Cyber Crime Effects to
Businesses in Philippines
Adrian John V. Balarbar
Taguig City, Philippines
avbalarbar@student.apc.edu.ph
Victor Manuel P. Serrano
Taguig City, Philippines
vpserrano@student.apc.edu.ph
Abstract—Recently, there are many issues happening about
cybercrime in which causes a lot of loss of data. Usually, business
companies and political networks experience cyberattacks and
based on the research [3], countries that are vulnerable in
cyberattack are the ASEAN countries, especially Philippines which
receives continuous threats based on the advanced threat report of
the FireEye Inc. [3] Based on the amount of percentage of APT
attacks in 2013, the most vulnerable are government sites and
business process outsourcing firms where the percentage is 19.8. [3]
Foreign companies and investors became ambiguous because the
country’s reputation decreases slowly as it goes and may lead to
lower sales and mistrust [4]. One of the bank in the Philippines is
which is the Rizal Commercial Banking Corporation popularly
known as RCBC has the right to store money of people and
business for savings and lending money and is licensed by Bangko
Sentral ng Pilipinas (BSP), last February 2016, with the use of
SWIFT, hackers had heisted dangling 81 million US Dollars from
a Bangladesh’s bank account in the Federal Reserve Bank of New
York [5].
Keywords: Cybercrime, Data, Threats, Attack, APT, Business,
Government
I. INTRODUCTION
The Philippine government encourages further development
of Information Technology (IT) related services within the
country, since it was regarded as the next haven of economic
opportunities. It is said that the growth rate of the Information
Technology and Business Process Management (IT-BPM) and
global in-house center (GIC) are 30 percent annually, more than
the average rate of the global competitors. [1] Throughout time
passed. the industries and services available in the Philippines
matures and as the growth continues, there is roughly a bold
estimate of 25 billion US dollars in revenue and 1.5 million
direct hires this 2016 alone. [1] The presented figures clearly
show the importance of IT to Philippine economic growth.
As the IT related sector grows, various problems arise with
it. Additionally, complications caused by slow and reactionary
Paulo Lorenzo Macaraeg
Taguig City, Philippines
rlmacaraeg@student.apc.edu.ph
Kyle Rafael F. Sulabo
Taguig City, Philippines
kfsulabo@student.apc.edu.ph
conduct of the Philippine government towards cybercrime
contributes to further more problems. The reactive conduct of
the Philippine officials is said to be a matter of concern from
investors. [2] Furthermore, while there is a Philippine Computer
Emergency Response Team (PHCERT), their services are not
sufficient as a measure against the problem. A proactive
approach towards the problem is needed to ease the concerns of
the investors with regards to IT. [2] In this paper, the focus would
be about the effects of cyber terrorism/crime onto the businesses
in the Philippines.
The research aims to identify the sources of such attacks, means
and motives. Additionally, the researchers limit the scope of the
document towards the Philippines and the businesses present at
the country that incorporate IT with its process.
Any analysis derived from the research can be helpful for
other researchers looking for information about what common
approaches a malicious groups or persons do perform against
businesses, what preventive or diminution maneuvers should be
performed.
II. PROBLEM STATEMENT
Cybercrime is a method of attacking that comprises of any
illegal pursuit with use of any technology [10] such as hacking,
theft, child solicitation and identity theft. [11] Cyberterrorism
can be also classified as cybercrime. Its main goal is to steal or
expose confidential data and to cause fear [10] to any targeted
individual, property or government. [11] To classify any actions
or happenings as a cybercrime, it is important to know the
motive why the incident happened. Cybercrimes could be
classified into three types: (1) Computer-assisted crime, when
computers are used as a medium to perpetrate a crime. (2)
Computer-targeted crime, whereas criminals commit crime with
computers as prime target. (3) Computer-incidental crime, when
the use of computers in perpetrating a crime just happened to be
used and not used as main instrument for the crime.
