BOW-TIE ANALYSIS: DATA BREACH RISK
CHAPTER 1: OVERVIEW
1.1 Objective
Identify and analyze how data breaches happen, what causes them, and what their effects are, using a Bow-Tie Diagram. This means looking at both tech and human risks in private and public sectors across the Philippines.
1.2 Central Event (Top Event)
Loss of Control Over Confidential or Sensitive Data
This is the scenario in which the organization no longer controls its personal, private, or sensitive data, and people who should not see it can access it easily.
CHAPTER 2: THREATS (Left Side of Bow-Tie Diagram)
Initiating Mechanisms or Causes
2.1 External Threats
- Phishing Attacks — Fake emails with harmful links aimed at employees to steal info or get access.
- Advanced Persistent Threats (APT) — Long-term spying by high-level hackers, often linked to government groups, trying to gather sensitive info quietly.
- DDoS or Brute-force Attacks — Overloading systems or trying endless login attempts to cause downtime or expose vulnerabilities.
- Ransomware/Spyware Infections — These can happen through unsecured networks, sneaking in and locking up or spying on your data.
2.2 Internal Threats
- Negligent Employees: careless staff who use weak passwords or have had no cybersecurity training.
- Insider Threats: disgruntled staff who leak sensitive data.
- Improper Disposal of Hardware: discarding equipment such as hard drives without wiping the data first.
2.3 Systemic or Technological Failures
- Unpatched Systems: security updates that have not been applied.
- Obsolete Software: outdated software that is no longer supported by the vendor.
- Weak Access Controls: overuse of default or shared credentials.
CHAPTER 3: PREVENTIVE BARRIERS
Barriers Between Threats and the Top Event
3.1 Technical Controls
- Firewalls and Intrusion Detection/Prevention Systems (IDS/IPS)
- Multi-factor Authentication (MFA)
- Regular vulnerability scans and patch management
- Data encryption (both at rest and in transit)
3.2 Administrative Controls
- Clear rules on who can access data, with role-based controls to limit permissions.
- Regular checks and audits of IT systems in coordination with BSP, NBI, and DICT (Department of Information and Communications Technology).
- Ongoing training and awareness programs for employees to keep security top of mind.
- Cybersecurity policies that follow the Data Privacy Act of 2012 (RA 10173) and DICT Circulars.
3.3 Compliance Monitoring
- Conduct Privacy Impact Assessments (PIA) for every new system, following NPC guidelines.
- Set up data sharing agreements when working with public and private partners, like the NBI Cybercrime Division.
- Report any incidents to the National Privacy Commission (NPC) and DICT.
CHAPTER 4: CONSEQUENCES (Right Side of Bow-Tie Diagram)
Possible Outcomes of Data Breach
4.1 Direct Consequences
- Identity theft or financial fraud of customers or employees
- Leakage of confidential contracts or trade secrets
- Shutdown of public services due to compromised citizen data
4.2 Reputational and Legal Impacts
- Loss of public trust (especially critical in government and banking sectors)
- Regulatory penalties from NPC and BSP
- Legal liabilities and class action lawsuits
- Delisting of private companies from government supplier registries
4.3 Operational Disruptions
- Downtime of critical IT systems (government portals, e-commerce, etc.)
- Costs of data recovery and forensic investigations
- Insurance claims and reputational repair campaigns
CHAPTER 5: MITIGATING BARRIERS
Barriers Between the Top Event and the Consequences
5.1 Technical Controls
- Real-time data breach detection systems
- Immutable audit trails and backup recovery systems
- Network segmentation to limit breach scope
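The "immutable audit trail" barrier above is easiest to understand as a hash chain: each log record carries the digest of the record before it, so an attacker who edits, deletes or reorders earlier entries after a breach breaks the chain at the first altered record. The following Python is an added example written for this post, not code from the original page; the user names and events are constructed sample data.

```python
"""Tamper-evident (hash-chained) audit trail.

Added example, not part of the original page. Each record stores the SHA-256 of
the previous record, so deleting, reordering or editing any earlier entry breaks
the chain at the first altered record. Sample entries are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

GENESIS = "0" * 64  # "previous" digest used for the very first record


@dataclass
class AuditRecord:
    seq: int
    actor: str
    action: str
    resource: str
    prev_hash: str
    digest: str = ""

    def compute_digest(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so the digest is stable.
        body = json.dumps(
            {"seq": self.seq, "actor": self.actor, "action": self.action,
             "resource": self.resource, "prev_hash": self.prev_hash},
            sort_keys=True, separators=(",", ":"),
        )
        return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def append(self, actor: str, action: str, resource: str) -> AuditRecord:
        # Link the new record to the digest of the current last record.
        prev = self.records[-1].digest if self.records else GENESIS
        rec = AuditRecord(len(self.records), actor, action, resource, prev)
        rec.digest = rec.compute_digest()
        self.records.append(rec)
        return rec

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad record."""
        expected_prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != expected_prev:
                return i  # a record was removed, inserted or reordered
            if rec.compute_digest() != rec.digest:
                return i  # the record's own content was edited
            expected_prev = rec.digest
        return None


def build_sample_trail() -> AuditTrail:
    # Constructed sample events for a hypothetical customer-records system.
    trail = AuditTrail()
    trail.append("jdelacruz", "READ", "customer/1042")
    trail.append("jdelacruz", "EXPORT", "customer/*")
    trail.append("admin", "DELETE", "customer/1042")
    return trail


def demo_edit_without_recompute() -> Optional[int]:
    """Rewrite the bulk EXPORT event in place; its stored digest no longer matches."""
    trail = build_sample_trail()
    trail.records[1].action = "READ"
    return trail.verify()  # -> 1


def demo_edit_with_recompute() -> Optional[int]:
    """Edit the record and fix its own digest; the next record's prev_hash still exposes it."""
    trail = build_sample_trail()
    trail.records[1].action = "READ"
    trail.records[1].digest = trail.records[1].compute_digest()
    return trail.verify()  # -> 2


def demo_deleted_record() -> Optional[int]:
    """Drop the EXPORT event entirely; the sequence numbers and links no longer line up."""
    trail = build_sample_trail()
    del trail.records[1]
    return trail.verify()  # -> 1


if __name__ == "__main__":
    print("intact trail:", build_sample_trail().verify())
    print("first bad record after edit:", demo_edit_without_recompute())
    print("first bad record after edit + recompute:", demo_edit_with_recompute())
    print("first bad record after deletion:", demo_deleted_record())
```

In practice the head digest is published to a write-once location (a separate log server, a WORM bucket, or a signed daily summary) so that an attacker with write access to the log file cannot simply rebuild the whole chain; the chain makes tampering detectable, the external anchor makes it provable.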
5.2 Legal and Response Protocols
- Incident response plan compliant with the Data Privacy Act of 2012
- 72-hour breach notification system to NPC
- Engagement with DICT’s Cybersecurity Bureau and NBI Cybercrime Division
- Internal investigation and root cause analysis (RCA) framework
5.3 Public Communication and Remediation
- Public advisories in compliance with RA 10173
- Credit monitoring services for affected clients
- Regular updates to stakeholders on mitigation progress
CHAPTER 6: APPLICATION IN THE PHILIPPINE SETTING
6.1 Private Sector Context
- BPO Firms: High-volume personal data, target of international cybercrime syndicates
- Banks and Financial Institutions: Subject to the BSP Circular No. 982 cybersecurity framework
- E-commerce and Retail: Exposed due to online payment systems and third-party plugins
6.2 Public Sector Context
- Government Agencies (e.g., LTO, BIR, PSA): Collect sensitive citizen data for identity, taxation, and services
- LGUs and Barangays: Often lack IT maturity; vulnerable to phishing or ransomware
- DICT and NPC: Serve as oversight and incident response coordinators
CHAPTER 7: RECOMMENDATIONS
7.1 Integrated Cybersecurity Framework
- Establish a Cyber Risk Register using ISO 27001 and Bow-Tie Analysis principles
- Conduct regular penetration testing and audit reviews
- Include cybersecurity KPIs in performance-based budgeting (for LGUs and GOCCs)
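A bow-tie becomes a usable risk register once it is written down as data: threats on the left, preventive barriers, the top event, consequences on the right, and mitigating barriers. The Python below is an added worked example for this post, not code from the original page. The threat, barrier and consequence names are taken from Chapters 2 to 5 above; which barrier covers which threat, and the effectiveness scores, are constructed assumptions for illustration. It shows the two things a register built this way gives you that the diagram alone does not: a gap list (threats or consequences with no barrier at all) and a ranking by residual likelihood, assuming independent barriers so that the chance all barriers on a path fail is the product of their individual failure probabilities.

```python
"""Bow-tie risk register for the top event
"Loss of Control Over Confidential or Sensitive Data".

Added example, not code from the original page. Names come from the page;
barrier coverage and effectiveness scores are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Barrier:
    name: str
    covers: Tuple[str, ...]  # threats (preventive) or consequences (mitigating) addressed
    effectiveness: float     # assumed probability the barrier stops the event, 0..1


@dataclass
class BowTie:
    top_event: str
    threats: List[str]
    consequences: List[str]
    preventive: List[Barrier]
    mitigating: List[Barrier]

    @staticmethod
    def _residual(item: str, barriers: List[Barrier]) -> float:
        # Assuming independent barriers, the chance that all of them fail is the
        # product of their individual failure probabilities (1 - effectiveness).
        residual = 1.0
        for b in barriers:
            if item in b.covers:
                residual *= 1.0 - b.effectiveness
        return round(residual, 4)

    def residual_likelihood(self, threat: str) -> float:
        return self._residual(threat, self.preventive)

    def residual_impact(self, consequence: str) -> float:
        return self._residual(consequence, self.mitigating)

    def uncovered_threats(self) -> List[str]:
        """Threats with no preventive barrier at all: gaps on the left side of the bow-tie."""
        return [t for t in self.threats if self.residual_likelihood(t) == 1.0]

    def uncovered_consequences(self) -> List[str]:
        """Consequences with no mitigating barrier: gaps on the right side."""
        return [c for c in self.consequences if self.residual_impact(c) == 1.0]

    def register(self) -> List[Dict[str, object]]:
        """Risk-register rows, worst residual first, ready to export to a tracker."""
        rows = [{"threat": t, "residual": self.residual_likelihood(t),
                 "barriers": [b.name for b in self.preventive if t in b.covers]}
                for t in self.threats]
        return sorted(rows, key=lambda r: r["residual"], reverse=True)


def build_bowtie() -> BowTie:
    # Names from the page; coverage and scores are constructed assumptions.
    return BowTie(
        top_event="Loss of Control Over Confidential or Sensitive Data",
        threats=["Phishing Attacks", "DDoS or Brute-force Attacks", "Negligent Employees",
                 "Insider Threats", "Unpatched Systems", "Obsolete Software",
                 "Weak Access Controls"],
        consequences=["Identity theft or financial fraud",
                      "Regulatory penalties from NPC and BSP",
                      "Downtime of critical IT systems",
                      "Delisting from government supplier registries"],
        preventive=[
            Barrier("Firewalls and IDS/IPS", ("DDoS or Brute-force Attacks",), 0.7),
            Barrier("Multi-factor Authentication",
                    ("Phishing Attacks", "DDoS or Brute-force Attacks", "Weak Access Controls"), 0.8),
            # Patching does not help software the vendor no longer supports,
            # so "Obsolete Software" is deliberately left without a barrier here.
            Barrier("Vulnerability scans and patch management", ("Unpatched Systems",), 0.9),
            Barrier("Role-based access controls", ("Insider Threats", "Weak Access Controls"), 0.6),
            Barrier("Training and awareness programs", ("Phishing Attacks", "Negligent Employees"), 0.5),
        ],
        mitigating=[
            Barrier("Real-time breach detection", ("Identity theft or financial fraud",), 0.5),
            Barrier("Immutable audit trails and backups", ("Downtime of critical IT systems",), 0.8),
            Barrier("72-hour breach notification to NPC", ("Regulatory penalties from NPC and BSP",), 0.7),
            Barrier("Credit monitoring for affected clients", ("Identity theft or financial fraud",), 0.4),
        ],
    )


if __name__ == "__main__":
    bt = build_bowtie()
    print("Top event:", bt.top_event)
    for row in bt.register():
        names = ", ".join(row["barriers"]) or "(no barrier)"
        print(f"{row['residual']:.2f}  {row['threat']:<28} {names}")
    print("uncovered threats:", bt.uncovered_threats())
    print("uncovered consequences:", bt.uncovered_consequences())
```

With the constructed scores, "Obsolete Software" ranks first with a residual of 1.0 because no preventive barrier covers it, and "Delisting from government supplier registries" is flagged as a consequence with no mitigating barrier; those two lines are exactly what the register should hand to the owner of the ISO 27001 risk treatment plan. Barriers are rarely fully independent (the same phishing e-mail defeats both an untrained user and an MFA prompt-fatigue attack), so treat the product as an optimistic lower bound rather than a measurement.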
7.2 Training and Tacit Knowledge Sharing
- Conduct workshops with NBI, DICT, and PNP Anti-Cybercrime Group
- Include cyber hygiene as part of Civil Service eligibility and onboarding
- Promote inter-agency exercises on data breach scenarios