, or that's, there's no no doubt, right? So the trick here is you have to strike a balance right between making it secure and making it convenient. I mean, the most secure thing is right, but don't do business, right? So yes, in our case, we take it very seriously. We debate as to what extent somebody gave an example, right? The 18 character. In character, I think Tina 18 character password. And when we implemented that, we were expecting a huge backlash. And so nobody complained, you know, but in order to have to explain why, right, the other thing is, when you explain things, sorry, but this is for it, security guys, is it has to be explained simple because sometimes, you know, there's so much IT security gibberish that users don't understand. It has to be explaining simple terms. For example, you say you're gonna use your your internet, right? Then you go to a website, don't say, take a look at the certificate, if it's SSL, TLS, you know, point zero. I mean, they don't understand that. But what they do understand, hey, if you're in a Wi Fi using what you call this, I mean confidential information, right? Because it to be secure. I mean, so the language has to be changed, otherwise people don't understand, you know, and many times I think that's, that's where we fail.

Marlon Sorongon - Maybank Philippines: 18:53

Yeah, I agree with your people. The only language that this the management business would understand space. So you need to translate this specific areas that you see potential tax at company to strike it. No. Strike it at the bottom. Tell the management that if we do this, this is the risk. If you don't do this is the risk. So somehow, the productivity, they tend to see security as, I mean, a showstopper. So it's a whole plot for them to implement something. But if you were able to communicate clearly to them that consequence, if you don't comply, you don't do it, then definitely they will realize there are a lot of use especially facing the board, the management, and you try to just request justify for budgets. Then suddenly they tell you what sense of this, what's the importance of this? There are so many use cases in the internet. Use the most scariest, make. Example, this company was here, and suddenly they are fine 15 minutes. Then these are the consequences. Don't do this. Then when they go to sleep, they will ask themselves, maybe Martin was saying earlier was true, yeah. Let's approve the budget. I just something that you need management. These are the risk outweigh benefit.

Kanishka Kumar Sinha - Ingram Micro: 20:23

I really like that, because, to the point you mentioned, keep it simple, I believe that's that's very important for business. Because as a business user, you may not understand everything and why, and usually the complaints are delays, budget. But one aspect, the next thing I would really like to ask is when it comes to best practices, when it comes to, you know, creating the cyber security framework, what are the best practice you would suggest from going and making a step by step aspect of security. What's the straw man that?

Alexander Antukh - AboitizPower: 21:09

Well, to be honest, I haven't faced internal dialog with regards to the previous comment. I probably will say something, but I think that we put too much attention to the end user. Sense that there definitely should be security awareness, the basic one. But then at the same time, we say that we need to explain it in a very simple terms, and that the end user is not the expert, which I agree with. I think we probably, as the industry also failed a bit in this, in the ways of how we make it secure by default or not secure by default. And I think we as the industry also should consider the customer experience. I probably do not completely agree that security always needs to be a burden. And there was exactly the the example of password Blitz, I think the number one incentive for the users to do that is because it's easier, because you don't need to remember any password, but then it more secure, and in a way, it actually fixes one of the issues of the phishing if we talk about, well,

Dr. Francisco Castillo - Maynilad Water: 22:18

you agree it's a burden. You seem to memorize the lead team character, but, yeah,

Alexander Antukh - AboitizPower: 22:23

yeah, but passwordless is all slide it down, no. But passwordless is a security feature, so it is something new, and in this way, again, we are helping the user. So I think having security by default is equally as important. And so I actually believe that the end users fail security reasons, number one and number two, it's more beneficial to them to fail than not to fail. So if you need to access your email while you're connected to public Wi Fi, your boss expects you to send a report. And if you can do that, you will, unless you have an incentive that you will be probably fired if you do so and you get caught, or maybe you have an opinion, and then, you know, it is a bit more protective. So I'd say that, except, instead of just saying that the users really have to be that educated and, you know, try to make that flow of, well, hacks and so on. We probably, as the industry, also need to think a bit more of the customer experience of being secure by default and of just limiting the possibilities to fatal. So that's an addition to the periods. And I'm not sure I actually answered your question. Let me go

