“Navigating the New Normal,” UNAWA’s series of free webinars helping small- and medium-sized enterprise (SME) owners with the new realities brought about by the enhanced community quarantine (ECQ), has addressed various aspects of business continuity in its past four webinars. One consistent recommendation brought up by our panelists is the need for businesses to go digital, with the remote working and social distancing environment benefiting from purely digital processes.
However, the push to go digital also comes with an increased need for data privacy and cybersecurity. As companies move their operations to digital platforms, they must also be aware of how to properly secure and safeguard these platforms from various cyber threats.
This was the focus of UNAWA’s fifth webinar, “Data Privacy and Cybersecurity–Is Your Company Ready?” Our panelists offered various insights from technological, legal, and professional perspectives on how SMEs can improve their data privacy and cybersecurity in an era of remote working and rapid digitalization. Here, we share five of these insights:
1. Don’t forget about data privacy and cybersecurity when digitizing your business.
Companies that are predominantly brick-and-mortar in nature are now exploring new ways to reach their customers digitally, such as putting up e-commerce platforms or setting up digital communication channels and apps. But Iannis Hanen, CEO of cybersecurity testing platform Secuna, reminded business owners going through this digitization phase not to forget about proper data privacy and cybersecurity practices.
“As [businesses] cut corners, they use ways to collect and transfer information that’s very sensitive. And they usually tend to ignore the security aspect as they do that because at this point, a lot of SME owners are not thinking about security of the data. They just want to have transactions with customers,” Hanen pointed out.
This applies especially to companies who are developing or deploying their own app, website, or software. Business owners must be vigilant in ensuring the safety and security of these platforms and not simply focus on how they can boost the company’s operations.
“Some companies are a little bit more ahead and are already thinking of developing either a new site or a new app [for their operations]. At that stage, they’re not necessarily considering security, they’re just looking at functionality. They want to sell fast, and they are deploying software that’s not necessarily tested or vetted,” added Hanen.
2. Data processing must be transparent, have a legitimate purpose, and be proportional.
So how can companies practice proper data privacy and cybersecurity protocols? Atty. Leandro Aguirre, Deputy Commissioner of the National Privacy Commission (NPC), suggests a good starting point in the three guiding principles of the Data Privacy Act of 2012 (DPA), the country’s set of regulations governing how organizations should process personal information.
The first of these principles is transparency, which means properly disclosing to your customers how you’re processing their data. “Transparency goes into the whole idea of trust. You want to be transparent with your customers and with your employees in terms of how you’re processing their information, and you have to do it by communicating it to them in a clear manner,” explained Aguirre.
The second principle, legitimate purpose, simply states that if a company will process customer data, they must have a valid reason why they’re doing so. “We want [your business] to use information only for a specific purpose that you’ve communicated with your customers,” added Aguirre.
Last but not least, data processing must have a sense of proportionality. This means that the data you collect for whatever purpose must only be enough for that purpose, avoiding instances where customers are required to divulge too much information and increasing the risks of a data breach. “The idea here is we want to minimize the amount of information we collect. If you don’t need that information, don’t collect it,” said Aguirre.
3. Proper security is discipline, responsibility, and acting right without delay.
In the same vein as Aguirre, AJ Dumanhug, the Co-founder, CTO, and CISO of Secuna, also shared three factors that make up a good cybersecurity strategy. This can be summed up with one sentence: “Security is discipline, responsibility, and acting right without delay.”
By discipline, he meant that companies must be consistent and persistent in how they relay practices about cybersecurity to their employees and customers. This includes strategies against common cyber attacks, tips on securing their devices, and reminders on how to better protect their assets. “For discipline, [these are] regular things that your business should do, such as educating your employees [as well as] your colleagues and users,” said Dumanhug.
By responsibility, he referred to how a company is handling the data they’re processing and understanding the types of data they have to protect. While Dumanhug recommends conducting a Privacy Impact Assessment (PIA), he also says that a PIA alone won’t be enough. “PIA is not just for the privacy, it should be working hand-in-hand with cybersecurity. You have to make sure that all the data [you are handling] are secure,” shared Dumanhug.
And by acting right without delay, he recommended SME owners to have a Disaster Recovery Plan (DRP) ready in the event of a cyber attack. But at the most basic level, Dumanhug said that companies must be smart, fast, and prepared to respond to a cyber threat. “Always remember that the winner is not the one with the strongest tools, but the one who is acting right the fastest,” added Dumanhug.
4. Make sure your data privacy and cybersecurity protocols consider remote working arrangements.
With these frameworks in mind, companies should have an easier time laying out their data privacy protocols and cybersecurity strategies. But Atty. Glorie Pineda, Senior Associate at multi-awarded law firm PJS Law, advised that businesses must take into consideration the new normal brought about by the ECQ, specifically the increased reliance on a remote working setup.
“Work-from-home arrangements are now here to stay. You must take this into consideration when you are drafting your policies and protocols, meaning that you must provide your employees with adequate standards. What do they have to take into consideration when they are working from home?” said Pineda.
She also recommended that business owners assess how their employees are accessing company data remotely. Without the proper protocols in place, businesses face a great risk of a data breach with different individuals accessing sensitive data from non-secure devices or connections. Companies must be diligent in implementing these protocols to protect their data even if their employees are working from home
“This goes beyond having the proper equipment, having the proper software, but also the security or the encryption methods that you must put in place when there is remote access to data, not just business data but also personal data. How do you extend that security that you have been implementing in your workplace?” explained Pineda.
5. Protect your business from cyber threats like you would protect your house from a fire.
In his discussion, Andrew Hong, Regional Director for Asia Pacific of multinational cybersecurity solutions provider CyberScout, brought up an analogy for SMEs to better relay the importance of having a concrete plan against cyber threats:
“Imagine you are a homeowner. In the event of a small fire, in every house you have a fire hydrant or an extinguisher, whether the mini tube one or the big one. But do you know that the mini type of extinguisher, you need to renew every year for licensing? Most people don’t, they just ignore. So when a fire happens, they take the fire extinguisher, and nothing comes out. There’s no foam because the things inside are expired. When the fire gets bigger hours later, you call for the [firefighters] to come in with their big hydrants, but then at least 90% of your property is lost [by then].”
Hong then explains that the fire is analogous to a cyber attack, and the fire extinguisher represents your company’s internal plan on how to handle them. Just like the mini fire extinguisher, your company must be careful with how they maintain it, and to make sure that it will be available when it is needed. The firefighters are the external organizations and experts that companies should call for help when needed, and Hong recommended that businesses be quick in asking for help.
“What to do when you have a cyber attack? Call for help early,” added Hong. “Do not delay [your] call for help.”
We hope this article was helpful. To get more information, insight, and inspiration,check out the other articles in UNAWA Explainer for more tips on how your business can navigate the new normal.