 Businesses and political networks are often struck by
cyberattacks. These attacks are classified as Advanced
Persistent Threats (APT). [3] APT is a kind of attack where the
perpetrators maintain constant access to the targeted system. [17]
ASEAN countries are known for being vulnerable when it
comes to cyberattack threats where the Philippines is the most
vulnerable and receives a high number of continuous threats
based on FireEye Incorporation’s advanced threat report, a
United States network security firm. [3] Also, the report
indicated that Hussarini and Page which are malware families
are present and running in the Philippines. The report stated that
in the industry, APT attacks in 2013 are in 19.8 percent of
business process outsourcing firms which were services,
consulting and value added reselling, 13.5 percent of
government sites, 10.2 percent of media and hospitals, 13
percent of high technology and 9.2 percent of
telecommunications. [3]
Based on the percentages, business process outsourcing firms
and government sites in the Philippines are most vulnerable to
APT. Many problems arise because of the threats that creates a
major impact. Since the businesses and political networks in the
Philippines are highly known for being the most vulnerable to
APT [3], the country’s reputation decreases which causes foreign
companies and investors to be uncertain that may lead to
mistrust and lower sales. [4]
Rizal Commercial Banking Corporation (RCBC) is licensed
and authorized by the Bangko Sentral ng Pilipinas (BSP) to
acquire money from people and businesses and to lend money.
In February 2016, 81 million US dollars was heisted by hackers
from Bangladesh’s bank account in the Federal Reserve Bank
of New York with the use of SWIFT [5], an international system
of wired cash transfer and can be transferred only from and to
financial establishments. [6] The hackers used multitudes
financial pathways to transfer the money. Eventually, the
hackers used its cohorts in the Philippines to create bank
accounts in RCBC and manage the cash movement. [7] Once the
transfer is complete, the money is withdrawn in cash and
converted I into casino chips as to make the money untraceable
since Philippine laws against money laundering does not cover
casinos therefore making the authorities unable to onto these
gambling institutions. [8]
The Bangladesh heist evidently shows the vulnerability of the
existing Philippine laws, money related firms, and the
government against highly organized crime. [8] The incident also
allows us to see that cybercrime could be utilized as one of the
processes to create a complex yet grander evil schemes. Thus,
the reputation of the Philippines plummets these evil schemes
making an unending spiral of distrust which makes business
opportunists to shy away and make the economy slow down.
There are still more problems that could be incorporated to
the paper. However, the problems stated above evidently
presents the severity of the situation. The statistical results of
attacks above present the values of how much businesses with
relation to IT must endure to perform transactions in the
country. In addition, with loopholes or not, the fact that the
Philippine laws could be easily exploited to serve misdeeds of
others is a clear message that the Philippine government and all
of the affected stakeholders should work together to eliminate
or at least mitigate the damages caused by cybercrime incidents.
[8]
III. RESULTS AND DISCUSSION
Technology always progresses by leaps and bounds. Though
progress is good in all, the criminals had always caught up with
technology’s phase better than the Philippine authorities, and
most businesses. The slow adaptation of new technologies by
most businesses and the reactionary approach of the Philippine
government toward incidents have significant effects with the
present dilemmas faced by both entities. Businesses in this
digital age should protect itself by limiting any substantial data
that could be exploited for an attack.
This study aims to look on measures for how a business
should protect against cybercrime. The results and discussions
will focus more about businesses. The stance of most solutions
will emphasize proactive approach to mitigate the threats. A
business must assume that the Philippine government could not
be relied upon in actively protecting their interests with relations
to IT. Some solutions that can be implemented are Logical
Access Controls, Acceptable Use Policy, Separation of Duties,
Due Care and Due Diligence, Employee Treatment, Personnel
Training.
In Logical Access Control (LAC), an organization must
properly limit the authority and accessibility of every business
personnel on every file o business resource. The organization
must properly implement an identification and authentication
system to ensure that access limits thoroughly applied on a
personnel level. [9] The identification and authentication scheme
can complement any existing physical controls for a more rigid
security of the protected data. [9] Business administrators could
designate roles, manage personnel, and create Access Control
Lists (ACL) more flexibly using LAC since the responsibilities
of each employee are limited to the access provisions (the ACL)
placed by the management. [9] Logical Access Control, although
may sound good, could only be efficiently be applied onto large
organizations or groups that had a complex hierarchy and
require a sophisticated management. [9] LAC helps to efficiently
designates roles and control the data access of each user in the
system. This management is not recommended to small
businesses, which such complexity is not need. This
management scheme will only incur losses to the small
organization if implemented. [9]
An Acceptable Use Policy (AUP) can be used to establish
constraints for a user to agree on to access data, networks and
internet provided by an organization. [12] It is a manifest of what
are conducts that are acceptable when pertaining to the use of
the organization’s resources. With the use of AUP, there is an
assurance for an organization that implements the policy
because users who agreed with the privilege to access the
network can be tracked, especially when there is a user that
violated the policy. Organizations can detect any malicious acts
that contradict to the rules and policies provided.