Kanishka Kumar Sinha - Ingram Micro: 23:46

back to the question. I think what I wanted to we talked about this is we talked about partnership. How does that? You know, if one has to think about that straw man between industry, practices, government, you talked about a wider net. So what are the some suggestions, or, you know, recommendation you provide on a cyber security standpoint to utilize this collaboration, the larger framework and partnership within industry, outside industry, cyber scared. And the question is, sorry, the question is, what? What would you highlight on the partnership aspect building cyber security through industry partners and other agents? Yeah,

Marlon Sorongon - Maybank Philippines: 24:33

so there's so many references so far, I think, from financial coming from a financial institution. I would say the most applicable for us is the NISD and ISO collective. 2761 it's a formation, security management system. It's an industry applicable standards so far. What we adopt is the NISD. It's, I think it's one of the. Conference. But I can also recommend that from an organization that has different appetite. Of course, company you have, your appetite is defined by your own market. So banking, we also adopt frameworks which is applicable for us. Frameworks are set of standards you can use as reference, convert it to a policy. Once you have the policy, you make sure that is supported by management. So when you have this standard baseline, you convert it to standards, guidelines and instructions. So these frameworks you need to craft something which is customized by your needs and requirements. Do not just simply adopt everything and execution and implementation and you promise heaven and earth to the management that is not something effective, I would say no. So in terms of standards, make sure it's applicable and it address the needs Ernest of the company, of someone,

Dr. Francisco Castillo - Maynilad Water: 26:09

yeah, okay. With regards to frameworks, there's a lot of free and I but there are strengths for each framework. Actually, you think we, we take it from different ones. For if you have industrial system, pretty good. Of course you have things like COVID, and then you have it's not a framework lot of inputs. Is OWASP, the Australian directory of signals, Practical Guide for those of you may be interested. You can, you can look at it. So I think it's elimination, just one,

Alexander Antukh - AboitizPower: 26:56

add anything. I pretty much agree with this. So there are various frameworks, and they provide the blueprints of how certain aspects of the program should be built. It should be taken to consideration. But then again, they should be applied considering the actual risk of environment, the context. And so the closest they can, yeah,

Kanishka Kumar Sinha - Ingram Micro: 27:19

I think what are the point we all touched in the beginning about expanding digital transformation, expanding and cyber security evolving with it, but specifically on two aspects, IoT and AI. How do you think the expansion of IoT and AI is impacting cyber security and how cyber security is evolving for these

Dr. Francisco Castillo - Maynilad Water: 27:48

Okay, so two different things. Let me take different So, IoT. IoT is, I would say, different because it touches on the OT side, the OT side, sure you are very familiar with as its own particular policy, certificate access, call you, name it. So when you when you look at IoT, you have to be sure that you are designing your architecture uses in accord with the both it and OT, it's not the same AI. Well, that's another buzzword, right? So now everybody talks AI guy is slowly in many of the products that you know it, security, products that we are using it has started, actually, several years ago. Maybe they call it AI, they call it machine learning, and they call it clicks and so forth. So even knowing anything about anything about AI, I think it's, it is really being incorporated in many of these products, and the ability to detect things beyond simple signature, I think that's the difference.

Marlon Sorongon - Maybank Philippines: 29:18

Yeah, OT is a different framework. It is also they have gaps. OT is a different critical infrastructure. Somehow, when, when I work for an English role, the way they tend to see information security from all this perspective is opposite. They prioritize availability, integrity and confidentiality. PAL it we do the normal one, potentiality, integrity and availability, or the normal one, yeah, the normal ones. Let's see it. And. In terms of the other Sorry, I forgot the other thing that you mentioned, IoT. And so cyber security can always leverage with AI. So Kiko is the expert of AI here. I may not be conveying you the best message for AI, but what we're doing security is being took at that time because machine, they don't sleep. They always run, unlike us, to the guitar we sleep. So they're the one telling us, hey, something happening malicious. So when you woke up, she's the one taking charge while you're resting. Then automation is also another thing that can be powered by AI, they can do a lot of things that human cannot. So sometimes we took the convenience of introducing a platform that could help our lives easy, but it has a drawback, no, it also introduces a risk that may be unknown to us. Okay, so I think the moral and the ethics of using these technologies should always have humans. The food for AI is data. These tools will not work without information with data. So it always Reliance must be defined and must be compared.

