Rising Above the Digital Tug-of-War

By Edwin Concepcion

 Recent technological advancements have intensified a digital tug-of-war that both threatens and fortifies the strength of our data privacy guardrails. The fast-tracked deployment of technologies such as Generative AI, often comes with minimal protocols which poses privacy, security and even ethical risks. Robust data protection and cybersecurity methods should be put in place to ensure more rigorous means of securing data, to withstand new threats brought about by digital transformation. 

Between 2020 and 2023, there were roughly 3,000 cyberattacks and 54,000 cyber threats and the Philippines saw a 400 percent year on year increase in cybercrime last year, coinciding with the recent proliferation and adoption of Generative AI. However, the key to navigating this complex landscape is not by shying away from innovation, but by understanding its risks so that we can leverage technology’s potential responsibly. Holistic internal governance that is aligned to business objectives is also essential.

The Double-Edged Sword that is AI

In the Philippines, government-led AI development, driven by various state-level research institutions and collaborations with the private sector, is poised to propel generative AI into mainstream use. The country’s Department of Trade and Industry (DTI) launched the National AI Strategy Roadmap in 2021, outlining strategic priorities and responsibilities for the government, industries, and academia. This includes a future National Center for AI Research (N-CAIR), led by the private sector, as well as the AI and Information Communications Technology (ICT) Roadmap, rolled out by the Department of Science and Technology, Philippine Council for Industry Energy and Emerging Technology Research and Development (DOST PCIEERD).

All this will pave the way for potential transformative breakthroughs, creating new avenues for productivity, growth and insight-generation. In fact, AI is also revolutionising threat detection and response by analysing vast amounts of data to identify anomalies and predict malicious online attacks, enabling faster response times. It can also automate repetitive tasks like vulnerability scanning and patching, freeing up human analysts for more complex work. 

But as generative AI goes multimodal and the world transitions from content creation to content generation, its ability to produce realistic material raises issues regarding authenticity, data privacy and intellectual property. The same ease of content generation is also available to scammers and hackers, enabling them to commit traditional crimes using new techniques. Highlighting the double-edged nature of AI and the need for robust data governance and ethical AI development.

Major data security threats to expect in 2024

Hackers are adapting their techniques at an alarming rate, leading to attacks that are more sophisticated and realistic. Instances of identity theft using deep fakes and voice cloning are on the rise. Cybersecurity experts predict that ransomware attacks will more aggressively target critical infrastructure and businesses with high data value. These are part of Advanced Persistent Threats (APTs) where sophisticated hacking groups use social engineering and zero-day exploits to weasel their way onto a network to mine private data. Malicious actors exploiting vulnerabilities in third-party vendors also remains a major concern in global supply chains. 

Integrating a company’s data with generative AI services can also introduce security and privacy vulnerabilities as it involves sharing data with external providers. The extent of these risks hinges on various factors, including the provider’s reputation, data handling policies, and alignment with data protection regulations such as purpose of use. 

Even more pervasive dangers await the integration of generative AI into personal smart devices. While smart devices that seamlessly integrate into our lives offer unparalleled convenience, they also collect vast amounts of personal data, raising concerns on how this information is processed, stored, used and shared. Present in our homes and carried on ourselves, multi-device connectivity and data-sharing has further amplified security risks for unsecure devices that can serve as gateways for hackers to infiltrate networks with zero-day vulnerabilities. 

Parties most at risk of data breaches

While no industry is immune, some sectors face greater data breach risks. Healthcare institutions hold one of the most sensitive types of personal and medical data, making them a prime target for attackers seeking financial gain. The Cost of a Data Breach Report 2023 by IBM found healthcare to be the most expensive industry for breaches, averaging $10.10 million per incident. 

Meanwhile, financial data like credit card numbers and social security numbers are highly valuable on the black market, making financial institutions attractive targets. Retail and E-commerce companies holding customer payment information are at risk too. 

But more critically, companies who are not in a constant state of evolution to ensure all areas of the business have an agile security strategy are most at risk of data security threats. Outdated security practices and those that don’t have proper data governance and AI usage policies in place are more likely to fumble in the face of new threats. Notably, startups and Small & Medium Enterprises (SMEs) may not have the proper infrastructure to address cybersecurity and data protection issues in their companies as they themselves are strapped for resources to get ahead in their business operations.

Steps companies can make to improve their data security

Data privacy is not only a legal obligation but also a business opportunity. As such, organisations should reconsider the measures they have in place and develop a secure and well-governed data foundation. 

While technological advancements in cybersecurity hold promise, data security ultimately relies on a layered approach accompanied by accountable data handling practices by humans. 

Adopting a privacy by design approach means integrating privacy considerations into every stage of the development and operation of a system. For starters, firewalls, Multi-Factor Authentication (MFA) and access control are some security measures that can be implemented to prevent data breaches. For the more advanced, organisations may consider emerging technologies that enable data analysis without compromising personal information, such as differential privacy, federated learning, and homomorphic encryption.

Understanding what data you hold and its sensitivity classification is also essential for effective protection. This will also inform your incident response plan, such that in the event of a breach, you are able to minimise damage and ensure swift recovery. According to the Philippine National Privacy Commission (NPC), all Personal Information Controllers (PICs) and Personal Information Processors (PIPs) are required to have a Security Incident Management Policy. This comprises having a security incident response team to mitigate the effects of a breach, and laying out measures that minimise the occurrence of such incidents.

Implementing strong network segmentation and regularly updating IoT firmware with patches can significantly reduce vulnerabilities for an organisation and their customers’ data stored in cloud servers. Organisations should conduct regular Vulnerability Assessment and Penetration Testing (VAPT) to assess for possible gaps within the IT infrastructure and ensure that these issues are fixed as quickly as possible. VAPT tools and services can assess vulnerabilities within a system or application and help administrators prioritise which vulnerabilities should be addressed first. 

By subjecting software systems to comprehensive scrutiny before implementation, organisations can identify and address potential data privacy and security gaps. Due diligence in organisations must be done before embarking on integrating AI services, thoroughly evaluating the provider’s policies and practices. The organisation can then make informed decisions regarding data sharing and usage.

As many technological controls one can take, it is ultimately human error that is the weakest link in data protection. As such, educating employees on data handling best practices and phishing scams is crucial. Consider leveraging generative AI to build and actionise data protection practices in an organisation. With its current capabilities, it is possible to build a custom chatbot that allows employees to upload and check suspicious emails for possible malicious intent and provide advice on what next steps to take. Conversational AI is also a great way to conduct interactive table-top breach simulations where the course of events are responsive to the choices of the user. Of course, these tools must be built in a secure and controlled environment such that conversation histories are not leaked to unintended parties and the organisation can control the data on which the bot is trained. 

The Responsibility Lies with Us

Technology offers powerful tools for transformation but it needs to be used with wisdom. The responsibility lies with individuals, organisations, and policymakers to use technology ethically and responsibly. Embracing robust data governance practices, prioritising data subject rights, and continuously adapting to evolving threats are crucial to navigating the digital crossroads. At the same time, a commitment by data protection professionals to continue upskilling to meet the demands of AI governance is imperative. One can do so by pursuing certifications like the AI Governance Professional under the International Association of Privacy Professionals (IAPP).

With concerted collaboration between regulators, government agencies, businesses and the public, there is a bright future for the Philippines where innovation thrives alongside robust data protection, ensuring a safe and secure future for all.

This article was first published on The Manila Times on 18 Feb 2024.