Separation of Duties refer to the importance of making each
process in an organization separate. There should be no one that
could conduct business transactions alone. It can be helpful for
an organization to separate the duties and accesses of employees
to prevent problems like fraud and exposure of confidential
information since the intellectual property of an organization is
highly prioritized [13] and must not be given to the wrong hands.
Employees must be reminded what are their tasks and privileges
depending on their position.
Due Care is the efforts of an organization to prevent or
mitigate consequences of neglect of any possible risk present
and indicates the level of judgment, prudence, care,
determination while Due Diligence are about upholding
standards and actions conducting an intensive investigation that
are acceptable with the current laws. [16] Prevention or
elimination of risks heightens the security of an organization
because it detects risks and problems that needs action. It also
gives an organization sufficient time to prepare and establish
possible actions for a certain risk that may happen.
Employee Treatment refers to the methods of how the
company would avoid unwanted employee’s outrage. It refers
on how a company can manage all their employees to avoid loss
of interest in the job and unsatisfaction of the employees. Good
communication is the key to success. [14] It gives a company an
assurance that there will be no conflicts or anomalies because
the employees do their jobs properly due to the proper treatment
to them. Employee treatment goes a long way because it can
eliminate a problem like inside jobs because there is no need for
an employee to access and expose confidential data because the
company is treating them properly. Briefly, it is not giving the
employees motives or reasons to perpetrate a crime against the
organization.
Personnel Training refers to making the business personnel
more aware of the importance of information security.
Emphasize that the personnel also bear some security
responsibilities to the organization they belong. It is the process
of educating and orienting new employees in the workplace. this
action of training correlates with entry-level education that
helps new employees to prepare for their assigned tasks. [15]
Organizations benefit when implementing a personnel training
because the personnel have a background on how their tasks
flow and what are their rules and restriction when inside the
workplace. It decreases anomalies since all personnel are
wellinformed and prevents data loss or exposure.
IV. CONCLUSION AND RECOMMENDATION
In safeguarding business, one should have a full grasp of all
activities happening in the whole organization. This is true, both
in past and future to come. However, till now the as the business
becomes more modern and competitive there are always risks
that businesses could be sabotaged or wrongly manipulated for
a lot of reasons. Large or small, all business can be affected from
the misfortune of others. All businesses should be responsible
to each of its own wellbeing and should proactively think of
methods to improve its own Information Security.
Information security is not solely about computers, it is
about how you manage to safeguard your organizational against
internal and external threats that could endanger the stability or
existence of the business. Threats are always looking for worse
opportunities to strike. In our views, there is always a clouded
line between cybercrime and cyberterrorism. Every cybercrime
should be considered as cyberterrorism since it places many
people, every stakeholder, at risk and terror. The Philippine
authorities could only react when an incident happened. [2]
The case study therefore concludes that businesses should
proactively improve not only its information security, but also
towards its organizational security.
The security recommendations that the authors will advise
depends on the various state and situations that a business have
now or anticipate on future. There are some recommendations
that could be enforced to any type of business: (1) Acceptable
Use Policy, this could be used to enforce security responsibility
since it could be used as a proof or evidence against the
employee if neglected and defense of the company that there is
Due Care if an unfortunate incident happened. (2) Separation
of Duties, it is important, and applicable to all kinds of
organizations. It can be used to divide work and prevent an
abuse of power or privileges. (3) Due Care and Due Diligence,
it is important to uphold what is required by the law, and be
cautious of every move for the effects or consequences of
whatever action an organization may take. (4) Lastly, Personnel
Training, it is important to equip every employee knowledge
how to deal and prevent security risks that may in turn affect the
wellbeing of the whole company.
REFERENCES
[1]
“2012-2016 Philippine IT-BPM road map,” 2011.