Alexander Antukh - AboitizPower: 31:23

Thanks. So yeah, again, I'm afraid my answer would rather be generic in the sense that we again talk about systemic risk. So when we add the new emerging tech, there are reasons to the use of it there is related to qualities of those technologies. We already saw the largest bot nets because of the insecure, newly connected devices, the routers, for example, we see more and more now that ransomware is not just targeting the data but also the ability of the of the company to and it's not just in OT even in it, we see more which means that as the system gets more and more complex with new additions, and again, we call it that AI, or the new processes, it doesn't really matter complex. We have in a way, less control over that, and it's relatively easier to disrupt, and once it's disrupted, well, yeah, again, may need to pay, or we may need to recover, and so on. So coming back to the very first question, again, there are opportunities, in the sense that we may be able to detect some anomalies thanks to AI, or we may use the new tech to hopefully get more protected. But then, of course, the huge drawback is that in this new digital economy, more and more digitized, these risks need to be addressed both by the involvement of security from the very beginning, by assessing the risk and not just jumping into that, because that's a shiny new technology, and also hopefully keeping control over that complexity on the level which is acceptable, but again, I'm sorry that we will need to go much deeper,

Kanishka Kumar Sinha - Ingram Micro: 33:13

but that's a good start point for people to listen to these thoughts and start doing their own research. But before we go to the audience questions, one thing I would like to ask specifically, in context of Philippines, where and how you see the society aspect, I mean, how it is evolving. And if you take Philippines, as you know, Philippines is expanding, it's a big hub for shared services and global si to operate as industries are evolving. Philippines cyber security evolving, if you start from here,

Alexander Antukh - AboitizPower: 33:54

sure. Well, we had already a presentation about the National Cyber Security Plan. I think this is really important. And I think that's great, that there are such initiatives and specific pieces of that related to collective defense, related to the fact that we are sharing the intelligence and helping each other, that there are more public private partnerships, and so on. I think all of that will help as well as the mandates to further protect critical infrastructure. So this is good start. I think the rest, which is also part of it is the international cooperation. So for example, we have the regimen one here. There are, of course, the different ISACs. There are cooperations with the US, and again, on the international level. Again, it's kind of the summary of our whole dialog here, but with how we catch up, how is the head of the curve, how we do it collectively, and how we advance here in the Philippines. So I'd say probably we can post now separately.

Marlon Sorongon - Maybank Philippines: 34:56

Yeah, from my personal view, I will say where. Service will continue to grow. Imagine, if you use chat, GPT, in 15 minutes, you can create a script, Python script, to attack company or certain company, you know, phishing email. Phishing email in a matter of seconds. Another thing is there will be a potential no because of this invasion rain and alliances between this positive and negative was positive or potential cyber warfare. So the only defense we can do in terms of China's alliances is to defense. I mean, amongst discussion, amongst we need to stand this one, there will be a potential cyber warfare, maybe somehow then AI, cloud computing, IoT, will dominate the cyberspace, and there will be acquiring cyber insurance due to this numerous state multiple tests that are unknown, so it's difficult to acquire insurance unless you can tell them, hey, if somehow we have good defenses, and this is our premium, and because of this introduction of AI, there will be a lot of People which is interested and might shifting to the part instead of to the good side. So these are the things that currently sisters are are facing. No this is not simple. That's why our advocacy is to continuously encourage young professionals to at least invest in cyber security knowledge so that we can win this battle. We cannot win this battle alone. Put the shoulder on the Caesars burden.

Kanishka Kumar Sinha - Ingram Micro: 36:49

But if I add an added point for you, especially working in a banking and financial sector which is much more highly regulated, and even you have a higher probability of threat. See what is local Philippines, banks and organization are doing. Are at part of the global organizations? Or do you see a gap in that?

