MAKATI, Philippines – With cyberthreats ramping up in frequency, the Philippines finds itself a prime target for malicious actors from across the globe looking to compromise the data of its citizens. According to Esquire, the nation jumped from top five to the second most attacked country in 2022 and is increasingly becoming more attractive to state-sponsored hacking groups. These breaches present a looming threat as the personal information of millions of Filipinos, taken from numerous corporations and government organizations, are stolen, and used as leverage to extort millions of pesos. Through a mixture of cyberattacks and social engineering, these groups have found their way into the systems of their targets, collecting data and intercepting transactions for profit.
To address these growing concerns, the Asian Institute of Management’s (AIM) Master in Cybersecurity (MCS) program hosted a session with the Chief Operating Officer of Red Rock IT Security Inc., Paul Prantilla, to discuss the Center for Internet Security (CIS) Controls. The CIS Controls offer a straightforward and prioritized set of best practices to bolster cybersecurity defenses.
These controls, developed collaboratively by global cybersecurity experts, simplify the process of safeguarding systems by focusing on specific actions to counteract prevalent threats. Implementing CIS Controls not only fortifies an organization’s security posture but also serves as a pathway to compliance with industry regulation. Addressing common vulnerabilities such as unpatched software and poor configuration management, the controls establish essential cyber hygiene, a vital defense against cyberattacks. Recognizing the dynamic nature of modern systems, the CIS Controls facilitate adaptability, ensuring alignment between security measures and evolving business needs.
- To highlight their use, Mr. Prantilla ran through a series of cases that focus on different vulnerabilities within organizations that fell victim to cyberattacks. In his lecture, he noted that CIS controls have a total of 153 safeguards spread over three implementation groups (IG) applicable to organizations of varying sizes depending on their assets and IT infrastructure.
- IG1 (Essential Cyber Hygiene): This is the foundational set of security controls (56) that every organization, regardless of size or expertise, should implement. It focuses on basic defenses against common attacks and is suitable for organizations with limited resources.
- IG2 (Intermediate): This builds upon IG1 with 74 additional controls. It is designed for organizations with more complex IT environments and some dedicated security resources. It addresses compliance needs and protects sensitive information.
- IG3 (Advanced): This is the most comprehensive set with all 153 controls. IG3 is suited for organizations with high-value assets, strict regulations, and the potential for significant impact from cyberattacks. It requires specialized security expertise.
The technical aspects of these controls were further expounded upon by MCS Academic Program Director, Professor Philip Kwa during the session. Professor Kwa showed the students how hackers infiltrate systems, how the students can identify threats, and enact countermeasures during a breach.
As the Philippines' digital landscape grows, a robust cybersecurity strategy is needed to protect not just data but important infrastructure as well. The CIS Controls provide a practical framework for organizations of all sizes to implement essential barriers and mitigate cyber threats. By teaching students these controls and fostering a culture of cyber awareness, AIM continues to create leaders in cyberspace who can effectively safeguard citizens' data and ensure a secure digital future.