[Online]. Available: http://dict.gov.ph/2012-2016-
philippine-itbpm-road-map/. Accessed: Oct. 29, 2016.
[2]
B. P. Corporation, “BusinessWorld | Cybercrimes affect
business confidence in PHL: Fortinet,” 2015. [Online].
Available:
http://www.bworldonline.com/content.php?section=Tech
nology&title=cybercrimes-affect-business-confidence-
inphl-fortinet&id=111924. Accessed: Oct. 29, 2016.
 [14]
S. M. Heathfield, "How (and why) to Foster Employee
[3]
A.-C. News, “Philippines most exposed to cyber attack satisfaction," in The Balance, The Balance, 2016. [Online].
threats - report | ABS-CBN news,” in Business, ABS-CBN Available:
News, 2014. [Online]. Available: https://www.thebalance.com/employeesatisfaction-
http://news.abscbn.com/business/08/15/14/philippines- 1918014. Accessed: Oct. 29, 2016.
most-exposedcyber-attack-threats-report. Accessed: Oct. [15]
“What is personnel training?,” wiseGEEK, 2016. [Online].
29, 2016. Available: http://www.wisegeek.com/what-is-
personneltraining.htm. Accessed: Oct. 29, 2016.
[4]
M. Beauchamp and studio D, “The disadvantages of bad [16]
USLegal, "Due care law & legal definition," in USLegal,
publicity,”. [Online]. Available: 2001. [Online]. Available:
http://yourbusiness.azcentral.com/disadvantages- http://definitions.uslegal.com/d/due-care/. Accessed: Oct.
badpublicity-3495.html. Accessed: Oct. 29, 2016. 29, 2016.
[5]
C. D. Paz, “TIMELINE: Tracing the $81-million stolen [17]
Posted and M. Rouse, "What is advanced persistent threat
fund from Bangladesh bank,” Rappler, 2016. [Online]. (APT)? - definition from WhatIs.com," SearchSecurity,
Available: 2010. [Online]. Available:
http://www.rappler.com/business/industries/banking- http://searchsecurity.techtarget.com/definition/advancedpe
andfinancial-services/125999-timeline-money- rsistent-threat-APT. Accessed: Nov. 4, 2016.
launderingbangladesh-bank. Accessed: Oct. 29, 2016.
[6]
S. Seth, “How the SWIFT system works,” Investopedia,
2015. [Online]. Available:
http://www.investopedia.com/articles/personalfinance/05
0515/how-swift-system-works.asp. Accessed: Oct. 29,
2016.
[7]
T. M. Times, “Uncomfortable truths about the RCBC
scandal - the manila times online,” in Business, The Manila
Times Online, 2016. [Online]. Available:
http://www.manilatimes.net/uncomfortable-truths-
aboutthe-rcbc-scandal/251287/. Accessed: Oct. 29, 2016.
[8]
C. Larano, “A hole in the global money-laundering
defense:
Philippine casinos,” wsj.com, 2016. [Online]. Available:
http://www.wsj.com/articles/quest-for-stolenbangladeshi-
funds-leads-to-philippine-casinos1458324994. Accessed:
Oct. 29, 2016.
[9]
“Logical access control,” 1989. [Online]. Available:
http://securityv.isu.edu/isl/hk_acces.html. Accessed: Oct.
29, 2016.
[10]
M. Kurnava, “Cyber-crime v Cyber-terrorism: What is the
difference?”, Linkedin, 2016. [Online]. Available:
https://www.linkedin.com/pulse/cyber-crime-v-
cyberterrorism-what-difference-matthew-kurnava.
Accessed: Oct. 29, 2016.
[11]
“Cyber Crime”, Cross Domain Solutions. [Online].
Available:
http://www.crossdomainsolutions.com/cybercrime/.
Accessed: Oct. 29, 2016.
[12]
“Acceptable Use Policy” WhatIs. Available:
http://whatis.techtarget.com/definition/acceptable-
usepolicy-AUP. Accessed: Oct. 29, 2016.
[13]
“Separation of Duties in Information Technology” SANS.
[Online]. Available:
http://www.sans.edu/research/security-
laboratory/article/it-separation-duties. Accessed: Oct. 29,
2016