Marlon Sorongon - Maybank Philippines: 37:15

Yes, we we are actually our offices in Malaysia. We have also Singapore as we compare friends from each countries, mass masses from Singapore then Malaysia. We have BNM. We have BSP as well. In Philippines, we sometimes collaborate and adapt, no what is the best and secured way of securing our formation

Kanishka Kumar Sinha - Ingram Micro: 37:44

assets

Marlon Sorongon - Maybank Philippines: 37:44

and our customers assets. So we can adapt those guidelines, which is we think applicable to us, but somehow BSP is still our mandate, but in terms of guidelines, in terms of singular PSP will always allow you to implement which they think applicable and appropriate in terms of protecting your information assets. So there's no limit, there's no principles, no beyond that. It's acceptable in terms of three standards.

Dr. Francisco Castillo - Maynilad Water: 38:20

Well, maybe the message I would like to deliver to the it is very To be honest, I know of many Filipino companies that have been hacked will not be changed. This is the last time I will get invited if I do that, but just let me it reads like the who's who in Philippine business, and then report it are more that are hacked. And it's it's really scary, so we have to be on our toes. And every time one of these companies, big companies gets hacked, that's what drives investments further, investments in people and in the security measures. So we cannot be complacent. And the other thing is, I think humble, because, you know, it's not a matter of if you get hacked or of when and how to deal with and, yeah,

Kanishka Kumar Sinha - Ingram Micro: 39:28

I think that that point, it's a matter. It's not about our you know that if you have there, but it's a matter of when and how do you protect yourself or the organization, and how do you being ahead of the curve? How

Dr. Francisco Castillo - Maynilad Water: 39:44

do you recover? How do you attack? Do you have to better than just protect? It's recovering from him.

Kanishka Kumar Sinha - Ingram Micro: 39:51

So now we will take some audience questions.

YY - AIBP: 39:54

I think we have time for one question, so I'm going to ask the topQuestion from the audience itself, this is with

Dr. Francisco Castillo - Maynilad Water: 39:58

So my reason is, if you're looking regards to the connection between IT and OT systems. It is important to connect it, but what cyber security measures have you implemented for this in connecting IT and OT? For the both of you, yes for Dr Kiko and also Alex. at IoT, there's a standard. It's called an C 95 it's very old, 1995 and C 95 take a look at that, because that tells you how you have to architect and separate the OT side from the IT side, and how you upgrade and protect it, and that there's a lot of offshoots. Again, can refer you to Isa, that's very good set of nerds that talk about protecting industrial assets. And I think for the electric electric sector, you have your OEC and all that. Maybe you'd like to add,

Alexander Antukh - AboitizPower: 41:03

no it's pretty much that there are systems, secure reference architectures, this segmentation, the way, how the controls, like the network controls, or security model taxes and so on. It's all in place. So it's really, again, a combined approach to to pretty much that connection. Again, we could go into detail of each of those controls, but there are these, so I guess all threes in one would probably be a sorry security.

Marlon Sorongon - Maybank Philippines: 41:33

Well, I can't share too much about even banking, however, OT is really a complex kind of thing. There's totalism, governance between it, and think most guys, Primo.

Dr. Francisco Castillo - Maynilad Water: 41:49

Maybe we will just add one thing, no matter what's there you if you want to secure it, don't expose it to the internet, especially for industrial systems.

Kanishka Kumar Sinha - Ingram Micro: 41:59

That's a great closing line, and I know we are on time, and thanks. Thanks for three of you to coming in and sharing your thoughts. And I'm not sure if anybody in the audience who are making notes great insights shared, but I'm sure the recording would be available so that can begin to make your notes on all the insights shared on this topic.

Vanessa Kwan: 42:22

Stay tuned for more insights on the current state of cybersecurity across the ASEAN region in the coming episodes,

AIBP Intro: 42:35

we hope you've enjoyed the episode. For more information about business growth in the ASEAN region, please visit our website, www.IoTbusiness-platform.com.